Passowrd policy patch on Samba-3.0.2 for LDAP backend

Jim McDonough jmcd at
Fri Feb 20 04:38:35 GMT 2004

>> Next, I'm declaring that I don't like magic uint32 values of 0xFFFFFFFF
>> mean turn off duration, lockout count, and reset count time, because
even 0
>> would be a silly value to be a valid other words, having a
>> lockout count of 0 would lock everyone out, a reset count of 0 would
>> everyone's badpw counter every time, and duration of 0 would reset
>> everyones lockout flag immediately.  So 0 means these policies are
>> off.
>These values are defined by Microsoft, not us.  You should be able to
>set them from User Mangler, or get them via vampire, for example.
Upon examining further, these are not the values defined by microsoft.
Account lockout disabled is a short, and 0 means no account lockout, not
-1.  And -1 for time (as a time_t, _not_ 0xFFFFFFFF...this will bite us on
64-bit platforms) does happen to be what we define by convention to be
infinite time.  It's not a microsoft definition.

The other reason I'd done this is that this patch has a MS land,
for example, you can _never_ have a 0 duration for any of these, and if you
don't define the policy, that's what we initialize it to.

I'll switch the values back, but we also need to handle the case where the
time is set to 0, which is invalid.

Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074

jmcd at
jmcd at

Phone: (207) 885-5565
IBM tie-line: 776-9984

More information about the samba-technical mailing list