Password policy patch on Samba-3.0.2 for LDAP backend

Andrew Bartlett abartlet at
Fri Feb 20 05:28:10 GMT 2004

On Fri, 2004-02-20 at 15:38, Jim McDonough wrote:
> >> Next, I'm declaring that I don't like magic uint32 values of
> >> mean turn off duration, lockout count, and reset count time,
> >> because even 0 would be a silly value to be a valid other words,
> >> having a lockout count of 0 would lock everyone out, a reset count
> >> of 0 would reset everyone's badpw counter every time, and duration
> >> of 0 would reset everyone's lockout flag immediately.  So 0 means
> >> these policies are turned off.
> >These values are defined by Microsoft, not us.  You should be able to
> >set them from User Mangler, or get them via vampire, for example.
> Upon examining further, these are not the values defined by Microsoft.

Sorry - I meant to clarify that in my mail.  These values should be as
defined by Microsoft, the contents of the patch may vary ;-)

>   Account lockout disabled is a short, and 0 means no account lockout,
> not -1.  And -1 for time (as a time_t, _not_ 0xFFFFFFFF...this will
> bite us on 64-bit platforms) does happen to be what we define by
> convention to be infinite time.  It's not a Microsoft definition.
> The other reason I'd done this is that this patch has a MS
> land, for example, you can _never_ have a 0 duration for any of these,
> and if you don't define the policy, that's what we initialize it to.
> I'll switch the values back, but we also need to handle the case where
> the time is set to 0, which is invalid.


Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
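
The sentinel conventions discussed in this thread (threshold 0 means no lockout, -1 as a time_t means no expiry, a 0 duration is invalid), as an added example that is not part of the original mail or of the Samba patch. All names are hypothetical, and the two widening helpers assume the policy value is stored as a 32-bit field.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical names for illustration; not Samba's structures. */
#define LOCKOUT_FOREVER ((time_t)-1) /* thread's convention: -1 as a time_t */

enum lock_state { LOCK_DISABLED, LOCK_OPEN, LOCK_LOCKED, LOCK_BAD_POLICY };

struct lockout_policy {
    uint16_t threshold; /* bad-password count; 0 = no account lockout */
    time_t duration;    /* seconds locked; LOCKOUT_FOREVER = no expiry */
};

/* Two ways to widen a stored 32-bit policy value (assumed storage) to time_t.
 * With a 64-bit time_t the unsigned path turns 0xFFFFFFFF into 4294967295,
 * which no longer compares equal to (time_t)-1. */
static time_t widen_unsigned(uint32_t raw) { return (time_t)raw; }
static time_t widen_signed(uint32_t raw) { return (time_t)(int32_t)raw; }

static bool is_forever(time_t d) { return d == LOCKOUT_FOREVER; }

static enum lock_state evaluate(const struct lockout_policy *p,
                                uint16_t bad_count, time_t last_bad, time_t now)
{
    if (p->threshold == 0)
        return LOCK_DISABLED;   /* 0 switches lockout off; it never locks everyone */
    if (p->duration == 0)
        return LOCK_BAD_POLICY; /* 0 duration is invalid: reject, do not guess */
    if (bad_count < p->threshold)
        return LOCK_OPEN;
    if (is_forever(p->duration))
        return LOCK_LOCKED;     /* stays locked until an administrator resets it */
    return (now - last_bad < p->duration) ? LOCK_LOCKED : LOCK_OPEN;
}

int main(void)
{
    printf("sizeof(time_t) = %zu\n", sizeof(time_t));
    printf("0xFFFFFFFF via unsigned widening is forever: %d\n",
           is_forever(widen_unsigned(0xFFFFFFFFu)));
    printf("0xFFFFFFFF via signed widening is forever:   %d\n",
           is_forever(widen_signed(0xFFFFFFFFu)));
    return 0;
}
```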