Passowrd policy patch on Samba-3.0.2 for LDAP backend
Jim McDonough
jmcd at us.ibm.com
Fri Feb 20 13:19:51 GMT 2004
>You could not set the reset count and duration to 0 with User Manager for
>Domain, the minimum value that could be set is 1 minute. Also, the pdbedit
>could be changed as well to prevent the 0 setting for these policies, and
>the "not policy" value could be -1, means forever, or some default value.
Yes, I agreed to fix this, but we still _must_ tolerate 0 being the same
thing as -1. You clearly didn't test your patch by not setting a reset
time...if you had, you'd have found that it always reset immediately. This
points out the need to handle 0 the same as -1. Making pdbedit enforce it
is fine, but declaring that usrmgr won't set it isn't enough to not handle
it. A user-written tool could set it to 0, or we could have an error
upgrading someone's account policy, or they could restore a bad one, and
there is no useful meaning for 0, so we need to handle it the same as -1,
absolutely, no question about it.
----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA
jmcd at us.ibm.com
jmcd at samba.org
Phone: (207) 885-5565
IBM tie-line: 776-9984
More information about the samba-technical
mailing list