Passowrd policy patch on Samba-3.0.2 for LDAP backend

Jim McDonough jmcd at
Fri Feb 20 13:19:51 GMT 2004

>You could not set the reset count and duration to 0 with User Manager for

>Domain, the minimum value that could be set is 1 minute. Also, the pdbedit

>could be changed as well to prevent the 0 setting for these policies, and
>the "not policy" value could be -1, means forever, or some default value.
Yes, I agreed to fix this, but we still _must_ tolerate 0 being the same
thing as -1.  You clearly didn't test your patch by not setting a reset
time...if you had, you'd have found that it always reset immediately.  This
points out the need to handle 0 the same as -1.  Making pdbedit enforce it
is fine, but declaring that usrmgr won't set it isn't enough to not handle
it.  A user-written tool could set it to 0, or we could have an error
upgrading someone's account policy, or they could restore a bad one, and
there is no useful meaning for 0, so we need to handle it the same as -1,
absolutely, no question about it.

Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074

jmcd at
jmcd at

Phone: (207) 885-5565
IBM tie-line: 776-9984

More information about the samba-technical mailing list