implementing password lockout

Jianliang Lu at
Fri Jan 30 20:48:24 GMT 2004

> Overall, I have to say "nice patch".  A few comments, though.  When the
> lockout duration and/or reset time policies are set to 0, they function as
> zero-duration, rather than turning off.  We need to be able to have these
> both be infinite, so I think zero should be infinite (because zero-length
> lockout and rest time are both meaningless).
> Thanks again,
> Jim

Thanks for your attention on my patch, but which patch are you talking?
Because in my patch sent on 01/20/2004 I have patched also the pdbedit to 
reflect the "duration time" and the "reset count time" every time you 
use pdbedit -v -u user to show user's account. Also I have checked the 
"never time" when its value is 0xFFFFFFFF (I think that NT do this), using 
pdbedit "-C -1" in account policy value for "duration" and "reset count 
time". I have also patched  "api rpc SAMR QueryUserInfo" to reflect the 
"duration time" and "reset count time".

I agree with you for that the account policy should be in passdb backend,
but I think  also that the account policy is not changed frequently, 
in general it is set at the begining of the work. So I think that we can 
always copy the account policy to BDCs when it is set at the begining of the 
work on PDC.


More information about the samba-technical mailing list