implementing password lockout
j.lu at tiesse.com
Fri Jan 30 20:48:24 GMT 2004
> Overall, I have to say "nice patch". A few comments, though. When the
> lockout duration and/or reset time policies are set to 0, they function as
> zero-duration, rather than turning off. We need to be able to have these
> both be infinite, so I think zero should be infinite (because zero-length
> lockout and rest time are both meaningless).
> Thanks again,
Thanks for your attention on my patch, but which patch are you talking?
Because in my patch sent on 01/20/2004 I have patched also the pdbedit to
reflect the "duration time" and the "reset count time" every time you
use pdbedit -v -u user to show user's account. Also I have checked the
"never time" when its value is 0xFFFFFFFF (I think that NT do this), using
pdbedit "-C -1" in account policy value for "duration" and "reset count
time". I have also patched "api rpc SAMR QueryUserInfo" to reflect the
"duration time" and "reset count time".
I agree with you for that the account policy should be in passdb backend,
but I think also that the account policy is not changed frequently,
in general it is set at the begining of the work. So I think that we can
always copy the account policy to BDCs when it is set at the begining of the
work on PDC.
More information about the samba-technical