implementing password lockout

Andrew Bartlett abartlet at samba.org
Fri Jan 30 20:58:33 GMT 2004


On Sat, 2004-01-31 at 07:48, Jianliang Lu wrote:
> > Overall, I have to say "nice patch".  A few comments, though.  When the
> > lockout duration and/or reset time policies are set to 0, they function as
> > zero-duration, rather than turning off.  We need to be able to have these
> > both be infinite, so I think zero should be infinite (because zero-length
> > lockout and reset time are both meaningless).
> > 
> > 
> > Thanks again,
> > Jim
> > 
> 
> Thanks for your attention on my patch, but which patch are you talking about?
> Because in my patch sent on 01/20/2004 I have patched also the pdbedit to 
> reflect the "duration time" and the "reset count time" every time you 
> use pdbedit -v -u user to show user's account. Also I have checked the 
> "never time" when its value is 0xFFFFFFFF (I think that NT does this), using 
> pdbedit "-C -1" in account policy value for "duration" and "reset count 
> time". I have also patched "api rpc SAMR QueryUserInfo" to reflect the 
> "duration time" and "reset count time".
> 
> I agree with you that the account policy should be in passdb backend,
> but I think also that the account policy is not changed frequently, 
> in general it is set at the beginning of the work. So I think that we can 
> always copy the account policy to BDCs when it is set at the beginning of the 
> work on PDC.

That is a short-term hack.  This information belongs in the passdb, and
we need patches to implement this.  It should not be that hard - for
ldap, I think such policies should probably be children of the
sambaDomain object.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
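
The policy values discussed in this thread, as an added example that is not part of the original message, the patch, or Samba's code: it shows how a lockout duration or reset count time of 0 behaves as zero-length, and how the 0xFFFFFFFF value mentioned above can act as "never". The struct and function names are hypothetical, and times are assumed to be in seconds.

```c
#include <stdbool.h>
#include <stdint.h>

#define POLICY_NEVER 0xFFFFFFFFu /* "never" value from the thread (pdbedit -C -1) */

/* Hypothetical types for this example, not Samba's. Times are seconds (assumed). */
struct policy  { uint32_t limit, duration, reset_time; };
struct account { uint32_t bad_count; int64_t last_bad, locked_at; bool locked; };

/* Is the account still locked at time now? Clears an expired lockout. */
bool is_locked(const struct policy *p, struct account *a, int64_t now)
{
    if (!a->locked)
        return false;
    if (p->duration == POLICY_NEVER)
        return true;                    /* only an administrator unlocks */
    if (now - a->locked_at < (int64_t)p->duration)
        return true;
    a->locked = false;                  /* lockout expired */
    a->bad_count = 0;
    return false;
}

/* Record one failed logon; returns true if the account is locked afterwards. */
bool bad_password(const struct policy *p, struct account *a, int64_t now)
{
    if (is_locked(p, a, now))
        return true;
    /* Forget earlier failures once the reset window has passed. */
    if (p->reset_time != POLICY_NEVER && now - a->last_bad >= (int64_t)p->reset_time)
        a->bad_count = 0;
    a->bad_count++;
    a->last_bad = now;
    if (p->limit != 0 && a->bad_count >= p->limit) {
        a->locked = true;
        a->locked_at = now;
    }
    return a->locked;
}

/* Simulate n failures gap seconds apart, then test the lock wait seconds
 * after the last failure. */
bool locked_after(uint32_t limit, uint32_t duration, uint32_t reset_time,
                  int n, int64_t gap, int64_t wait)
{
    struct policy p = { limit, duration, reset_time };
    struct account a = {0};
    int64_t t = 1000;
    for (int i = 0; i < n; i++, t += gap)
        bad_password(&p, &a, t);
    return is_locked(&p, &a, t - gap + wait);
}
```

With a duration of 0 the lockout expires in the same second it is set, and with a reset time of 0 the failure counter never climbs past 1, so neither setting ever blocks a logon.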