Patch: fix interdom trusts (Only fetch password policy from pam)

Michael Adam ma at sernet.de
Sat Dec 22 00:20:57 GMT 2007


Hi Jerry,

Gerald (Jerry) Carter wrote:
> 
> I know this is a late comment, but it appears your patch requires
> me to disable password policy support even for my own domain if I ever
> want to log in from a trusted domain.  Correct?

If I messed up anything, I should (and will) fix it, of course...

But I think you don't need to disable anything:

To my understanding, the change only prevents the password
policy from being retrieved in auth requests. The only effect this
has is that in offline mode, the password policy may not be
available (the lockout policy is not affected by this, though;
it is retrieved by the domain child periodically). But
when the password is being changed (winbindd_dual_pam_chauthtok),
the password policy is also retrieved, without the flags
check. And failure is not critical there.

If we agree on it, we can allow for retrieval of pwd policy
from our own domain in auth, but this is not the way Windows
seems to do it for all I know.
Btw: Expiry info is also transmitted in the info3 data. But
I have to find out whether this is recalculated for each auth
request by the DC or stored with the last pwd change.

Cheers - Michael

-- 
Michael Adam <ma at sernet.de>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE