[S4] PW Settings being ignored?
Brian C. Huffman
bhuffman at etinternational.com
Fri Nov 26 10:05:27 MST 2010
On 11/26/2010 11:29 AM, Stefan (metze) Metzmacher wrote:
> On 26.11.2010 17:24, Brian C. Huffman wrote:
>> So, I added some debugging to the code and it appears that for some
>> reason, even though I've set the history length to 0 in the pwsettings,
>> it's got a length of "4" from somewhere:
>>
>> /* checks the NT hash password history */
>> for (i = 0; i< io->o.nt_history_len; i++) {
>> ret = memcmp(io->n.nt_hash,
>> io->o.nt_history[i].hash, 16);
>> if (ret == 0) {
>> ret = LDB_ERR_CONSTRAINT_VIOLATION;
>> ldb_asprintf_errstring(ldb,
>> "%08X: %s -
>> check_password_restrictions: "
>> - "the password was already used
>> (in history)!",
>> + "the password was already used
>> (in history)! History length: %d",
>>
>> W_ERROR_V(WERR_PASSWORD_RESTRICTION),
>> - ldb_strerror(ret));
>> + ldb_strerror(ret),
>> io->o.nt_history_len);
>> io->ac->status->reject_reason =
>> SAM_PWD_CHANGE_PWD_IN_HISTORY;
>> return ret;
>> }
>> }
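Review bot: the "History length: %d" added to the ldb_asprintf_errstring format prints io->o.nt_history_len, which is the bound the loop above just iterated to, so the message should say that this is the number of stored history entries; as worded it can be read as the configured policy length. Also confirm that %d matches the type of nt_history_len (use %u if the field is unsigned), and since this string comes back in the "msg:" text of a rejected password change, consider keeping the extra value in a debug log line instead of the returned error.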
>>
>> yields:
>>
>> msg: 0000052D: Constraint violation - check_password_restrictions: the
>> password was already used (in history)! History length: 4
> That's the length of the stored history.
>
> Maybe we should use MIN(io->o.nt_history_len,
> io->ac->status->domain_data.pwdHistoryLength),
> but that needs testing...
>
> metze
>
I guess it depends what an AD server does. Is the policy change
retroactive immediately or do you need to change the password before the
history length is changed?
I don't know the answer.
-b
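
The effect of the MIN() clamp suggested in the quoted reply, as an added example that is not Samba code and not part of either message: a stand-alone model of the history loop with 4 stored entries. The struct, the function names and the newest-first ordering of stored entries are assumptions made for the illustration; it does not show what an AD server does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_LEN 16

/* Hypothetical stand-in for one stored NT-hash history entry. */
struct hist_entry { uint8_t hash[HASH_LEN]; };

/*
 * Returns 1 if new_hash matches one of the first MIN(stored_len, limit)
 * entries, 0 otherwise.
 * Assumption: entries are ordered newest first, so the first N entries
 * are the N most recent passwords.
 * Passing limit == stored_len reproduces the unclamped loop, which walks
 * everything that is stored regardless of the current policy.
 */
int pw_in_history(const uint8_t *new_hash, const struct hist_entry *hist,
                  uint32_t stored_len, uint32_t limit)
{
    uint32_t n = stored_len < limit ? stored_len : limit;

    for (uint32_t i = 0; i < n; i++) {
        if (memcmp(new_hash, hist[i].hash, HASH_LEN) == 0)
            return 1;
    }
    return 0;
}

/* Constructed sample: 4 stored entries, entry i filled with byte i + 1. */
void make_history(struct hist_entry hist[4])
{
    for (int i = 0; i < 4; i++)
        memset(hist[i].hash, i + 1, HASH_LEN);
}

int main(void)
{
    struct hist_entry hist[4];
    uint8_t reused[HASH_LEN];

    make_history(hist);
    memset(reused, 3, HASH_LEN);   /* same bytes as the third stored entry */

    /* Stored length 4, policy length 0: the case reported in this thread. */
    printf("unclamped: %d\n", pw_in_history(reused, hist, 4, 4));
    printf("clamped to policy 0: %d\n", pw_in_history(reused, hist, 4, 0));
    return 0;
}
```

With the clamp, lowering the policy takes effect on the next password change even though the older entries are still stored; raising it above the stored count checks only what exists.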
More information about the samba-technical
mailing list