[PATCH] Patch to implement AD password lockout in Samba's AD DC

Andrew Bartlett abartlet at samba.org
Mon Feb 24 19:16:39 MST 2014


On Tue, 2014-02-25 at 09:34 +1300, Andrew Bartlett wrote:
> On Thu, 2014-02-20 at 10:16 +1300, Andrew Bartlett wrote:
> > On Wed, 2014-02-19 at 22:08 +0100, Stefan (metze) Metzmacher wrote:
> > > Hi Andrew,
> > > 
> > > >> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s4-bwdPwdCount-01
> > > > 
> > > > I've updated the branch at 
> > > > 
> > > > git://git.samba.org/abartlet/samba.git s4-badPwdCount-02
> > > > 
> > > > http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s4-bwdPwdCount-02
> > > > 
> > > > I have also uploaded these to gerrit at
> > > > https://gerrit.sernet.de/#/q/status:open+project:samba+branch:master+topic:abartlet/s4-badPwdCount-02,n,z
> > > > 
> > > > With the tests now finished, these changes are now ready for master.
> > > > 
> > > > I will separately co-ordinate with the Heimdal team and work out how we
> > > > can detect the correct Heimdal version, and look at updating our
> > > > internal Heimdal.  (The reality is that only Debian builds against a
> > > > system Heimdal, and we already have another special patch to cope with
> > > > using a modern Heimdal).
> > > > 
> > > > Please review/push.
> > > 
> > > I'll have a look at them in detail tomorrow, but my first impression is that
> > > you should use more helper variables, avoid deep indentation levels (try
> > > to use early returns and avoid } else { if the if section calls return)
> > > and avoid function calls in the variable declaration section.
> > 
> > I would appreciate that in detail, as it is a large patch set and so
> > hard to guess exactly what chunks you feel can be improved.
> > 
> > The password_hash change was particularly challenging to do in good
> > style, and practical suggestions for how to improve it would be most
> > welcome. 
> > 
> > > Where is the password grace period documented in the Microsoft docs?
> > 
> > http://support.microsoft.com/kb/906305
> 
> Just a quick note to say I've seen the (very detailed and specific!)
> reviews in gerrit, but just haven't had a chance to make the required
> changes or to otherwise comment.

I've addressed most (but certainly not all) of the comments.  In short,
I disagree with sending an error when the badPwdCount is updated or not,
but I've addressed most of the extra, other than adding more tests.

Attached is the diff between the old and new patch series. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



-------------- next part --------------
A non-text attachment was scrubbed...
Name: abartlet-s4-badPwdCount-changes.patch
Type: text/x-patch
Size: 22757 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140225/fce22d99/attachment.bin>

