[PATCH] Patch to implement AD password lockout in Samba's AD DC

Stefan (metze) Metzmacher metze at samba.org
Tue Mar 4 04:40:48 MST 2014

Am 04.03.2014 02:09, schrieb Andrew Bartlett:
> On Mon, 2014-03-03 at 16:26 +1300, Andrew Bartlett wrote:
>> On Tue, 2014-02-25 at 15:16 +1300, Andrew Bartlett wrote:
>>> On Tue, 2014-02-25 at 09:34 +1300, Andrew Bartlett wrote:
>>>> On Thu, 2014-02-20 at 10:16 +1300, Andrew Bartlett wrote:
>>>>> On Wed, 2014-02-19 at 22:08 +0100, Stefan (metze) Metzmacher wrote:
>>>>>> Hi Andrew,
>>>>>>>> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s4-bwdPwdCount-01
>>>>>>> I've updated the branch at 
>>>>>>> git://git.samba.org/abartlet/samba.git s4-badPwdCount-02
>>>>>>> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s4-bwdPwdCount-02
>>>>>>> I have also uploaded these to gerrit at
>>>>>>> https://gerrit.sernet.de/#/q/status:open+project:samba+branch:master
>>>>>>> +topic:abartlet/s4-badPwdCount-02,n,z
>>>>>>> With the tests now finished, these changes are now ready for master.
>>>>>>> I will separately co-ordinate with the Heimdal team and work out how we
>>>>>>> can detect the correct Heimdal version, and look at updating our
>>>>>>> internal Heimdal.  (The reality is that only Debian builds against a
>>>>>>> system Heimdal, and we already have another special patch to cope with
>>>>>>> using a modern heimdal). 
>>>>>>> Please review/push.
>>>>>> I'll have a look at them in detail tomorrow, but my first impression is that
>>>>>> you should use more helper variables, avoid deep indentation levels (try
>>>>>> to use early returns and avoid } else { if the if section calls return)
>>>>>> and avoid functions calls in the variable declaration section.
>>>>> I would appreciate that in detail, as it is a large patch set and so
>>>>> hard to guess exactly what chunks you feel can be improved.
>>>>> The password_hash change was particularly challenging to do in good
>>>>> style, and practical suggestions for how to improve it would be most
>>>>> welcome. 
>>>>>> Were is the password grace period documented in the microsoft docs?
>>>>> http://support.microsoft.com/kb/906305
>>>> Just a quick note to say I've seen the (very detailed and specific!)
>>>> reviews in gerrit, but just haven't had a chance to make the required
>>>> changes or to otherwise comment.
>>> I've addressed most (but certainly not all) of the comments.  In short,
>>> I disagree with sending an error when the badPwdCount is updated or not,
>>> but I've addressed most of the extra, other than adding more tests.
>>> Attached is the diff between the old and new patch series. 
>> Any chance we can get at least some of these in to master soon?  I know
>> the re-re-re-view process in gerrit must have been frustrating, is there
>> anything I can do to assist?
>> BTW, the 60 min grace thing is also tested in the samlogon test, which
>> already verifies that it only applies to 'network' and not 'interactive'
>> SamLogon calls.
> I have addressed as much of the issues raised as I'm able to at the
> moment, and I think it is time to get this series into master.
> Can I please have the series in my s4-badPwdCount-02 branch (and in
> gerrit) reviewed and pushed into master please.

I'm looking at it again now and continue tomorrow.


More information about the samba-technical mailing list