patch for account policy, min password age, on samba30a22
Andrew Bartlett
abartlet at samba.org
Thu Mar 20 12:23:17 GMT 2003
On Thu, 2003-03-20 at 23:08, Jianliang Lu wrote:
> Hi,
> I'm working to complete the account policy that today worked only for min
> password len. The first patch is for the min password age, then others...
> Now pdbedit is also patched to set/display the min/max password in number of
> days, not seconds.
> Attached is the patch.
I'm glad to see people are using this stuff! Comments below.
> Jianliang Lu
> TieSse s.p.a.
> j.lu at tiesse.com
> luj at libero.it
> ----
>
> --- samba-3.0alpha22/source/smbd/chgpasswd.c Thu Mar 20 12:29:04 2003
> +++ samba-3.0alpha22/source/smbd/chgpasswd.c.fix Thu Mar 20 12:34:42 2003
> @@ -944,6 +944,8 @@
> {
> BOOL ret;
> uint32 min_len;
> + uint32 min_age;
> + time_t pwdLastSet;
>
> if (time(NULL) < pdb_get_pass_can_change_time(hnd)) {
> DEBUG(1, ("user %s cannot change password now, must wait until %s\n",
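Review bot: The new local `pwdLastSet` is camelCase beside `min_len` and `min_age`; a name such as `pass_last_set` would match the surrounding locals and the `pdb_get_pass_last_set_time()` getter it is filled from. The unchanged context right below these declarations already gates on `pdb_get_pass_can_change_time(hnd)`, so a short comment on how the second age check relates to that one would help the next reader.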
> @@ -969,6 +971,15 @@
> /* return NT_STATUS_PWD_TOO_SHORT; */
> }
>
> + pwdLastSet = pdb_get_pass_last_set_time (hnd);
> + if (account_policy_get(AP_MIN_PASSWORD_AGE, &min_age) && ((time(NULL) - pwdLastSet) < min_age)) {
> + DEBUG(1, ("user %s cannot change password - password min age restriction \n",
> + pdb_get_username(hnd)));
> + DEBUGADD(1, (" account policy min password age = %d\n", min_age));
> + return NT_STATUS_PASSWORD_RESTRICTION;
> + }
This is a duplicate. We set this (as NT does, as far as I know) when
the password is set/changed, to the value currently in the policy. We
don't (and NT doesn't - as far as I know) check both the value and the
policy.
> /* TODO: Add cracklib support here */
>
> /*
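Review bot: In the new condition, `(time(NULL) - pwdLastSet) < min_age` compares a `time_t` difference with a `uint32`, so the outcome when `pwdLastSet` lies in the future (clock skew, restored backup) depends on the platform's `time_t` width and signedness; compute the elapsed time into a signed variable, clamp negatives to zero, and compare after that. The `DEBUGADD` line prints the `uint32` `min_age` with `%d` where `%u` matches the type, and when `account_policy_get()` returns false the check is skipped without any log line.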
> ----
>
> --- samba-3.0alpha22/source/utils/pdbedit.c Thu Mar 20 12:28:13 2003
> +++ samba-3.0alpha22/source/utils/pdbedit.c.fix Thu Mar 20 12:42:50 2003
> @@ -586,13 +586,21 @@
> fprintf(stderr, "valid account policy, but unable to fetch value!\n");
> exit(1);
> }
> +
> + if ((field == AP_MIN_PASSWORD_AGE) || (field == AP_MAX_PASSWORD_AGE)) {
> + value = (value) / 86400;
> + }
> +
> if (account_policy_value_set) {
> + if ((field == AP_MIN_PASSWORD_AGE) || (field == AP_MAX_PASSWORD_AGE)) {
> + account_policy_value = (account_policy_value) * 86400;
> + }
> printf("account policy value for %s was %u\n", account_policy, value);
> if (!account_policy_set(field, account_policy_value)) {
> fprintf(stderr, "valid account policy, but unable to set value!\n");
> exit(1);
> }
> - printf("account policy value for %s is now %lu\n", account_policy, account_policy_value);
> + printf("account policy value for %s is now %lu\n", account_policy, ((field == AP_MIN_PASSWORD_AGE) || (field == AP_MAX_PASSWORD_AGE)) ? account_policy_value/86400:account_policy_value);
> exit(0);
> } else {
> printf("account policy value for %s is %u\n", account_policy, value);
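Review bot: The display path `value = (value) / 86400;` truncates, so any stored min/max age below 86400 seconds is shown as 0 and a value that is not a whole number of days loses its remainder; either keep seconds as the unit or print the remainder as well. On the set path, `account_policy_value * 86400` is not checked for overflow before it reaches `account_policy_set()`, and none of the printf lines states the unit. The literal 86400 and the `field == AP_MIN_PASSWORD_AGE || field == AP_MAX_PASSWORD_AGE` test each appear three times; a named constant and a small helper would keep them in step.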
Well, it's relatively common (and perhaps more useful) to have
per-second resolution, because setting '20 mins' is quite useful for
'min passwd age'. (makes it hard to change/change back, without locking
people to their password for days).
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
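
The reply above distinguishes stamping the can-change time when the password is set from re-checking the policy when the password is changed. The following added example models both (it is not Samba code and not part of the original message); the struct and function names are hypothetical and the timestamps are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical account record for illustration; not Samba's own structure. */
struct account {
    time_t pass_last_set;
    time_t pass_can_change;   /* stamped once, when the password is set */
};

/* Stamp-at-set: copy the min-age policy in force right now into the account. */
void set_password(struct account *a, time_t now, uint32_t min_age)
{
    a->pass_last_set = now;
    a->pass_can_change = now + (time_t)min_age;
}

/* Stamped check: only the stored time matters, later policy edits do not. */
int may_change_stamped(const struct account *a, time_t now)
{
    return now >= a->pass_can_change;
}

/* Live check: re-read the policy at change time; signed math handles clock skew. */
int may_change_live(const struct account *a, time_t now, uint32_t min_age)
{
    int64_t elapsed = (int64_t)now - (int64_t)a->pass_last_set;
    if (elapsed < 0)
        elapsed = 0;          /* last-set time in the future: nothing elapsed */
    return elapsed >= (int64_t)min_age;
}

/* Both checks together: whichever is stricter decides. */
int may_change_both(const struct account *a, time_t now, uint32_t min_age)
{
    return may_change_stamped(a, now) && may_change_live(a, now, min_age);
}

int main(void)
{
    struct account a;
    time_t t0 = 1000000;                 /* constructed timestamp */
    set_password(&a, t0, 1200);          /* policy was 20 minutes at set time */
    /* Policy is later raised to one day; the user retries after 30 minutes. */
    printf("stamped=%d live=%d both=%d\n", may_change_stamped(&a, t0 + 1800),
           may_change_live(&a, t0 + 1800, 86400),
           may_change_both(&a, t0 + 1800, 86400));
    return 0;
}
```

With the policy raised after the password was set, the stamped check allows the change and the live check refuses it, so applying both makes the effective rule depend on the order of administrative edits.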