Bug 10512 - "maxPwdAge" attribute can be set to arbitrary values
Summary: "maxPwdAge" attribute can be set to arbitrary values
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2014-03-21 12:25 UTC by Björn Baumbach
Modified: 2020-10-23 02:37 UTC (History)
2 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Björn Baumbach 2014-03-21 12:25:13 UTC
The "maxPwdAge" attribute can be set to arbitrary values, but the possible values should be in the range of:

maxPwdAge: -864000000001
maxPwdAge: -9223372036854775808 (-0x8000000000000000ULL)
Comment 1 Andreas Schneider 2014-10-28 10:35:53 UTC
Björn, could you please provide more details how you set this value? How can this be reproduced?
Comment 2 Douglas Bagnall 2020-10-22 04:30:49 UTC
Since around commit 1d266b493894ad55c6c30e73a4cf9bc6aa28f559 we seem to ignore values that are out of this range, at least in some places.

In 'samba-tool domain passwordsettings set' we do checks at the python level, but if you hack a little bit of python, you can set the value there to any int64. Values >0 are returned back to 'samba-tool domain passwordsettings show' as if they were negated (e.g. 99999 is the same as -99999).

As for the specified range, [MS-SAMR] says "maxPwdAge MUST be less than or equal to 0". I don't see much else. I'm guessing the multiples of 1 day thing is an observed limit.
Comment 3 Douglas Bagnall 2020-10-23 02:37:05 UTC
(In reply to Douglas Bagnall from comment #2)
> you can set the value there to any int64

I should add, only admin users can do this, so we're not talking nasty tricks here, just foot-shooting potential. 

Samba-tool has safety catches for the simplest foot-shooting, but it does have more subtle problems. Invalid values (e.g. maxPwdAge = -1 == 100ns) are treated as never expiring in source4/dsdb/samdb/ldb_modules/operational.c. While never expiring is probably not what you meant by a 100ns timeout, it is at least handled. But it IS a problem that 'samba-tool domain passwordsettings show' will incorrectly show invalid values of maxPwdAge as if they were valid. That's because the timestamp_to_mins() function has an abs() in it. 

That is, you can (as admin, perhaps through bad LDIF experiments) set the maxPwdAge to a value that evaluates as eternity but shows as 3 days.