For Samba 4.5.1, I use Samba as an AD DC, and I set samba-tool domain passwordsettings set max-pwd-age =1, but I found it didn't make the account password expire 1 day later. When I use ldapsearch to query msDS-userPasswordExpiryTimeComputed, the value is equal when I set max-pwd-age =1 or 0. So, is it a bug?

And then I tried to view the source code. In file source4/dsdb/samdb/ldb_modules/operational.c, I found this:

	/*
	 * Note that maxPwdAge is a stored as negative value.
	 *
	 * Possible values are in the range of:
	 *
	 * maxPwdAge: -864000000001
	 * to
	 * maxPwdAge: -9223372036854775808 (-0x8000000000000000ULL)
	 *
	 */
	maxPwdAge = samdb_search_int64(ldb_module_get_ctx(module), msg, 0,
				       domain_dn, "maxPwdAge", NULL);
	if (maxPwdAge >= -864000000000) {
		/*
		 * This is not really possible...
		 */
		return 0x7FFFFFFFFFFFFFFFULL;
	}

When maxPwdAge=1, the ticks value is -864000000000, so I think this is the problem.

(In reply to Evan Wong from comment #0)

The logic in python/samba/netcmd/domain.py is this:

        if max_pwd_age is not None:
            if max_pwd_age == "default":
                max_pwd_age = 43
            else:
                max_pwd_age = int(max_pwd_age)
            if max_pwd_age < 0 or max_pwd_age > 999:
                raise CommandError("Maximum password age must be in the range of 0 to 999!")

            # days -> ticks
            if max_pwd_age == 0:
                max_pwd_age_ticks = NEVER_TIMESTAMP
            else:
                max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))

            m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
                ldb.FLAG_MOD_REPLACE, "maxPwdAge")
            msgs.append("Maximum password age changed!")

The maxPwdAge value in the database is not what you specify in the samba-tool domain passwordsettings command line.
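
The boundary discussed in the two comments above, as an added example that is not part of the thread or of Samba's code: it mirrors the quoted samba-tool conversion and the quoted operational.c comparison and lists which accepted settings reach the "not really possible" branch. The helper names and the value of NEVER_TIMESTAMP (-0x8000000000000000) are assumptions.

```python
# Added illustration modelling the two quoted excerpts; not Samba source code.
TICKS_PER_DAY = 24 * 60 * 60 * 10**7    # 100 ns ticks per day = 864000000000
NEVER_TIMESTAMP = -0x8000000000000000    # assumed value of samba-tool's constant
# Range stated in the operational.c comment quoted in comment #0.
DOC_RANGE = (-9223372036854775808, -864000000001)


def days_to_ticks(days):
    """Same arithmetic as the quoted samba-tool code (days -> negative ticks)."""
    if days < 0 or days > 999:
        raise ValueError("Maximum password age must be in the range of 0 to 999!")
    if days == 0:
        return NEVER_TIMESTAMP
    return -int(days * (24 * 60 * 60 * 1e7))


def takes_never_branch(max_pwd_age):
    """Same comparison as the quoted operational.c check."""
    return max_pwd_age >= -864000000000


def in_documented_range(max_pwd_age):
    """True if the stored value lies in the range the C comment documents."""
    return DOC_RANGE[0] <= max_pwd_age <= DOC_RANGE[1]


def settings_hitting_branch():
    """Every accepted samba-tool value (0..999) whose stored maxPwdAge makes
    the quoted check return 0x7FFFFFFFFFFFFFFF."""
    return [d for d in range(0, 1000) if takes_never_branch(days_to_ticks(d))]


def report(day_values=(0, 1, 2, 43)):
    """Rows of (days, stored ticks, in documented range, takes quoted branch)."""
    rows = []
    for d in day_values:
        t = days_to_ticks(d)
        rows.append((d, t, in_documented_range(t), takes_never_branch(t)))
    return rows


if __name__ == "__main__":
    for d, t, documented, never in report():
        print(f"days={d:<3} maxPwdAge={t:<21} in documented range={documented!s:<5} "
              f"quoted check returns 0x7FFF...={never}")
    print("settings hitting the branch:", settings_hitting_branch())
```

Of the values samba-tool accepts, only 1 day is stored as a maxPwdAge outside the range the C comment documents, and it is the only one that satisfies the quoted `>=` comparison.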