Bug 12483 - for domain passwordsettings, useless to set "the max-pwd-age set to 1 "
for domain passwordsettings, useless to set "the max-pwd-age set to 1 "
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
4.5.1
All All
: P5 normal
: ---
Assigned To: Andrew Bartlett
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-12-23 15:58 UTC by Evan Wong
Modified: 2016-12-27 09:25 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Evan Wong 2016-12-23 15:58:06 UTC
for samba4.5.1,
I use samba as an AD DC, and i  set samba-tool domain passwordsettings set max-pwd-age =1, but i found it didn't make the account passowrd expire 1 days later.
When I use ldapsearch to query the msDS-userPasswordExpiryTimeComputed,  the value is equal, when i set  max-pwd-age =1 or 0. so, it's a bug ?
And then, I try to  view the source code, in file source4/dsdb/samdb/ldb_modules/operational.c, I found this
/*
     * Note that maxPwdAge is a stored as negative value.
     *
     * Possible values are in the range of:
     *
     * maxPwdAge: -864000000001
     * to
     * maxPwdAge: -9223372036854775808 (-0x8000000000000000ULL)
     *
     */
    maxPwdAge = samdb_search_int64(ldb_module_get_ctx(module), msg, 0,
                       domain_dn, "maxPwdAge", NULL);
    if (maxPwdAge >= -864000000000) {
        /*
         * This is not really possible...
         */
        return 0x7FFFFFFFFFFFFFFFULL;
    }

when maxPwdAge=1, the ticks  is -864000000000,  so I think this is the problem