Bug 12483 - for domain passwordsettings, useless to set "the max-pwd-age set to 1 "
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.5.1
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2016-12-23 15:58 UTC by Evan Wong
Modified: 2019-07-01 15:08 UTC

Description Evan Wong 2016-12-23 15:58:06 UTC
For Samba 4.5.1,
I use Samba as an AD DC, and I set samba-tool domain passwordsettings set max-pwd-age =1, but I found it didn't make the account password expire 1 day later.
When I use ldapsearch to query the msDS-userPasswordExpiryTimeComputed, the value is equal when I set max-pwd-age =1 or 0. So, is it a bug?
And then, I tried to view the source code; in file source4/dsdb/samdb/ldb_modules/operational.c, I found this:
/*
     * Note that maxPwdAge is a stored as negative value.
     *
     * Possible values are in the range of:
     *
     * maxPwdAge: -864000000001
     * to
     * maxPwdAge: -9223372036854775808 (-0x8000000000000000ULL)
     *
     */
    maxPwdAge = samdb_search_int64(ldb_module_get_ctx(module), msg, 0,
                       domain_dn, "maxPwdAge", NULL);
    if (maxPwdAge >= -864000000000) {
        /*
         * This is not really possible...
         */
        return 0x7FFFFFFFFFFFFFFFULL;
    }

When maxPwdAge=1, the ticks value is -864000000000, so I think this is the problem.
Comment 1 Stefan Metzmacher 2019-07-01 15:08:27 UTC
(In reply to Evan Wong from comment #0)

The logic in python/samba/netcmd/domain.py is this:

        if max_pwd_age is not None:
            if max_pwd_age == "default":
                max_pwd_age = 43
            else:
                max_pwd_age = int(max_pwd_age)

            if max_pwd_age < 0 or max_pwd_age > 999:
                raise CommandError("Maximum password age must be in the range of 0 to 999!")

            # days -> ticks
            if max_pwd_age == 0:
                max_pwd_age_ticks = NEVER_TIMESTAMP
            else:
                max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))

            m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
                                                ldb.FLAG_MOD_REPLACE, "maxPwdAge")
            msgs.append("Maximum password age changed!")

The maxPwdAge value in the database is not what you specified in the
samba-tool domain passwordsettings command line.
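
Added example, not part of the bug thread or of Samba's code: a small policy check that models only the two snippets quoted above (the samba-tool days-to-ticks conversion and the operational.c guard) and classifies a stored maxPwdAge value. The function names are hypothetical, NEVER_TIMESTAMP is assumed to equal the lower bound given in the quoted C comment, and the ldapsearch output is a constructed sample.

```python
# Added example: models only the two snippets quoted in this bug report.
TICKS_PER_DAY = 24 * 60 * 60 * 10**7   # 100 ns ticks in one day
NEVER_TIMESTAMP = -0x8000000000000000  # assumption: lower bound in the quoted C comment
GUARD_LIMIT = -864000000000            # constant used by the quoted C guard


def days_to_ticks(max_pwd_age):
    """Mirror the quoted samba-tool conversion (days -> stored maxPwdAge).
    Uses integer arithmetic; same result as the quoted code for 0..999."""
    days = 43 if max_pwd_age == "default" else int(max_pwd_age)
    if days < 0 or days > 999:
        raise ValueError("Maximum password age must be in the range of 0 to 999!")
    return NEVER_TIMESTAMP if days == 0 else -days * TICKS_PER_DAY


def classify(stored_ticks):
    """Classify a stored maxPwdAge using only what the quoted code shows."""
    if stored_ticks == NEVER_TIMESTAMP:
        return "never-sentinel"  # what the quoted samba-tool code stores for 0 days
    if stored_ticks >= GUARD_LIMIT:
        return "guard-never"     # quoted guard returns 0x7FFFFFFFFFFFFFFF
    return "finite"              # passes the guard; later computation is not quoted


def parse_max_pwd_age(ldif_text):
    """Extract the stored maxPwdAge from ldapsearch-style output."""
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "maxpwdage":
            return int(value.strip())
    raise ValueError("maxPwdAge attribute not found")


def report(days_values):
    """Rows of (days setting, stored ticks, classification)."""
    return [(d, days_to_ticks(d), classify(days_to_ticks(d))) for d in days_values]


# Constructed sample of ldapsearch output for the domain object.
SAMPLE_LDIF = "dn: DC=example,DC=com\nmaxPwdAge: -864000000000\n"

if __name__ == "__main__":
    for row in report([0, 1, 2, "default", 999]):
        print(row)
    print(classify(parse_max_pwd_age(SAMPLE_LDIF)))
```

Under these two snippets alone, a setting of 1 day lands exactly on the guard's boundary value, while 2 days and above pass the guard.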