Bug 184 - Account policy defaults == 21 day password expiry
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.0preX
Hardware: Other other
Importance: P2 critical
Target Milestone: none
Assigned To: Gerald (Jerry) Carter
Reported: 2003-06-22 01:00 UTC by Andrew Bartlett
Modified: 2005-08-24 10:28 UTC

Attachments
Change account policy for maximum password age (1.40 KB, patch)
2003-07-07 18:44 UTC, Tim Potter

Description Andrew Bartlett 2003-06-22 01:00:36 UTC
Our account policy settings are a bit insane, and inconsistent.

This means that people who migrate to LDAP from NT or from smbpasswd get a nasty
surprise with the changed behaviour.

We should apply the maximum password age to smbpasswd, and set the initial value
to a really long time.  (This would match smbpasswd/samba 2.2 behaviour).

We should try and decode this information from the samsync.
Comment 1 John H Terpstra 2003-06-22 01:54:37 UTC
I agree fully that we MUST not set a 21 day password age limit on new or
migrated accounts. This is biting some already.

We should set the account to not expire by default. The administrator should
change this at will, and not be forced to.
Comment 2 Tim Potter 2003-07-07 18:44:22 UTC
Created attachment 45
Change account policy for maximum password age

The fix for this seems oddly small - simply set the maximum password age in the
account policy to zero.  Unfortunately I'm unable to test it due to the
brokenness of the samba-3.0 tree at the moment!  )-:
Comment 3 Tim Potter 2003-07-07 18:45:05 UTC
BTW, I agree with jht on this one.  A default 20-day expiry policy is incredibly
annoying.
Comment 4 Gerald (Jerry) Carter 2003-07-24 20:15:40 UTC
The account policy stuff needs to be fully implemented or
completely disabled.  For now, I'm committing Tim's patch.
Comment 5 Gerald (Jerry) Carter 2003-07-25 12:56:57 UTC
Actually, you have to set the max password age to -1.
Tested and works with LDAP backend.
Comment 6 Gerald (Jerry) Carter 2005-02-07 08:39:24 UTC
Originally reported against 3.0.0beta1.  Cleaning out
non-production release versions.
Comment 7 Gerald (Jerry) Carter 2005-08-24 10:28:18 UTC
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.