Bug 184 - Account policy defaults == 21 day password expiry
Summary: Account policy defaults == 21 day password expiry
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.0preX
Hardware: Other other
Importance: P2 critical
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact:
Depends on:
Reported: 2003-06-22 01:00 UTC by Andrew Bartlett
Modified: 2005-08-24 10:28 UTC

Change account policy for maximum password age (1.40 KB, patch)
2003-07-07 18:44 UTC, Tim Potter

Description Andrew Bartlett 2003-06-22 01:00:36 UTC
Our account policy settings are a bit insane, and inconsistent.

This means that people who migrate to LDAP from NT or from smbpasswd get a nasty
surprise with the changed behaviour.

We should apply the maximum password age to smbpasswd, and set the initial value
to a really long time.  (This would match smbpasswd/samba 2.2 behaviour).

We should try and decode this information from the samsync.
Comment 1 John H Terpstra (mail address dead) 2003-06-22 01:54:37 UTC
I agree fully that we MUST not set a 21 day password age limit on new or
migrated accounts. This is biting some already.

We should set the account to not expire by default. The administrator should
change this at will, and not be forced to.
Comment 2 Tim Potter 2003-07-07 18:44:22 UTC
Created attachment 45 [details]
Change account policy for maximum password age

The fix for this seems oddly small - simply set the maximum password age in the
account policy to zero.  Unfortunately I'm unable to test it due to the
brokenness of the samba-3.0 tree at the moment!  )-:
Comment 3 Tim Potter 2003-07-07 18:45:05 UTC
BTW, I agree with jht on this one.  A default 20-day expiry policy is incredibly
Comment 4 Gerald (Jerry) Carter (dead mail address) 2003-07-24 20:15:40 UTC
The account policy stuff needs to be fully implemented or 
completely disabled.  For now, I'm committing Tim's patch.
Comment 5 Gerald (Jerry) Carter (dead mail address) 2003-07-25 12:56:57 UTC
Actually, you have to set the max password age to -1.
Tested and works with LDAP backend.
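
A simplified model of the two values discussed in comments 2 and 5, added here as an example (it is not Samba's code or the attached patch). It assumes the policy is an unsigned 32-bit number of seconds in which -1 is a "never expires" sentinel and every other value, including 0, is added to the last-set time; the function names and timestamps are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: "-1" is stored as 0xFFFFFFFF and means "no maximum age". */
#define MAX_AGE_NEVER UINT32_MAX
#define TIME_NEVER    INT64_MAX
#define DAY           86400

/* Time at which the password must be changed, in seconds since the epoch. */
int64_t must_change_time(int64_t last_set, uint32_t max_age)
{
    if (max_age == MAX_AGE_NEVER)
        return TIME_NEVER;
    /* Any other value is a real age limit. In this model 0 is not a
     * sentinel: it yields must_change == last_set. */
    return last_set + (int64_t)max_age;
}

/* 1 if the password is past its must-change time, 0 otherwise. */
int password_expired(int64_t now, int64_t last_set, uint32_t max_age)
{
    return now >= must_change_time(last_set, max_age);
}

int main(void)
{
    /* Constructed sample: password set at t=1000, checked 30 days later. */
    const int64_t last_set = 1000;
    const int64_t now = last_set + 30 * DAY;
    const struct { const char *label; uint32_t max_age; } policies[] = {
        { "21 days (old default)", 21 * DAY },
        { "0",                     0 },
        { "-1",                    (uint32_t)-1 },
    };

    for (size_t i = 0; i < sizeof policies / sizeof policies[0]; i++)
        printf("max age %-22s -> %s\n", policies[i].label,
               password_expired(now, last_set, policies[i].max_age)
                   ? "expired" : "valid");
    return 0;
}
```
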
Comment 6 Gerald (Jerry) Carter (dead mail address) 2005-02-07 08:39:24 UTC
Originally reported against 3.0.0beta1.  Cleaning out 
non-production release versions.
Comment 7 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:28:18 UTC
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.