Our account policy settings are a bit insane, and inconsistent. This means that people who migrate to LDAP from NT or from smbpasswd get a nasty surprise with the changed behaviour. We should apply the maximum password age to smbpasswd, and set the initial value to a really long time. (This would match smbpasswd/samba 2.2 behaviour). We should try and decode this information from the samsync.
I agree fully that we MUST not set a 21 day password age limit on new or migrated accounts. This is biting some already. We should set the account to not expire by default. The administrator should change this at will, and not be forced to.
Created attachment 45 (Change account policy for maximum password age). The fix for this seems oddly small - simply set the maximum password age in the account policy to zero. Unfortunately I'm unable to test it due to the brokenness of the samba-3.0 tree at the moment! )-:
BTW, I agree with jht on this one. A default 20-day expiry policy is incredibly annoying.
The account policy stuff needs to be fully implemented or completely disabled. For now, I'm committing Tim's patch.
Actually, you have to set the max password age to -1. Tested and works with LDAP backend.
Originally reported against 3.0.0beta1. Cleaning out non-production release versions.
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.