Our account policy settings are a bit insane, and inconsistant.
This means that people who migrate to LDAP from NT or from smbpasswd get a nasty
supprise with the changed behaviour.
We should apply the maximum password age to smbpasswd, and set the initial value
to a really long time. (This would match smbpasswd/samba 2.2 behaviour).
We should try and decode this information from the samsync.
I agree fully that we MUST not set a 21 day password age limit on new or
migrated accounts. This is biting some already.
We should set the account to not expire by default. The administrator should
change this at will, and not be forced to.
Created attachment 45 [details]
Change account policy for maximum password age
The fix for this seems oddly small - simply set the maximum password age in the
account policy to zero. Unfortunately I'm unable to test it due to the
brokenness of the samba-3.0 tree at the moment! )-:
BTW, I agree with jht on this one. A default 20-day expiry policy is incredibly
the account policy stuff needs to be fully implemented or
completely disabled. For now, i'm committing Tim's patch.
actually, you have to set the max password age to -1.
Tested and works with LDAP backend.
originally reported against 3.0.0beta1. CLeaning out
non-production release versions.
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.