On a Windows NT domain the "max password age" value is calculated at query time based on the "last password change" time and the current "max password age" account policy setting. I have verified that changing the "max password age" policy on a Windows NT domain takes effect for all accounts right after the policy change. In a Samba domain the "max password age" value is stored in the passdb and is calculated at password set time based on the "max password age" policy at that time. Changing the "max password age" policy does not take effect until all users change their passwords. This caused problems for some of our sites because some accounts got an invalid "max password age" setting during the vampire and now passwords on those accounts never expire. I haven't tracked the bug in the vampire down but it was a while ago and could already be fixed.
Created attachment 1364: described in bug text
From John (attached after review by Jim per IBM rules) Here is the patch I'm testing for matching Samba's "password must change"/"max password age" behavior to NT. I haven't done any testing with the tdb backend yet but it is working for ldap. I don't think Andrew Bartlett's suggestion on IRC of just removing the "password must change" attribute in ldap will work to solve this bug since Samba uses a value of 0 in that attribute to mean "password must change at next login". I went ahead and changed this attribute to get set to 1 or 0. 1 means calculate the password must change time based on the last set time + the policy, 0 means password must change time is equal to password last set time.
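The difference between the two schemes described above, as an added illustration that is not the attached patch and not Samba's own code: the old scheme stores the expiry time computed when the password was set, so a later policy change is invisible until the next password change; the NT-style scheme stores only the 0/1 flag the patch introduces and derives the expiry from last-set time plus the policy in force at query time. All identifiers, the `PWD_NEVER_EXPIRES` sentinel and the 90-day/30-day scenario are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical names for this example; they are not Samba's identifiers. */
#define DAY ((time_t)86400)
#define PWD_NEVER_EXPIRES ((time_t)-1)   /* policy sentinel, assumed here only */

/* Flag values with the meaning the patch comment gives the stored
 * "password must change" attribute: 0 = must change at next login,
 * 1 = derive the expiry from last set time + the current policy. */
#define MUST_CHANGE_NOW       0
#define MUST_CHANGE_BY_POLICY 1

/* Old Samba behaviour: the expiry itself is computed once, when the password
 * is set, and stored in the passdb. A later policy change is not seen until
 * the password is set again. */
time_t expiry_stored_at_set(time_t last_set, time_t max_age_at_set)
{
    if (max_age_at_set == PWD_NEVER_EXPIRES)
        return PWD_NEVER_EXPIRES;
    return last_set + max_age_at_set;
}

/* NT-style behaviour the patch aims for: only the flag is stored, and the
 * expiry is derived at query time from last set + the policy in force now. */
time_t expiry_at_query(time_t last_set, int flag, time_t max_age_now)
{
    if (flag == MUST_CHANGE_NOW)
        return last_set;                  /* expired from the moment it was set */
    if (max_age_now == PWD_NEVER_EXPIRES)
        return PWD_NEVER_EXPIRES;
    return last_set + max_age_now;
}

bool password_expired(time_t now, time_t expiry)
{
    return expiry != PWD_NEVER_EXPIRES && now >= expiry;
}

/* Constructed scenario: password set under a 90-day policy, policy later
 * tightened to 30 days, account queried 45 days after the set. Returns true
 * when the two schemes disagree, which is the situation the bug describes. */
bool schemes_disagree_after_policy_change(void)
{
    time_t last_set = 1000000;
    time_t now      = last_set + 45 * DAY;
    bool old_says = password_expired(now, expiry_stored_at_set(last_set, 90 * DAY));
    bool new_says = password_expired(now,
                        expiry_at_query(last_set, MUST_CHANGE_BY_POLICY, 30 * DAY));
    return old_says != new_says;
}

int main(void)
{
    printf("old and new schemes disagree after the policy change: %s\n",
           schemes_disagree_after_policy_change() ? "yes" : "no");
    return 0;
}
```

The point of the flag rather than a stored timestamp is that a policy change is honoured for every account on the next query, without touching the passdb; a stored value of 0 still forces a change at next login, as the ldap backend already relied on.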
One year plus later. Bug stuck in new state.
How about asking Jim to commit it then, Bill? :-). Jeremy.
The patch I had Jim post was to get comments on changing the meaning of the "password must change" passdb value. I think I posted this question to the mailing list at the time and didn't get any feedback.
Please check out the current code (3.0 or 3.0.23 branch) and try it out. I think I got it to match Windows.