On a Windows NT domain the "max password age" value is calculated at query time
based on the "last password change" time and the current "max password age"
account policy setting. I have verified that changing the "max password age"
policy on a Windows NT domain takes effect for all accounts right after the
In a Samba domain the "max password age" value is stored in the passdb and is
calculated at password set time based on the "max password age" policy at that
time. Changing the "max password age" policy does not take effect until all
users change their passwords.
This caused problems for some of our sites because some accounts got an invalid
"max password age" setting during the vampire and now passwords on those
accounts never expire. I haven't tracked the bug in the vampire down but it was
a while ago and could already be fixed.
Created attachment 1364
described in bug text
From John (attached after review by Jim per IBM rules)
Here is the patch I'm testing for matching Samba's "password must change"/"max
password age" behavior to NT. I haven't done any testing with the tdb backend
yet but it is working for ldap. I don't think Andrew Bartlett's suggestion on
IRC of just removing the "password must change" attribute in ldap will work to
solve this bug since Samba uses a value of 0 in that attribute to mean "password
must change at next login".
I went ahead and changed this attribute to get set to 1 or 0. 1 means calculate
the password must change time based on the last set time + the policy, 0 means
password must change time is equal to password last set time.
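To make the difference between the two behaviours concrete, here is an added model (not Samba code, and not the attached patch) of the semantics described in the first comment and in the patch description above. It assumes integer epoch seconds, uses None as a constructed convention for "passwords never expire", and uses the proposed 0/1 meaning of the passdb "password must change" attribute: 0 means the password must change at next login, 1 means the expiry is computed at query time from the last-set time plus the policy currently in force. The function names are illustrative.

```python
"""Illustrative model of "password must change" handling.

Pre-patch Samba: the expiry timestamp is written into the passdb when the
password is set and never recomputed, so a later policy change (or a bad
value imported during a vampire) sticks until the user changes the password.
NT (and the proposed Samba behaviour): only a flag is stored; the expiry is
derived at query time from the last-set time and the policy in force now.
This is an added example, not Samba code.
"""
from typing import Optional

DAY = 24 * 60 * 60

# Proposed meaning of the passdb "password must change" attribute after the patch.
MUST_CHANGE_AT_NEXT_LOGON = 0   # 0: must change at next login
MUST_CHANGE_BY_POLICY = 1       # 1: compute last-set time + "max password age"


def stored_must_change(last_set: int, max_age_at_set: Optional[int]) -> Optional[int]:
    """Pre-patch Samba: value written into the passdb at password-set time.
    Later policy changes do not touch it; None stands for 'never expires'."""
    if max_age_at_set is None:
        return None
    return last_set + max_age_at_set


def query_time_must_change(last_set: int, flag: int, max_age_now: Optional[int]) -> Optional[int]:
    """NT-style behaviour: derive the expiry when asked, from the last-set
    time and the *current* "max password age" policy."""
    if flag == MUST_CHANGE_AT_NEXT_LOGON:
        return last_set          # already due: must change at next login
    if max_age_now is None:
        return None              # policy says passwords never expire
    return last_set + max_age_now


def is_expired(now: int, must_change: Optional[int]) -> bool:
    """True when the account's password is past its must-change time."""
    return must_change is not None and now >= must_change


def compare_policy_change(last_set: int, old_max_age: int, new_max_age: int, now: int) -> dict:
    """Set a password under old_max_age, then shorten the policy to new_max_age
    and ask each model whether the password has expired at 'now'."""
    stored = stored_must_change(last_set, old_max_age)
    queried = query_time_must_change(last_set, MUST_CHANGE_BY_POLICY, new_max_age)
    return {"stored_expired": is_expired(now, stored),
            "query_expired": is_expired(now, queried)}


def compare_bad_import(last_set: int, bogus_stored_value: int, max_age_now: int, now: int) -> dict:
    """The vampire problem from the bug: a garbage stored expiry (constructed
    value far in the future) never expires under the stored model, while the
    query-time model ignores the stored timestamp and recomputes."""
    queried = query_time_must_change(last_set, MUST_CHANGE_BY_POLICY, max_age_now)
    return {"stored_expired": is_expired(now, bogus_stored_value),
            "query_expired": is_expired(now, queried)}


if __name__ == "__main__":
    # Constructed scenario: password set at t=1000 under a 90-day policy,
    # policy later shortened to 30 days, checked 45 days after the set time.
    print(compare_policy_change(1000, 90 * DAY, 30 * DAY, 1000 + 45 * DAY))
    # Constructed scenario: vampire left a stored expiry of year ~2038.
    print(compare_bad_import(1000, 2 ** 31 - 1, 30 * DAY, 1000 + 45 * DAY))
```

In the first scenario the stored model still reports the password as valid (its 90-day expiry was frozen at set time) while the query-time model sees it as expired under the new 30-day policy; in the second, only the query-time model recovers from the bad imported value without waiting for the user to change their password.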
One year plus later. Bug stuck in new state.
How about asking Jim to commit it then, Bill? :-).
The patch I had Jim post was to get comments on changing the meaning of the "password must change" passdb value. I think I posted this question to the mailing list at the time and didn't get any feedback.
Please check out the current code (3.0 or 3.0.23 branch) and try it out. I think I got it to match Windows.