Bug 2958 - "max password age" policy behavior does not match NT
Summary: "max password age" policy behavior does not match NT
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.14a
Hardware: All Linux
Importance: P2 normal
Target Milestone: none
Assignee: Jim McDonough
QA Contact: Samba QA Contact
Depends on:
Reported: 2005-08-05 10:29 UTC by John Janosik
Modified: 2006-09-20 14:34 UTC

See Also:

Attachment: described in bug text (18.80 KB, patch), 2005-08-10 13:08 UTC, Jim McDonough

Description John Janosik 2005-08-05 10:29:33 UTC
On a Windows NT domain the "max password age" value is calculated at query time
based on the "last password change" time and the current "max password age"
account policy setting.  I have verified that changing the "max password age"
policy on a Windows NT domain takes effect for all accounts right after the
policy change.

In a Samba domain the "max password age" value is stored in the passdb and is
calculated at password set time based on the "max password age" policy at that
time.  Changing the "max password age" policy does not take effect until all
users change their passwords.

This caused problems for some of our sites because some accounts got an invalid
"max password age" setting during the vampire and now passwords on those
accounts never expire.  I haven't tracked the bug in the vampire down but it was
a while ago and could already be fixed.
Comment 1 Jim McDonough 2005-08-10 13:08:49 UTC
Created attachment 1364 [details]
described in bug text
Comment 2 Jim McDonough 2005-08-10 13:10:31 UTC
From John (attached after review by Jim per IBM rules)

Here is the patch I'm testing for matching Samba's "password must change"/"max
password age" behavior to NT.  I haven't done any testing with the tdb backend
yet but it is working for ldap.  I don't think Andrew Bartlett's suggestion on
IRC of just removing the "password must change" attribute in ldap will work to
solve this bug since Samba uses a value of 0 in that attribute to mean "password
must change at next login". 

I went ahead and changed this attribute to get set to 1 or 0.  1 means calculate
the password must change time based on the last set time + the policy, 0 means
password must change time is equal to password last set time.
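As an added illustration (this is not Samba code and not the patch attached to this bug), the two ways of deriving the "password must change" time that the description and comment 2 contrast, modelled in Python: the stored model freezes an absolute timestamp from the policy in force when the password was set, while the NT-style model keeps only "password last set" plus the 1/0 flag proposed in comment 2 and applies the policy in force at query time. The names (PassdbEntry, set_password, must_change_time_stored, must_change_time_computed), the sample timestamps, and the use of None to stand for both a "never expires" policy and the invalid value left behind by the vampire are assumptions made for the example.

```python
"""Added example, not Samba code: contrast stored vs. computed "must change" time."""
from dataclasses import dataclass
from typing import Optional

DAY = 86400

# Flag values as proposed in comment 2 of the bug report (assumed encoding):
# 1 = derive the must-change time from last-set time + current policy,
# 0 = password must change at next logon.
MUST_CHANGE_FROM_POLICY = 1
MUST_CHANGE_NOW = 0


@dataclass
class PassdbEntry:
    """Hypothetical passdb record carrying both models side by side."""
    name: str
    pass_last_set: int                        # epoch seconds of last password set
    stored_must_change: Optional[int] = None  # old model: frozen absolute time
    must_change_flag: int = MUST_CHANGE_FROM_POLICY  # proposed model: flag only


def set_password(entry: PassdbEntry, now: int, max_age: Optional[int]) -> None:
    """Record a password change under both models at once.

    max_age is the "max password age" policy in seconds at set time;
    None models a policy of "passwords never expire" (assumption).
    """
    entry.pass_last_set = now
    entry.stored_must_change = None if max_age is None else now + max_age
    entry.must_change_flag = MUST_CHANGE_FROM_POLICY


def must_change_time_stored(entry: PassdbEntry) -> Optional[int]:
    """Old Samba behaviour as reported: whatever was frozen at set time."""
    return entry.stored_must_change


def must_change_time_computed(entry: PassdbEntry,
                              max_age: Optional[int]) -> Optional[int]:
    """NT-style behaviour: evaluate against the policy in force *now*."""
    if entry.must_change_flag == MUST_CHANGE_NOW:
        return entry.pass_last_set            # must change at next logon
    if max_age is None:
        return None                           # policy says never expires
    return entry.pass_last_set + max_age


def is_expired(must_change: Optional[int], now: int) -> bool:
    return must_change is not None and now >= must_change


def demo() -> dict:
    """Three accounts, one policy change; returns expiry verdicts per model."""
    t0 = 1_123_000_000                        # constructed epoch timestamp
    old_policy, new_policy = 90 * DAY, 30 * DAY

    # alice set her password under a 90-day policy.
    alice = PassdbEntry("alice", t0)
    set_password(alice, t0, old_policy)

    # bob was vampired with an invalid stored must-change value (None), last
    # set 100 days before t0; the report says such accounts never expire.
    bob = PassdbEntry("bob", t0 - 100 * DAY, stored_must_change=None)

    # carol was flagged "must change at next logon" (flag 0).
    carol = PassdbEntry("carol", t0, stored_must_change=t0,
                        must_change_flag=MUST_CHANGE_NOW)

    # The admin then shortens the policy to 30 days; query 45 days after t0.
    now = t0 + 45 * DAY
    return {
        "alice_stored": is_expired(must_change_time_stored(alice), now),
        "alice_computed": is_expired(must_change_time_computed(alice, new_policy), now),
        "bob_stored": is_expired(must_change_time_stored(bob), now),
        "bob_computed": is_expired(must_change_time_computed(bob, new_policy), now),
        "carol_computed": is_expired(must_change_time_computed(carol, new_policy), now),
    }


if __name__ == "__main__":
    for account, expired in demo().items():
        print(f"{account}: {'expired' if expired else 'valid'}")
```

Under the stored model alice is still valid 45 days in (her frozen 90-day deadline has not arrived) and bob never expires, exactly the symptoms in the report; under the computed model the new 30-day policy applies immediately to both, and the flag-0 case still yields "expired now" without needing a sentinel timestamp.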
Comment 3 Bill Marshall 2006-09-15 14:04:12 UTC
One year plus later. Bug stuck in new state.
Comment 4 Jeremy Allison 2006-09-17 13:42:55 UTC
How about asking Jim to commit it then, Bill? :-)
Comment 5 John Janosik 2006-09-18 09:22:16 UTC
The patch I had Jim post was to get comments on changing the meaning of the "password must change" passdb value.  I think I posted this question to the mailing list at the time and didn't get any feedback.
Comment 6 Jim McDonough 2006-09-20 14:34:50 UTC
Please check out the current code (3.0 or 3.0.23 branch) and try it out.  I think I got it to match Windows.