Bug 3969 - 3.0.23a all AD accounts password expired
Summary: 3.0.23a all AD accounts password expired
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.23a
Hardware: x86 Solaris
: P2 normal
Target Milestone: 3.0.23
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
: 3975 (view as bug list)
Depends on:
Reported: 2006-07-27 10:41 UTC by db38
Modified: 2011-03-20 22:06 UTC (History)
3 users (show)

See Also:

pam_winbind expiry hotfix (739 bytes, patch)
2006-08-08 09:53 UTC, Guenther Deschner
no flags Details
Fix bad time comparison (5.85 KB, patch)
2006-08-22 17:49 UTC, Gerald (Jerry) Carter (dead mail address)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description db38 2006-07-27 10:41:17 UTC
Since installing 3.0.23a all AD accounts are expired when using winbind on solaris 10.
Comment 1 Peter Trifonov 2006-08-02 10:23:49 UTC
The same behaviour is observed on FreeBSD x86
Comment 2 Gerald (Jerry) Carter (dead mail address) 2006-08-04 12:05:05 UTC
Guenther, please take a look at this.  Thanks,
Comment 3 Gerald (Jerry) Carter (dead mail address) 2006-08-04 12:21:07 UTC
*** Bug 3975 has been marked as a duplicate of this bug. ***
Comment 4 db38 2006-08-04 12:26:57 UTC
(In reply to comment #3)
> *** Bug 3975 has been marked as a duplicate of this bug. ***
In our Win2k3 AD environment password expire is not used.
Comment 5 Shannon Johnson 2006-08-04 13:56:01 UTC
We found that a good work-around was to set a password expiration of 365 days (any will work, as long as it's greater than 0). 

We concluded that Samba interprets the "Never expire" group policy as already expired. Apparently the group policy for "Never expire" actually sets it to expire in 0 days, which Samba reads as "expire immediately". 
Comment 6 Guenther Deschner 2006-08-08 09:53:20 UTC
Created attachment 2088 [details]
pam_winbind expiry hotfix

This is not the final fix but should work for now.
Comment 7 Peter Trifonov 2006-08-08 12:23:18 UTC
Now pam_winbind permits login even if the user types wrong password, i.e. anyone can login to the system without knowing the correct password.
However, "password expired" message has gone.

Comment 8 Gerald (Jerry) Carter (dead mail address) 2006-08-22 17:49:22 UTC
Created attachment 2100 [details]
Fix bad time comparison

Fix the unsigned time_t values
Comment 9 Gerald (Jerry) Carter (dead mail address) 2006-08-22 17:49:44 UTC
Fixing for 3.0.23c