Bug 3969 - 3.0.23a all AD accounts password expired
3.0.23a all AD accounts password expired
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.23a
x86 Solaris
: P2 normal
: 3.0.23
Assigned To: Guenther Deschner
Samba QA Contact
:
: 3975 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2006-07-27 10:41 UTC by db38
Modified: 2011-03-20 22:06 UTC (History)
3 users (show)

See Also:


Attachments
pam_winbind expiry hotfix (739 bytes, patch)
2006-08-08 09:53 UTC, Guenther Deschner
no flags Details
Fix bad time comparison (5.85 KB, patch)
2006-08-22 17:49 UTC, Gerald (Jerry) Carter
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description db38 2006-07-27 10:41:17 UTC
Since installing 3.0.23a all AD accounts are expired when using winbind on solaris 10.
Comment 1 Peter Trifonov 2006-08-02 10:23:49 UTC
The same behaviour is observed on FreeBSD x86
Comment 2 Gerald (Jerry) Carter 2006-08-04 12:05:05 UTC
Guenther, please take a look at this.  Thanks,
Comment 3 Gerald (Jerry) Carter 2006-08-04 12:21:07 UTC
*** Bug 3975 has been marked as a duplicate of this bug. ***
Comment 4 db38 2006-08-04 12:26:57 UTC
(In reply to comment #3)
> *** Bug 3975 has been marked as a duplicate of this bug. ***
> 
In our Win2k3 AD environment password expire is not used.
Comment 5 Shannon Johnson 2006-08-04 13:56:01 UTC
We found that a good work-around was to set a password expiration of 365 days (any will work, as long as it's greater than 0). 

We concluded that Samba interprets the "Never expire" group policy as already expired. Apparently the group policy for "Never expire" actually sets it to expire in 0 days, which Samba reads as "expire immediately". 
Comment 6 Guenther Deschner 2006-08-08 09:53:20 UTC
Created attachment 2088 [details]
pam_winbind expiry hotfix

This is not the final fix but should work for now.
Comment 7 Peter Trifonov 2006-08-08 12:23:18 UTC
Now pam_winbind permits login even if the user types wrong password, i.e. anyone can login to the system without knowing the correct password.
However, "password expired" message has gone.

Comment 8 Gerald (Jerry) Carter 2006-08-22 17:49:22 UTC
Created attachment 2100 [details]
Fix bad time comparison

Fix the unsigned time_t values
Comment 9 Gerald (Jerry) Carter 2006-08-22 17:49:44 UTC
Fixing for 3.0.23c