Bug 4290 - pam_winbind: password expiry time shown incorrectly
Summary: pam_winbind: password expiry time shown incorrectly
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.23d
Hardware: All All
: P3 normal
Target Milestone: none
Assignee: Jim McDonough
QA Contact: Samba QA Contact
Depends on:
Reported: 2006-12-08 08:53 UTC by Andrew Benham
Modified: 2006-12-12 16:05 UTC (History)
0 users

See Also:

Patch to pam_winbind.c (856 bytes, patch)
2006-12-08 08:54 UTC, Andrew Benham
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Benham 2006-12-08 08:53:27 UTC
pam_winbind.c, lines 470-476 read:

/* warn a user if the password is about to expire soon */
if ( ! (response.data.auth.info3.acct_flags & ACB_PWNOEXP) &&
    (response.data.auth.policy.expire) && 
    (response.data.auth.info3.pass_last_set_time +
     response.data.auth.policy.expire > time(NULL) ) ) {

		int days = response.data.auth.policy.expire / SECONDS_PER_DAY;

If "the time the password was last set"  plus  "the password lifetime policy"
is greater than the current time, then we test if "the password
lifetime policy" in days is less than DAYS_TO_WARN_BEFORE_PWD_EXPIRES.

Probably not what was intended - this prints the policy on password lifetimes.

By changing 'DAYS_TO_WARN_BEFORE_PWD_EXPIRES' to 100, I discovered that
our policy on password lifetimes is 84 days, but not how long until a password

The calculation of 'days' should be:

int days = (response.data.auth.info3.pass_last_set_time 
            + response.data.auth.policy.expire
            - time(NULL) ) / SECONDS_PER_DAY;

then users are warned when their passwords are about to expire.
Comment 1 Andrew Benham 2006-12-08 08:54:33 UTC
Created attachment 2237 [details]
Patch to pam_winbind.c

Fixes password expiry warning
Comment 2 Jim McDonough 2006-12-12 16:05:59 UTC
Thanks, nice catch.  Checked into 3.0 and 3.0.24, r20136.