pam_winbind.c, lines 470-476 read: /* warn a user if the password is about to expire soon */ if ( ! (response.data.auth.info3.acct_flags & ACB_PWNOEXP) && (response.data.auth.policy.expire) && (response.data.auth.info3.pass_last_set_time + response.data.auth.policy.expire > time(NULL) ) ) { int days = response.data.auth.policy.expire / SECONDS_PER_DAY; if (days <= DAYS_TO_WARN_BEFORE_PWD_EXPIRES) { ... If "the time the password was last set" plus "the password lifetime policy" is greater than the current time, then we test if "the password lifetime policy" in days is less than DAYS_TO_WARN_BEFORE_PWD_EXPIRES. Probably not what was intended - this prints the policy on password lifetimes. By changing 'DAYS_TO_WARN_BEFORE_PWD_EXPIRES' to 100, I discovered that our policy on password lifetimes is 84 days, but not how long until a password expires. The calculation of 'days' should be: int days = (response.data.auth.info3.pass_last_set_time + response.data.auth.policy.expire - time(NULL) ) / SECONDS_PER_DAY; then users are warned when their passwords are about to expire.
Created attachment 2237 [details] Patch to pam_winbind.c Fixes password expiry warning
Thanks, nice catch. Checked into 3.0 and 3.0.24, r20136.