8563 – Observe per user password can change time

Bug 8563 - Observe per user password can change time

Summary: Observe per user password can change time

Status:	NEW

Alias:	None

Product:	Samba 3.6
Classification:	Unclassified
Component:	User & Group Accounts (show other bugs)
Version:	3.6.1
Hardware:	All All

Importance:	P5 normal
Target Milestone:	---
Assignee:	Samba Bugzilla Account
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2011-11-02 13:29 UTC by Roel van Meer
Modified:	2011-11-02 16:50 UTC (History)
CC List:	0 users

See Also:

Attachments
Patch for 3.5.11 and 3.6.1 (688 bytes, patch) 2011-11-02 16:50 UTC, Roel van Meer	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Roel van Meer 2011-11-02 13:29:50 UTC

While debugging bug 8561 I came across the fact that the value of the sambaPwdCanChange attribute is not honoured.

The function pdb_get_pass_can_change_time() in pdb_get_set.c returns the
time after which the password can be changed. It has the following logic:

a) If sambaPwdLastSet is 0, then the password cannot not be changed, so
return 0.
b) If sambaPwdCanChange is 2147483647 and we have a sambaPwdLastSet
value, return sambaPwdLastSet.
c) Return the time the password was last changed plus the minimum password
age.

For the sambaPwdCanChange attribute that means that if the value is
2147483647, the password may be changed *after* the time the password was
last changed, but other values are ignored.

The attached patch extends the logic with the following:

If a user has a specific sambaPwdCanChange value, and this is later than the value as calculated by the policy, use it.

This allows us to prevent a user from setting his password until a certain time in the future, regardless of the minimum password age.

Comment 1 Roel van Meer 2011-11-02 16:50:23 UTC

Created attachment 7053 [details]
Patch for 3.5.11 and 3.6.1