Bug 8563 - Observe per user password can change time
Observe per user password can change time
Status: NEW
Product: Samba 3.6
Classification: Unclassified
Component: User & Group Accounts
3.6.1
All All
: P5 normal
: ---
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-11-02 13:29 UTC by Roel van Meer
Modified: 2011-11-02 16:50 UTC (History)
0 users

See Also:


Attachments
Patch for 3.5.11 and 3.6.1 (688 bytes, patch)
2011-11-02 16:50 UTC, Roel van Meer
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Roel van Meer 2011-11-02 13:29:50 UTC
While debugging bug 8561 I came across the fact that the value of the sambaPwdCanChange attribute is not honoured.

The function pdb_get_pass_can_change_time() in pdb_get_set.c returns the
time after which the password can be changed. It has the following logic:

a) If sambaPwdLastSet is 0, then the password cannot not be changed, so
return 0.
b) If sambaPwdCanChange is 2147483647 and we have a sambaPwdLastSet
value, return sambaPwdLastSet.
c) Return the time the password was last changed plus the minimum password
age.

For the sambaPwdCanChange attribute that means that if the value is
2147483647, the password may be changed *after* the time the password was
last changed, but other values are ignored.

The attached patch extends the logic with the following:

If a user has a specific sambaPwdCanChange value, and this is later than the value as calculated by the policy, use it.

This allows us to prevent a user from setting his password until a certain time in the future, regardless of the minimum password age.
Comment 1 Roel van Meer 2011-11-02 16:50:23 UTC
Created attachment 7053 [details]
Patch for 3.5.11 and 3.6.1