> On Thu, 2003-03-20 at 23:08, Jianliang Lu wrote:
> > Hi,
> > I'm working to complete the account policy that today worked only for min 
> > password len. The first patch is for the min password age, then others...
> > Now pdbedit is also patched to set/display the min/max password in number of 
> > days, not seconds.
> > Attached is the patch.
> 
> I'm glad to see people are using this stuff!  Comments below.
> 
> > Jianliang Lu
> > TieSse s.p.a.
> > [EMAIL PROTECTED]
> > [EMAIL PROTECTED]
> > ----
> > 
> 
> > --- samba-3.0alpha22/source/smbd/chgpasswd.c        Thu Mar 20 12:29:04 
2003
> > +++ samba-3.0alpha22/source/smbd/chgpasswd.c.fix    Thu Mar 20 12:34:42 
2003
> > @@ -944,6 +944,8 @@
> >  {
> >     BOOL ret;
> >     uint32 min_len;
> > +   uint32 min_age;
> > +   time_t pwdLastSet;
> >  
> >     if (time(NULL) < pdb_get_pass_can_change_time(hnd)) {
> >             DEBUG(1, ("user %s cannot change password now, must wait 
until %s\n", 
> > @@ -969,6 +971,15 @@
> >  /*                 return NT_STATUS_PWD_TOO_SHORT; */
> >     }
> >  
> > +   pwdLastSet =  pdb_get_pass_last_set_time (hnd);
> > +   if (account_policy_get(AP_MIN_PASSWORD_AGE, &min_age) && ((time
(NULL) - pwdLastSet) < min_age)) {
> > +           DEBUG(1, ("user %s cannot change password - password min age 
restriction \n", 
> > +                     pdb_get_username(hnd)));
> > +           DEBUGADD(1, (" account policy min password age = %d\n", 
min_age));
> > +           return NT_STATUS_PASSWORD_RESTRICTION;
> > +   }
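Review bot: The comparison `(time(NULL) - pwdLastSet) < min_age` mixes a `time_t` difference with a `uint32`, so its result when `pwdLastSet` lies in the future (clock stepped back, or a bad stored value) depends on the width and signedness of `time_t` on the platform; on some builds the negative difference converts to a large unsigned number and the minimum-age restriction is silently skipped. Compute the age explicitly, treat `now < pwdLastSet` as its own case, and compare values of one type. The `DEBUGADD` line prints the `uint32` `min_age` with `%d`; `%u` matches the type. The function also already refuses the change while `time(NULL) < pdb_get_pass_can_change_time(hnd)` (visible in the context of the previous hunk), so a comment should say why a second check against the live policy value is wanted.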
> 
> This is a duplicate.  We set this (as NT does, as far as I know) when
> the password is set/changed, to the value currently in the policy.  We
> don't (and NT doesn't - as far as I know) check both the value and the
> policy.
> 

What do you mean? I just check the pwdLastSet with the account policy on 
password min age when a user wants to change his password, and I'm not setting 
the value in the policy. What does it mean to "set the value in the policy" 
when a user wants to change his password?

> >     /* TODO:  Add cracklib support here */
> >  
> >     /*
> > ----
> > 
> 
> > --- samba-3.0alpha22/source/utils/pdbedit.c Thu Mar 20 12:28:13 2003
> > +++ samba-3.0alpha22/source/utils/pdbedit.c.fix     Thu Mar 20 12:42:50 
2003
> > @@ -586,13 +586,21 @@
> >                     fprintf(stderr, "valid account policy, but unable to 
fetch value!\n");
> >                     exit(1);
> >             }
> > +
> > +           if ((field == AP_MIN_PASSWORD_AGE) || (field == 
AP_MAX_PASSWORD_AGE)) {
> > +                   value = (value) / 86400;
> > +           }
> > +
> >             if (account_policy_value_set) {
> > +                   if ((field == AP_MIN_PASSWORD_AGE)  || (field == 
AP_MAX_PASSWORD_AGE)) {
> > +                           account_policy_value = (account_policy_value) 
* 86400;
> > +                   }
> >                     printf("account policy value for %s was %u\n", 
account_policy, value);
> >                     if (!account_policy_set(field, account_policy_value)) 
{
> >                             fprintf(stderr, "valid account policy, but 
unable to set value!\n");
> >                             exit(1);
> >                     }
> > -                   printf("account policy value for %s is now %lu\n", 
account_policy, account_policy_value);
> > +                   printf("account policy value for %s is now %lu\n", 
account_policy, ((field == AP_MIN_PASSWORD_AGE)  || (field == 
AP_MAX_PASSWORD_AGE)) ? account_policy_value/86400:account_policy_value);
> >                     exit(0);
> >             } else {
> >                     printf("account policy value for %s is %u\n", 
account_policy, value);
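Review bot: `value = (value) / 86400;` truncates, so a stored policy that is not a whole number of days (for example 1200 seconds) is reported as 0 and cannot be told apart from a policy of 0; report the raw seconds or the remainder when `value % 86400` is non-zero. In the set path, `account_policy_value * 86400` is not range-checked before it goes to `account_policy_set()`, so a large day count can wrap; reject inputs above the type's maximum divided by 86400. The `(field == AP_MIN_PASSWORD_AGE) || (field == AP_MAX_PASSWORD_AGE)` test appears three times and would read better as one helper or a local flag set once.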
> 
> Well, it's relatively common (and perhaps more useful) to have
> per-second resolution, because setting '20 mins' is quite useful for
> 'min passwd age'.  (makes it hard to change/change back, without locking
> people to their password for days).
> 

To conform to Microsoft (also in Advanced Server for Unix), the min/max 
password ages are in day resolution. I think that it makes no sense to set it 
to some minutes (you can always set it to 0 days). 


> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                 [EMAIL PROTECTED]
> Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
> Student Network Administrator, Hawker College   [EMAIL PROTECTED]
> http://samba.org     http://build.samba.org     http://hawkerc.net



Jianliang Lu
TieSse s.p.a.
[EMAIL PROTECTED]
[EMAIL PROTECTED]
