I can confirm the bug; moving from etch to lenny really confused me, and I think this can really be considered a security bug. [If I reset a password to a shared/simple one, I suppose using '-B' that the user will change it, but they are not forced to do so...]
Easy patch, I hope it will be integrated soon.

--
dott. Marco Gaiarin  GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''  http://www.sv.lnf.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)sv.lnf.it  tel +39-0434-842711  fax +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/chi_siamo/5xmille.php
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
--- smbldap-passwd.orig 2010-02-01 15:25:45.000000000 +0100 +++ smbldap-passwd 2010-02-01 15:22:03.000000000 +0100 @@ -222,13 +222,13 @@ } } if ($force_update_samba_passwd == 1) { - # To force a user to change his password: - # . the attribut sambaPwdLastSet must be != 0 + # To force a user to change his password (in samba >= 3.2): + # . the attribut sambaPwdLastSet must be == 0 # . the attribut sambaAcctFlags must not match the 'X' flag my $winmagic = 2147483647; my $valacctflags = "[U]"; push(@mods, 'sambaPwdMustChange' => 0); - push(@mods, 'sambaPwdLastSet' => $winmagic); + push(@mods, 'sambaPwdLastSet' => 0); push(@mods, 'sambaAcctFlags' => $valacctflags); } # Let's change nt/lm passwords
--- smbldap-useradd.orig 2010-02-01 15:16:40.000000000 +0100 +++ smbldap-useradd 2010-02-01 15:22:16.000000000 +0100 @@ -429,10 +429,10 @@ if (defined($tmp = $Options{'B'})) { if ($tmp != 0) { $valpwdmustchange = "0"; - # To force a user to change his password: - # . the attribut sambaPwdLastSet must be != 0 + # To force a user to change his password (in samba >= 3.2): + # . the attribut sambaPwdLastSet must be == 0 # . the attribut sambaAcctFlags must not match the 'X' flag - $valpwdlastset=$winmagic; + $valpwdlastset= 0; $valacctflags = "[U]"; } else { $valpwdmustchange = "$winmagic";
--- smbldap-usermod.orig 2010-02-01 15:01:02.000000000 +0100 +++ smbldap-usermod 2010-02-01 15:08:28.000000000 +0100 @@ -494,8 +494,8 @@ if ($samba == 1) { if ($tmp != 0) { $_sambaPwdMustChange=0; - # To force a user to change his password: - # . the attribut sambaPwdLastSet must be != 0 + # To force a user to change his password (in samba >= 3.2): + # . the attribut sambaPwdLastSet must be == 0 # . the attribut sambaAcctFlags must not match the 'X' flag my $_sambaAcctFlags; my $flags = $user_entry->get_value('sambaAcctFlags'); @@ -509,8 +509,8 @@ push(@mods, 'sambaAcctFlags' => $_sambaAcctFlags); } my $_sambaPwdLastSet = $user_entry->get_value('sambaPwdLastSet'); - if ($_sambaPwdLastSet == 0) { - push(@mods, 'sambaPwdLastSet' => $winmagic); + if ($_sambaPwdLastSet != 0) { + push(@mods, 'sambaPwdLastSet' => 0); } } else { $_sambaPwdMustChange=$winmagic;
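Review bot: In the smbldap-passwd hunk, `my $winmagic = 2147483647;` is still declared inside the `$force_update_samba_passwd` block, but after this change nothing in the visible block reads it. Drop the declaration unless a later line in that scope uses it. The new comment also ties the `== 0` rule to samba >= 3.2 while the code writes 0 unconditionally, so the comment or changelog should say what an installation running an older Samba gets from `-B` after this patch.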
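Review bot: In the smbldap-useradd hunk, `$valpwdlastset= 0;` assigns a bare number with uneven spacing, while the neighbouring assignment is a quoted string (`$valpwdmustchange = "0";`). Writing `$valpwdlastset = "0";` keeps the two attribute values consistent. The comment line carried over in all three files spells "attribut"; since the line is being touched anyway, this is a good moment to correct it to "attribute".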
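Review bot: In the second smbldap-usermod hunk, the guard `if ($_sambaPwdLastSet != 0)` compares the result of `get_value('sambaPwdLastSet')` numerically without checking that it is defined. For an entry that has no such attribute the value is undef, which Perl treats as 0 in this comparison, so no modification is pushed and the attribute is never written. If an explicit 0 is what forces the change, push `'sambaPwdLastSet' => 0` unconditionally, as the smbldap-passwd hunk does, or test `defined($_sambaPwdLastSet)` before comparing.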