I can confirm the bug; moving from etch to lenny really confused me, and
I think this can really be considered a security bug.
[If I reset a password to a shared/simple one, I assume that by using '-B' the
user will have to change it, but they are not forced to do so...]

Easy patch; I hope it will be integrated soon.

-- 
dott. Marco Gaiarin                                 GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it      tel +39-0434-842711  fax +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
           http://www.lanostrafamiglia.it/chi_siamo/5xmille.php
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
--- smbldap-passwd.orig	2010-02-01 15:25:45.000000000 +0100
+++ smbldap-passwd	2010-02-01 15:22:03.000000000 +0100
@@ -222,13 +222,13 @@
 	    }
 	}
 	if ($force_update_samba_passwd == 1) {
-		    # To force a user to change his password:
-		    # . the attribut sambaPwdLastSet must be != 0
+		    # To force a user to change his password (in samba >= 3.2):
+		    # . the attribut sambaPwdLastSet must be == 0
 		    # . the attribut sambaAcctFlags must not match the 'X' flag
 		    my $winmagic = 2147483647;
 		    my $valacctflags = "[U]";
 		    push(@mods, 'sambaPwdMustChange' => 0);
-		    push(@mods, 'sambaPwdLastSet' => $winmagic);
+		    push(@mods, 'sambaPwdLastSet' => 0);
 		    push(@mods, 'sambaAcctFlags' => $valacctflags);
 		}
 	# Let's change nt/lm passwords
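Review bot: The `sambaAcctFlags` value pushed in this block is the fixed string `[U]`, so (assuming `@mods` is applied as a replace) a forced-change reset discards whatever flags the account carried, including a disabled `D` flag, and the commit leaves that untouched. The smbldap-usermod hunk reads the entry's current flags with `get_value('sambaAcctFlags')` before writing; doing the same here and only clearing `X` would keep a locked account locked. Separately, `my $winmagic = 2147483647;` has no remaining use inside this block after the change and can be dropped. The enclosing code starts and ends outside the hunk.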
--- smbldap-useradd.orig	2010-02-01 15:16:40.000000000 +0100
+++ smbldap-useradd	2010-02-01 15:22:16.000000000 +0100
@@ -429,10 +429,10 @@
 	if (defined($tmp = $Options{'B'})) {
 	    if ($tmp != 0) {
 		$valpwdmustchange = "0";
-		# To force a user to change his password:
-		# . the attribut sambaPwdLastSet must be != 0
+		# To force a user to change his password (in samba >= 3.2):
+		# . the attribut sambaPwdLastSet must be == 0
 		# . the attribut sambaAcctFlags must not match the 'X' flag
-		$valpwdlastset=$winmagic;
+		$valpwdlastset= 0;
 		$valacctflags = "[U]";
 	    } else {
 		$valpwdmustchange = "$winmagic";
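Review bot: The added `$valpwdlastset= 0;` is spaced differently from the assignments around it and uses a bare number where the line above assigns the string `"0"`; `$valpwdlastset = "0";` would match its neighbours. The rewritten comment also keeps the spelling `attribut` (same in the smbldap-passwd and smbldap-usermod hunks), which should read `attribute`. The `if`/`else` on `$Options{'B'}` continues past the end of the hunk.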
--- smbldap-usermod.orig	2010-02-01 15:01:02.000000000 +0100
+++ smbldap-usermod	2010-02-01 15:08:28.000000000 +0100
@@ -494,8 +494,8 @@
     if ($samba == 1) {
 	if ($tmp != 0) {
 	    $_sambaPwdMustChange=0;
-	    # To force a user to change his password:
-	    # . the attribut sambaPwdLastSet must be != 0
+	    # To force a user to change his password (in samba >= 3.2):
+	    # . the attribut sambaPwdLastSet must be == 0
 	    # . the attribut sambaAcctFlags must not match the 'X' flag
 	    my $_sambaAcctFlags;
 	    my $flags = $user_entry->get_value('sambaAcctFlags');
@@ -509,8 +509,8 @@
 		push(@mods, 'sambaAcctFlags' => $_sambaAcctFlags);
 	    }
 	    my $_sambaPwdLastSet = $user_entry->get_value('sambaPwdLastSet');
-	    if ($_sambaPwdLastSet == 0) {
-		push(@mods, 'sambaPwdLastSet' => $winmagic);
+	    if ($_sambaPwdLastSet != 0) {
+		push(@mods, 'sambaPwdLastSet' => 0);
 	    }
 	} else {
 	    $_sambaPwdMustChange=$winmagic;
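Review bot: With the comparison flipped to `!= 0`, an entry that has no `sambaPwdLastSet` attribute is now skipped: `get_value` would give undef, which numifies to 0, so nothing is pushed (the old `== 0` test did write a value in that case) and Perl emits an uninitialized-value warning under `use warnings`. Whether Samba treats a missing attribute the same as 0 is not visible from this hunk, so it is safer to write the value explicitly, e.g. `if (!defined($_sambaPwdLastSet) || $_sambaPwdLastSet != 0) {`. The surrounding `if ($samba == 1)` block begins in the previous hunk and continues past this one.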
