List: samba-technical
Subject: Re: [S4] PW Settings being ignored?
From: "Brian C. Huffman" <bhuffman () etinternational ! com>
Date: 2010-11-26 17:05:27
Message-ID: 4CEFE8D7.3040707 () etinternational ! com
On 11/26/2010 11:29 AM, Stefan (metze) Metzmacher wrote:
> Am 26.11.2010 17:24, schrieb Brian C. Huffman:
>> So, I added some debugging to the code and it appears that for some
>> reason, even though I've set the history length to 0 in the pwsettings,
>> it's got a length of "4" from somewhere:
>>
>> /* checks the NT hash password history */
>> for (i = 0; i< io->o.nt_history_len; i++) {
>> ret = memcmp(io->n.nt_hash,
>> io->o.nt_history[i].hash, 16);
>> if (ret == 0) {
>> ret = LDB_ERR_CONSTRAINT_VIOLATION;
>> ldb_asprintf_errstring(ldb,
>> "%08X: %s -
>> check_password_restrictions: "
>> - "the password was already used
>> (in history)!",
>> + "the password was already used
>> (in history)! History length: %d",
>>
>> W_ERROR_V(WERR_PASSWORD_RESTRICTION),
>> - ldb_strerror(ret));
>> + ldb_strerror(ret),
>> io->o.nt_history_len);
>> io->ac->status->reject_reason =
>> SAM_PWD_CHANGE_PWD_IN_HISTORY;
>> return ret;
>> }
>> }
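Review bot: the `History length: %d` added to the ldb_asprintf_errstring() format prints only io->o.nt_history_len, which is also the loop bound, so the output cannot show whether the configured policy length was ever consulted; printing the policy value next to it would make a mismatch between the two visible. The extra text also ends up in the error string handed back to the caller (it appears in the `msg:` output), so a debug-level log line would be a better home for it than the error string. Check too that `%d` matches the type of nt_history_len, and use `%u` if the field is unsigned.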
>>
>> yields:
>>
>> msg: 0000052D: Constraint violation - check_password_restrictions: the
>> password was already used (in history)! History length: 4
> That's the length of the stored history.
>
> Maybe we should use MIN(io->o.nt_history_len,
> io->ac->status->domain_data.pwdHistoryLength),
> but that needs testing...
>
> metze
>
I guess it depends what an AD server does. Is the policy change
retroactive immediately or do you need to change the password before the
history length is changed?
I don't know the answer.
-b
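
The clamp suggested in the quoted reply, as an added example that is not part of the original message and is not Samba's code: it compares a history check bounded by the stored length with one bounded by MIN(stored length, policy length). The struct, the function names, the sample hashes and the newest-first ordering are assumptions, and the example does not settle which behaviour an AD server has.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NT_HASH_LEN 16

/* Hypothetical stand-in for one stored history entry (not Samba's struct). */
struct hist_entry { uint8_t hash[NT_HASH_LEN]; };

/* Returns 1 if new_hash matches a history entry that is checked, else 0.
 * With clamp set, only MIN(stored_len, policy_len) entries are compared.
 * Assumption: entries are stored newest first. */
int in_history(const uint8_t *new_hash, const struct hist_entry *stored,
               uint32_t stored_len, uint32_t policy_len, int clamp)
{
    uint32_t limit = stored_len;
    uint32_t i;

    if (clamp && policy_len < limit) {
        limit = policy_len;
    }
    for (i = 0; i < limit; i++) {
        if (memcmp(new_hash, stored[i].hash, NT_HASH_LEN) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Constructed data: four stored entries; the "new" password reuses entry
 * reuse_idx. Returns the result of the history check. */
int demo(uint32_t policy_len, int clamp, uint32_t reuse_idx)
{
    struct hist_entry h[4];
    uint32_t i;

    for (i = 0; i < 4; i++) {
        memset(h[i].hash, (int)(0xA0 + i), NT_HASH_LEN);
    }
    return in_history(h[reuse_idx].hash, h, 4, policy_len, clamp);
}

int main(void)
{
    printf("policy 0, stored length only: %d\n", demo(0, 0, 2));
    printf("policy 0, clamped:            %d\n", demo(0, 1, 2));
    printf("policy 2, clamped, entry 3:   %d\n", demo(2, 1, 3));
    return 0;
}
```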