samba - Nov 2003 - Samba 3 Password Ageing and History

Hello,

I've been looking at Samba 3.0 with a view to an eventual upgrade to help us
meet some new security requirements.  I've downloaded and compiled the
source on the target machine.  A test user account has been created and stored
using a tdb file.

I have set and verified the following using pdbedit:

    minimum password age 60 (seconds)
    maximum password age 3600 (seconds)
    password history 3

The minimum and maximum password age parameters are working as expected, but the
password history parameter appears to be being ignored.

Has anyone been able to get this to work?  Is my assumption (documentation on
this is difficult to find) that setting password history to 3 prevents the same
password being reused within 3 password changes correct?

Many thank
Tony

On Thu, 2003-11-13 at 04:50, Tony Caddies wrote:
> Hello,
> 
> I've been looking at Samba 3.0 with a view to an eventual upgrade to
help us meet some new security requirements.  I've downloaded and compiled
the source on the target machine.  A test user account has been created and
stored using a tdb file.
> 
> I have set and verified the following using pdbedit:
> 
>     minimum password age 60 (seconds)
>     maximum password age 3600 (seconds)
>     password history 3
> 
> The minimum and maximum password age parameters are working as expected,
but the password history parameter appears to be being ignored.
> 
> Has anyone been able to get this to work?  Is my assumption (documentation
on this is difficult to find) that setting password history to 3 prevents the
same password being reused within 3 password changes correct?
It is not currently implemented.   There is interest on the
samba-technical list in fixing this however.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20031113/4f5ca8e0/attachment.bin

Andrew,

Thanks for the prompt reply.  I must say that the inclusion of password
ageing is going to solve a major headache for us and potentially save a lot
of time and money.

Forgive my ignorance, but is there a reference somewhere that states what
features in this area are or are not implemented?

Cheers
Tony


----- Original Message ----- 
From: "Andrew Bartlett" <abartlet@samba.org>
To: "Tony Caddies" <tony@planet625.co.uk>
Cc: "Samba" <samba@lists.samba.org>
Sent: Wednesday, November 12, 2003 11:04 PM
Subject: Re: [Samba] Samba 3 Password Ageing and History