Univention Bugzilla – Bug 29918
Password interval of 0 days misleading
Last modified: 2017-08-14 15:02:30 CEST
In the Passwordpolicy the individual tests are disabled by setting them to 0. If setting the Password age to 0, it however expires the password on the same day for the posix interval. Kerberos (Samba 4) still continue to work.
This refers to setting the UMC Password policy to 0 days. All other settings, history and complexity, however have 0 for disabling the policy. As the Samba4 settings are not effected the login on windows clients is still possible while using linux services such as mail is not. Expected would be that either 0 disables all policies or that Samba 4 is effected as well.
The "Password expiry interval" can be set empty to disable password expiry. This is the default. The manual does not mention this clear enough and I created a new bug 29946 against the UCS manual for this. The proposal of this bug is an enhancement of the interpretation of the special value "0" in the UDM passowrd policy. Probably required changes can be minimized by interpreting this special value on the level of UDM properties and simply mapping it to an empty LDAP attribute. If this bug should be fixed, I would recommend creating a similar enhancement bug for the interpretation of the UDM property maxPasswordAge part of the Samba domain object. The Samba passowrd policy settings are not connected to the Samba settings currently. The maximum password age attribute of the Samba domain object is disabled by setting to either empty or to the special value of -1 (IIRC, see also recent bug 29775).
(In reply to comment #1) > This refers to setting the UMC Password policy to 0 days. All other settings, > history and complexity, however have 0 for disabling the policy. > > As the Samba4 settings are not effected the login on windows clients is still > possible while using linux services such as mail is not. > > Expected would be that either 0 disables all policies or that Samba 4 is > effected as well. A value of "0" should affect Posix the same way it effects Kerberos from now on. univention-directory-manager-modules (8.0.142-1) unstable; urgency=low * deactivate password expiry for posix if set to "0" in the related policy (Bug #29918) svn 39494
OK, password expiry (linux, kerberos) is disabled if setting "Password expiry interval" to 0 (as in samba, when setting maxPasswordAge to 0). Changelog entry exists.
UCS 3.1-1 has been released: http://download.univention.de/doc/release-notes-3.1-1_en.pdf http://download.univention.de/doc/release-notes-3.1-1.pdf If this error occurs again, please use "Clone This Bug".