lib/param: Add new parameter "old password allowed period"

Change-Id: I46228b492ba71ba4f3fee380a1ccadb328e3ade1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

diff --git a/docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml b/docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml
new file mode 100644 (file)
index 0000000..ead720a
--- /dev/null
+++ b/docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="old password allowed period"
+                 context="G"
+                 advanced="1"
+                                type="integer"
+                xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>Number of minutes to permit an NTLM login after a password change or reset using the old password.  This allows the user to re-cache the new password on multiple clients without disrupting a network reconnection in the meantime. </para>
+
+    <para>This parameter only applies when <smbconfoption name="server role"/> is set to Active Directory Domain Controller</para>
+</description>
+
+<value type="default">60</value>
+</samba:parameter>

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index fd5e5e3dac229432276c10705f05722f9050cf4c..97a06a0efd0e8b999a90bbdace926834028f01d7 100644 (file)
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2082,6 +2082,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
        lpcfg_do_global_parameter(lp_ctx, "ReadRaw", "True");
        lpcfg_do_global_parameter(lp_ctx, "WriteRaw", "True");
        lpcfg_do_global_parameter(lp_ctx, "NullPasswords", "False");
+       lpcfg_do_global_parameter(lp_ctx, "old password allowed period", "60");
        lpcfg_do_global_parameter(lp_ctx, "ObeyPamRestrictions", "False");
 
        lpcfg_do_global_parameter(lp_ctx, "TimeServer", "False");

diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 40f8eb50d88478827cdccb650740dddd5cf63b39..8df7d1b5fa17ef3642ae5236baa0263e943cfb99 100644 (file)
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -489,6 +489,15 @@ static struct parm_struct parm_table[] = {
                .enum_list      = NULL,
                .flags          = FLAG_ADVANCED | FLAG_DEPRECATED,
        },
+       {
+               .label          = "old password allowed period",
+               .type           = P_INTEGER,
+               .p_class        = P_GLOBAL,
+               .offset         = GLOBAL_VAR(old_password_allowed_period),
+               .special        = NULL,
+               .enum_list      = NULL,
+               .flags          = FLAG_ADVANCED,
+       },
        {
                .label          = "obey pam restrictions",
                .type           = P_BOOL,

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index ad879725b480a896e5f45ebe87ba7eaeb8c62627..8006167fe519c4e9e01a2fd4e392633b6291c6b4 100644 (file)
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -802,6 +802,7 @@ static void init_globals(bool reinit_globals)
        Globals.read_raw = true;
        Globals.write_raw = true;
        Globals.null_passwords = false;
+       Globals.old_password_allowed_period = 60;
        Globals.obey_pam_restrictions = false;
        Globals.syslog = 1;
        Globals.syslog_only = false;