Currently, if a user's local password entry is just "!!" (as it well may be if using Kerberos or other non-local authentication), the unlock user functions will blithely remove this, leaving no password at all. I think it'd be nicer for the function to fail in this case, and for there to be a separate function like unlock_if_blank for situations where this behavior is really wanted.
As much as I would like to be able to differentiate between "user is never meant to log in" and "user has an empty password, but the account is currently locked":
* existing practice does not support this (shadow-utils use "!!" for "never log in", libuser for "empty password, locked")
* it's an incompatible API change
* libuser users have a reasonable right to expect that removepass->lock->unlock works and results in an account with no password.
How about the other way around -- a "safe unlock" function, which will never leave an account unprotected?
libuser-0.53 provides lu_user_unlock_nonempty () and lu_group_unlock_nonempty(). The Python unlockUser and unlockGroup functions have an optional 'nonempty' parameter.
Thank you very much!
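The behaviour discussed in this thread, as an added example that is not libuser's code or API: a small model of the shadow password field that finds locked accounts which a plain unlock would leave without a password. The names `unlock`, `audit` and `EmptyPasswordError` are hypothetical, the shadow lines are constructed, and stripping every leading "!" is an assumption based on the report that "!!" becomes an empty field.

```python
# Added illustration: a model of the shadow password field, not libuser's code.
# Constructed sample entries in /etc/shadow layout (name:password:...).
SAMPLE_SHADOW = """\
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
krbuser:!!:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""


class EmptyPasswordError(ValueError):
    """Unlocking would leave the account with no password."""


def unlock(field, nonempty=False):
    """Strip leading '!' lock markers (assumed behaviour, per the thread).

    With nonempty=True, refuse instead of returning an empty password field,
    which is the "safe unlock" idea proposed above.
    """
    unlocked = field.lstrip("!")
    if nonempty and unlocked == "":
        raise EmptyPasswordError("unlock would leave an empty password")
    return unlocked


def audit(shadow_text):
    """Return names of locked accounts that a plain unlock would leave passwordless."""
    risky = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, field = line.split(":")[:2]
        if field.startswith("!") and unlock(field) == "":
            risky.append(name)
    return risky


if __name__ == "__main__":
    for name in audit(SAMPLE_SHADOW):
        print(f"{name}: plain unlock would leave no password")
```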