
List:       cifs-protocol
Subject:    Re: [cifs-protocol] Behaviour of UF_LOCKOUT compared with UF_PASSWORD_EXPIRED
From:       "Mark Miller (MOD)" <markmi () microsoft ! com>
Date:       2013-10-30 13:13:42
Message-ID: 2E16EDEDE9BF0946905360BF31226AEF5C6BB123 () TK5EX14MBXC280 ! redmond ! corp ! microsoft ! com

Hi Andrew,

Thank you for contacting us.  A colleague will follow up with you to investigate this
issue.

Regards,
Mark Miller | Escalation Engineer | Open Specifications Support Team

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@samba.org] 
Sent: Tuesday, October 29, 2013 8:40 PM
To: Interoperability Documentation Help
Cc: cifs-protocol@samba.org
Subject: Behaviour of UF_LOCKOUT compared with UF_PASSWORD_EXPIRED

(BTW, I think my other thread got lost, so I'm starting back from scratch here)

In 'MS-SAMR 3.1.5.14.11 User Field to Attribute Name Mapping' it says:

*On read of UserAccountControl, the database attribute value MUST be:
1. Augmented with the UF_LOCKOUT bit if the lockoutTime attribute value on the target
   object is nonzero and if its value plus the Effective-LockoutDuration attribute value
   (section 3.1.1.5) is less than the current time.
2. Augmented with the UF_PASSWORD_EXPIRED if PasswordMustChange is less than the
   current time.

However, testing (smbtorture's rpc.samr.passwords.lockout test shows
that) only the UF_PASSWORD_EXPIRED bit shows via SAMR, the UF_LOCKOUT does not.  That
is, we get a STATUS_ACCOUNT_LOCKED_OUT without this flag being returned.

In '3.1.5.14.6 Account Lockout State Maintenance' different rules appear to apply
compared to MS-ADTS '3.1.1.4.5.17 msDS-User-Account-Control-Computed'.

The answers on these things matter to me, because I was trying to build the SAMR
behaviour on the msDS-User-Account-Control-Computed behaviour.  The MS-ADTS docs have
regard for the account type, for example.


Can you look into this, and assist me in understanding what rules are actually
applied, and if these two calculations are deliberately out of sync?

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz

