List: cifs-protocol
Subject: [cifs-protocol] [REG:113103010905266] Behaviour of UF_LOCKOUT compared with UF_PASSWORD_EXPIRED
From: Edgar Olougouna <edgaro () microsoft ! com>
Date: 2013-10-30 14:54:16
Message-ID: 71249d3f35d64bb8ad9ec9b06af3ce5e () DFM-DB3MBX15-01 ! exchange ! corp ! microsoft ! com
[case number in subject]
[casemail to cc]
Andrew,
I will investigate this and follow-up.
Thanks,
Edgar
-----Original Message-----
From: Mark Miller (MOD)
Sent: Wednesday, October 30, 2013 8:14 AM
To: Andrew Bartlett
Cc: cifs-protocol@samba.org
Subject: RE: Behaviour of UF_LOCKOUT compared with UF_PASSWORD_EXPIRED
Hi Andrew,
Thank you for contacting us. A colleague will follow up with you to investigate this issue.
Regards,
Mark Miller | Escalation Engineer | Open Specifications Support Team
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@samba.org]
Sent: Tuesday, October 29, 2013 8:40 PM
To: Interoperability Documentation Help
Cc: cifs-protocol@samba.org
Subject: Behaviour of UF_LOCKOUT compared with UF_PASSWORD_EXPIRED
(BTW, I think my other thread got lost, so I'm starting back from scratch here)
In 'MS-SAMR 3.1.5.14.11 User Field to Attribute Name Mapping' it says:
*On read of UserAccountControl, the database attribute value MUST be:
1. Augmented with the UF_LOCKOUT bit if the lockoutTime attribute value on the target object is nonzero and if its value plus the Effective-LockoutDuration attribute value (section 3.1.1.5) is less than the current time.
2. Augmented with the UF_PASSWORD_EXPIRED if PasswordMustChange is less than the current time.
However, testing (smbtorture's rpc.samr.passwords.lockout test shows that) only the UF_PASSWORD_EXPIRED bit shows via SAMR, the UF_LOCKOUT does not. That is, we get a STATUS_ACCOUNT_LOCKED_OUT without this flag being returned.
In '3.1.5.14.6 Account Lockout State Maintenance' different rules appear to apply compared to MS-ADTS '3.1.1.4.5.17 msDS-User-Account-Control-Computed'
The answers on these things matter to me, because I was trying to build the SAMR behaviour on the msDS-User-Account-Control-Computed behaviour. The MS-ADTS docs have regard for the account type, for example.
Can you look into this, and assist me in understanding what rules are actually applied, and if these two calculations are deliberately out of sync?
Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz