List: cifs-protocol
Subject: Re: [cifs-protocol] [REG:113101710870929] Where is account lockout and password expiry described in
From: Edgar Olougouna <edgaro () microsoft ! com>
Date: 2013-11-04 22:44:31
Message-ID: ed495e5c76014fb188172a59968bcf54 () DFM-DB3MBX15-01 ! exchange ! corp ! microsoft ! com
Andrew,
This got transferred to me and I will be assisting you on this issue.
Let me review this and follow up.
Thanks,
Edgar
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@samba.org]
Sent: Thursday, October 24, 2013 5:53 PM
To: Sebastian Canevari
Cc: cifs-protocol@samba.org
Subject: Re: [cifs-protocol] Where is account lockout and password expiry described in the docs?
On Fri, 2013-10-25 at 10:50 +1300, Andrew Bartlett wrote:
> On Fri, 2013-10-25 at 09:26 +1300, Andrew Bartlett wrote:
> > On Thu, 2013-10-24 at 20:16 +0000, Sebastian Canevari wrote:
> > > Hi Andrew,
> > >
> > > Do you need further assistance from my end?
> >
> > I do. I was waiting on:
> >
> > > > As soon as I have answers or questions I'll let you know.
> > >
> > > Thanks. Please also include the details for how this happens in
> > > Kerberos, not just for NTLM, as I strongly suspect the semantics have
> > > subtle differences, particularly in forwarding.
> >
> > There is still no clear document explaining how this is handled for
> > Kerberos, and nothing that clearly describes how a NetLogon SamLogon
> > translates into a badPwdCount update.
> >
> > I was waiting for those docs before proceeding, to avoid rework.
>
> I'm also wanting clarification on the UF_LOCKOUT flag in
> msDS-User-Account-Control-Computed and userAccountControl
>
> It appears that msDS-User-Account-Control-Computed should be referred
> to by SAMR, as the source of the lockout algorithm, but there no
> reference from MS-SAMR to this attribute.
>
> Indeed, it is unclear how UF_LOCKOUT and UF_PASSWORD_EXPIRED is to
> behave, as 3.1.1.6 (18) bans this bit, but in:
>
> 3.1.1.8.10
> userAccountControl
> 1. If the UF_LOCKOUT bit (section 2.2.1.13) is set and the lockoutTime
> attribute is nonzero, the lockoutTime attribute MUST be updated to a
> value of zero.
>
> This implies that it can be set in userAccountControl. Also, the
> sense here seems backwards, surely clearing the bit sets lockoutTime
> to zero?
>
> Also it says:
>
> 2. The following bits, if set, MUST be unset before committing the
> transaction: UF_LOCKOUT and
> UF_PASSWORD_EXPIRED.
>
> This further confuses me as to if these are computed or stored flags
> (I'm assuming computed).
>
> This is the kind of level of detail I need in this area.
Additionally, as I'll need to implement the ms-DS-User-Account-Control-Computed
attribute, how do I implement

0x4000000 UF_PARTIAL_SECRETS_ACCOUNT
0x8000000 UF_USE_AES_KEYS

Because these are not included in MS-ADTS 3.1.1.4.5.17
msDS-User-Account-Control-Computed.
Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
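The thread above asks how the computed UF_LOCKOUT and UF_PASSWORD_EXPIRED bits relate to the stored attributes and how a failed SamLogon feeds badPwdCount. The following is an added example written for this page; it is not code from the thread, from Samba, or from Microsoft. It models one reading of MS-ADTS 3.1.1.4.5.17 (computed flags derived from lockoutTime, pwdLastSet and the domain's lockoutDuration, lockOutObservationWindow and maxPwdAge) and the commonly observed AD lockout behaviour. The exact comparisons, the treatment of lockoutDuration == 0 as "locked until an administrator unlocks", and the `unlock()` behaviour are assumptions to be checked against the specification, not statements of what the spec says. Times are Windows FILETIME ticks (100 ns since 1601-01-01) and domain intervals are stored as negative tick counts, as they are in AD.

```python
# Added example: model of msDS-User-Account-Control-Computed (UF_LOCKOUT,
# UF_PASSWORD_EXPIRED) and of the badPwdCount/lockoutTime update on a failed
# logon. Not Samba or Microsoft code; formulas are an assumed reading of
# MS-ADTS 3.1.1.4.5.17 and should be verified against the specification.
from dataclasses import dataclass

# Bit values as defined for userAccountControl / computed UAC (MS-SAMR 2.2.1.13).
UF_LOCKOUT = 0x0010
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_PASSWORD_EXPIRED = 0x800000

# FILETIME units: 100-ns intervals.
TICKS_PER_SECOND = 10_000_000


def ticks(seconds: int) -> int:
    """Convert seconds to FILETIME ticks."""
    return seconds * TICKS_PER_SECOND


@dataclass
class DomainPolicy:
    lockout_threshold: int            # lockoutThreshold; 0 = never lock out
    lockout_duration: int             # lockoutDuration, NEGATIVE ticks; 0 = until admin unlock (assumed)
    lockout_observation_window: int   # lockOutObservationWindow, NEGATIVE ticks
    max_pwd_age: int                  # maxPwdAge, NEGATIVE ticks; 0 = never expires


@dataclass
class Account:
    user_account_control: int = 0     # the STORED userAccountControl
    pwd_last_set: int = 0             # 0 = must change password at next logon
    bad_pwd_count: int = 0
    bad_password_time: int = 0
    lockout_time: int = 0             # 0 = not locked out


def is_locked_out(acct: Account, policy: DomainPolicy, now: int) -> bool:
    """Assumed rule: locked while lockoutTime != 0 and now < lockoutTime + |lockoutDuration|."""
    if acct.lockout_time == 0:
        return False
    if policy.lockout_duration == 0:
        return True
    # lockout_duration is negative, so subtracting it adds the interval.
    return now < acct.lockout_time - policy.lockout_duration


def is_password_expired(acct: Account, policy: DomainPolicy, now: int) -> bool:
    """Assumed rule: expired when pwdLastSet == 0, or pwdLastSet + |maxPwdAge| <= now,
    unless UF_DONT_EXPIRE_PASSWD is set in the stored userAccountControl."""
    if acct.user_account_control & UF_DONT_EXPIRE_PASSWD:
        return False
    if acct.pwd_last_set == 0:
        return True
    if policy.max_pwd_age == 0:
        return False
    return now >= acct.pwd_last_set - policy.max_pwd_age


def user_account_control_computed(acct: Account, policy: DomainPolicy, now: int) -> int:
    """The two computed bits discussed in the thread; never stored on the object."""
    flags = 0
    if is_locked_out(acct, policy, now):
        flags |= UF_LOCKOUT
    if is_password_expired(acct, policy, now):
        flags |= UF_PASSWORD_EXPIRED
    return flags


def record_bad_password(acct: Account, policy: DomainPolicy, now: int) -> int:
    """Model of the badPwdCount update after a failed logon (e.g. a SamLogon with a
    wrong password). Returns the new badPwdCount. Assumed behaviour: failures older
    than the observation window are forgotten; reaching the threshold sets lockoutTime."""
    if acct.bad_password_time and now >= acct.bad_password_time - policy.lockout_observation_window:
        acct.bad_pwd_count = 0
    acct.bad_pwd_count += 1
    acct.bad_password_time = now
    if policy.lockout_threshold and acct.bad_pwd_count >= policy.lockout_threshold:
        acct.lockout_time = now
    return acct.bad_pwd_count


def unlock(acct: Account) -> None:
    """Assumed effect of an administrative unlock (a userAccountControl write that
    clears UF_LOCKOUT): zero lockoutTime and badPwdCount; nothing else is stored."""
    acct.lockout_time = 0
    acct.bad_pwd_count = 0


if __name__ == "__main__":
    # Constructed sample: 3-strike policy, 30-minute lockout and window, 42-day passwords.
    policy = DomainPolicy(3, -ticks(30 * 60), -ticks(30 * 60), -ticks(42 * 86400))
    now = ticks(13_000_000_000)
    acct = Account(pwd_last_set=now - ticks(10 * 86400))
    for i in range(3):
        record_bad_password(acct, policy, now + ticks(i))
    print(hex(user_account_control_computed(acct, policy, now + ticks(3))))
```

The point the model makes concrete is the one Andrew raises: UF_LOCKOUT and UF_PASSWORD_EXPIRED are derived on read from lockoutTime, pwdLastSet and domain policy, so an implementation has nothing to store for them, and the only write that makes sense for UF_LOCKOUT is the one that clears lockoutTime.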