[cifs-protocol] [REG:113101710870929] Where is account lockout and password expiry described in the docs?

Edgar Olougouna edgaro at microsoft.com
Tue Dec 3 15:18:39 MST 2013


For Kerberos, these are the references. For NTLM or pass-through, I will follow up once I have the details.

MS-KILE: Check Account Policy for Every TGT Request
http://msdn.microsoft.com/en-us/library/dn479803.aspx
MS-KILE: Check Account Policy for Every Session Ticket Request


-----Original Message-----
From: Edgar Olougouna 
Sent: Monday, November 04, 2013 4:44 PM
To: 'abartlet at samba.org'
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: RE: [REG:113101710870929] Where is account lockout and password expiry described in the docs?


This got transferred to me and I will be assisting you on this issue.
Let me review this and follow up.


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Thursday, October 24, 2013 5:53 PM
To: Sebastian Canevari
Cc: cifs-protocol at samba.org
Subject: Re: [cifs-protocol] Where is account lockout and password expiry described in the docs? 

On Fri, 2013-10-25 at 10:50 +1300, Andrew Bartlett wrote: 
> On Fri, 2013-10-25 at 09:26 +1300, Andrew Bartlett wrote: 
> > On Thu, 2013-10-24 at 20:16 +0000, Sebastian Canevari wrote: 
> > > Hi Andrew,
> > > 
> > > Do you need further assistance from my end? 
> > 
> > I do.  I was waiting on: 
> > 
> > > > As soon as I have answers or questions I'll let you know. 
> > > 
> > > Thanks.  Please also include the details for how this happens in
> > > Kerberos, not just for NTLM, as I strongly suspect the semantics have
> > > subtle differences, particularly in forwarding.

> > 
> > There is still no clear document explaining how this is handled for 
> > Kerberos, and nothing that clearly describes how a NetLogon SamLogon 
> > translates into a badPwdCount update.
> > 
> > I was waiting for those docs before proceeding, to avoid rework.  
> I'm also wanting clarification on the UF_LOCKOUT flag in 
> msDS-User-Account-Control-Computed and userAccountControl.
> It appears that msDS-User-Account-Control-Computed should be referred 
> to by SAMR, as the source of the lockout algorithm, but there is no 
> reference from MS-SAMR to this attribute.
> Indeed, it is unclear how UF_LOCKOUT and UF_PASSWORD_EXPIRED are to 
> behave, as (18) bans this bit, but in:
> userAccountControl
> 1. If the UF_LOCKOUT bit (section is set and the
> attribute is nonzero, the lockoutTime attribute MUST be updated to a 
> value of zero.
> This implies that it can be set in userAccountControl.  Also, the 
> sense here seems backwards: surely clearing the bit sets lockoutTime
> to zero? 
> Also it says: 
> 2. The following bits, if set, MUST be unset before committing the
> transaction: UF_LOCKOUT and
> This further confuses me as to whether these are computed or stored flags 
> (I'm assuming computed).
> This is the kind of level of detail I need in this area. 

Additionally, as I'll need to implement the ms-DS-User-Account-Control-Computed attribute, how do I implement

Because these are not included in MS-ADTS msDS-User-Account-Control-Computed 


Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org 
Samba Developer, Catalyst IT                   http://catalyst.net.nz 