[cifs-protocol] [REG:113101710870929] Where is account lockout and password expiry described in the docs?

Edgar Olougouna edgaro at microsoft.com
Thu Dec 5 11:50:11 MST 2013


Andrew,

For account policy check during logon, the NTLM server on the DC ultimately performs the processing of pass through authentication sent via Netlogon.
The NTLM server interacts with the SAM database on the DC and processes the user account control bits returned by the DC.
We plan to add some verbiage regarding the error codes for different bits, most likely in MS-APDS. 
For instance:
- USER_ACCOUNT_AUTO_LOCKED will result in STATUS_ACCOUNT_LOCKED_OUT. SAM computes the bit based on policy settings. 
For domain admins if DOMAIN_LOCKOUT_ADMINS is not set then domain admins are never locked out.
- USER_ACCOUNT_DISABLED will result in STATUS_ACCOUNT_DISABLED.
- USER_PASSWORD_EXPIRED will result in STATUS_PASSWORD_EXPIRED.
- If the logon is unsuccessful due to bad password then the badPwdCount is incremented.

MS-ADTS 
6.1.5.4 PDC Emulator FSMO Role
http://msdn.microsoft.com/en-us/library/cc223752.aspx

How Domain Controllers Verify Passwords
http://msdn.microsoft.com/en-us/library/cc780271%28v=ws.10%29.aspx

Thanks,
Edgar


-----Original Message-----
From: Edgar Olougouna 
Sent: Tuesday, December 3, 2013 4:19 PM
To: 'abartlet at samba.org'
Cc: 'cifs-protocol at samba.org'; MSSolve Case Email
Subject: RE: [REG:113101710870929] Where is account lockout and password expiry described in the docs?

Andrew,

For Kerberos, these are the references. For NTLM or pass-through, I will follow up once I have the details. 

MS-KILE
3.3.5.6.2 Check Account Policy for Every TGT Request http://msdn.microsoft.com/en-us/library/dn479803.aspx

3.3.5.7.1 Check Account Policy for Every Session Ticket Request http://msdn.microsoft.com/en-us/library/Cc233947.aspx

Thanks,
Edgar

-----Original Message-----
From: Edgar Olougouna
Sent: Monday, November 04, 2013 4:44 PM
To: 'abartlet at samba.org'
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: RE: [REG:113101710870929] Where is account lockout and password expiry described in the docs?

Andrew,

This got transferred to me and I will be assisting you on this issue.
Let me review this and follow up.

Thanks,
Edgar 

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Thursday, October 24, 2013 5:53 PM
To: Sebastian Canevari
Cc: cifs-protocol at samba.org
Subject: Re: [cifs-protocol] Where is account lockout and password expiry described in the docs? 

On Fri, 2013-10-25 at 10:50 +1300, Andrew Bartlett wrote: 
> On Fri, 2013-10-25 at 09:26 +1300, Andrew Bartlett wrote: 
> > On Thu, 2013-10-24 at 20:16 +0000, Sebastian Canevari wrote: 
> > > Hi Andrew,
> > > 
> > > Do you need further assistance from my end? 
> > 
> > I do.  I was waiting on: 
> > 
> > > > As soon as I have answers or questions I'll let you know. 
> > > 
> > > Thanks.  Please also include the details for how this happens in
> > > Kerberos, not just for NTLM, as I strongly suspect the semantics have subtle differences, particularly in forwarding. 

> > 
> > There is still no clear document explaining how this is handled for 
> > Kerberos, and nothing that clearly describes how a NetLogon SamLogon 
> > translates into a badPwdCount update.
> > 
> > I was waiting for those docs before proceeding, to avoid rework.  
> 
> I'm also wanting clarification on the UF_LOCKOUT flag in 
> msDS-User-Account-Control-Computed and userAccountControl
> 
> It appears that msDS-User-Account-Control-Computed should be referred 
> to by SAMR, as the source of the lockout algorithm, but there no 
> reference from MS-SAMR to this attribute.
> 
> Indeed, it is unclear how UF_LOCKOUT and UF_PASSWORD_EXPIRED is to 
> behave, as 3.1.1.6 (18) bans this bit, but in:
> 
> 3.1.1.8.10
> userAccountControl
> 1. If the UF_LOCKOUT bit (section 2.2.1.13) is set and the lockoutTime 
> attribute is nonzero, the lockoutTime attribute MUST be updated to a 
> value of zero.
> 
> This implies that it can be set in userAccountControl.  Also, the 
> sense here seems backwards, surely clearing the bit sets lockoutTime
> to zero? 
> 
> Also it says: 
> 
> 2. The following bits, if set, MUST be unset before committing the
> transaction: UF_LOCKOUT and
> UF_PASSWORD_EXPIRED. 
> 
> This further confuses me as to if these are computed or stored flags 
> (I'm assuming computed).
> 
> This is the kind of level of detail I need in this area. 

Additionally, as I'll need to implement the ms-DS-User-Account-Control-Computed attribute, how do I implement
0x4000000 UF_PARTIAL_SECRETS_ACCOUNT
0x8000000 UF_USE_AES_KEYS 

Because these are not included in MS-ADTS 3.1.1.4.5.17 msDS-User-Account-Control-Computed 

Thanks, 

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/ 
Authentication Developer, Samba Team           http://samba.org 
Samba Developer, Catalyst IT                   http://catalyst.net.nz 
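The bit-to-status mapping and the badPwdCount rule that Edgar gives at the top of this message, as an added example that is not part of the thread and is not Samba or Windows code: a small Python model of the pass-through SamLogon account-policy checks, with msDS-User-Account-Control-Computed derived from the stored attributes rather than stored (the UF_LOCKOUT and UF_PASSWORD_EXPIRED bits that MS-ADTS 3.1.1.8.10 says must never be committed). The UF_* and STATUS_* constants are the documented values; everything else is an assumption, not something the thread states: durations are kept in seconds instead of AD's negative 100-nanosecond intervals, the check order (disabled, locked out, wrong password, expired) is a guess at what the DC does, and the observation-window reset and the clearing of badPwdCount and lockoutTime on a successful logon are modelled after common AD behaviour rather than the cited sections.

```python
"""Toy model of DC-side account-policy checks during NTLM pass-through logon.

Added example for the cifs-protocol thread; not Samba or Windows code.
Constants are the documented values; policy layout, check order and the
counter-reset rules are assumptions (see comments)."""
from dataclasses import dataclass

# userAccountControl bits (MS-SAMR 2.2.1.13 / MS-ADTS 2.2.16), documented values.
UF_ACCOUNTDISABLE     = 0x00000002
UF_LOCKOUT            = 0x00000010   # computed only, never committed to userAccountControl
UF_DONT_EXPIRE_PASSWD = 0x00010000
UF_PASSWORD_EXPIRED   = 0x00800000   # computed only, as above

# NTSTATUS values (MS-ERREF), documented.
STATUS_SUCCESS            = 0x00000000
STATUS_WRONG_PASSWORD     = 0xC000006A
STATUS_PASSWORD_EXPIRED   = 0xC0000071
STATUS_ACCOUNT_DISABLED   = 0xC0000072
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234


@dataclass
class DomainPolicy:
    """Assumed representation: all durations in seconds, 0 means 'off'."""
    lockout_threshold: int = 5
    lockout_duration: int = 30 * 60
    lockout_observation_window: int = 30 * 60
    max_pwd_age: int = 42 * 86400
    lockout_admins: bool = False         # DOMAIN_LOCKOUT_ADMINS from Edgar's message


@dataclass
class Account:
    """Only the stored attributes; the two derived UAC bits are never stored."""
    user_account_control: int = 0
    bad_pwd_count: int = 0
    bad_password_time: int = 0
    lockout_time: int = 0                # 0 means not locked
    pwd_last_set: int = 0
    is_domain_admin: bool = False
    password: str = ""


def computed_uac(acct: Account, policy: DomainPolicy, now: int) -> int:
    """Model of msDS-User-Account-Control-Computed: stored bits plus UF_LOCKOUT
    and UF_PASSWORD_EXPIRED derived from lockoutTime / pwdLastSet and policy."""
    uac = acct.user_account_control & ~(UF_LOCKOUT | UF_PASSWORD_EXPIRED)
    # Assumption: a lockout silently expires once lockoutDuration has elapsed.
    if acct.lockout_time and now < acct.lockout_time + policy.lockout_duration:
        uac |= UF_LOCKOUT
    if not (uac & UF_DONT_EXPIRE_PASSWD) and policy.max_pwd_age:
        if now >= acct.pwd_last_set + policy.max_pwd_age:
            uac |= UF_PASSWORD_EXPIRED
    return uac


def sam_logon(acct: Account, policy: DomainPolicy, supplied: str, now: int) -> int:
    """Return the NTSTATUS for a pass-through logon and update the SAM counters.

    Mapping follows the message: AUTO_LOCKED -> STATUS_ACCOUNT_LOCKED_OUT,
    DISABLED -> STATUS_ACCOUNT_DISABLED, PASSWORD_EXPIRED -> STATUS_PASSWORD_EXPIRED,
    bad password -> badPwdCount incremented. The check order is an assumption."""
    uac = computed_uac(acct, policy, now)
    if uac & UF_ACCOUNTDISABLE:
        return STATUS_ACCOUNT_DISABLED
    if uac & UF_LOCKOUT:
        return STATUS_ACCOUNT_LOCKED_OUT
    if supplied != acct.password:
        # Assumption: failures older than the observation window no longer count.
        if now - acct.bad_password_time > policy.lockout_observation_window:
            acct.bad_pwd_count = 0
        acct.bad_pwd_count += 1
        acct.bad_password_time = now
        # Domain admins are exempt unless DOMAIN_LOCKOUT_ADMINS is set.
        exempt = acct.is_domain_admin and not policy.lockout_admins
        if (policy.lockout_threshold and not exempt
                and acct.bad_pwd_count >= policy.lockout_threshold):
            acct.lockout_time = now      # from here on SAM reports AUTO_LOCKED
        return STATUS_WRONG_PASSWORD
    if uac & UF_PASSWORD_EXPIRED:
        return STATUS_PASSWORD_EXPIRED
    # Assumption: a good logon clears the failure counter and any stale lockout.
    acct.bad_pwd_count = 0
    acct.lockout_time = 0
    return STATUS_SUCCESS


if __name__ == "__main__":
    pol = DomainPolicy(lockout_threshold=3)
    user = Account(password="s3cret", pwd_last_set=1000)
    for t in (1000, 1001, 1002):
        print(hex(sam_logon(user, pol, "wrong", t)), user.bad_pwd_count)
    print(hex(sam_logon(user, pol, "s3cret", 1003)))    # locked out
    print(hex(sam_logon(user, pol, "s3cret", 1002 + pol.lockout_duration)))
```

Running the block walks one user through three bad passwords, the resulting STATUS_ACCOUNT_LOCKED_OUT on a correct password, and the automatic unlock once lockoutDuration has passed; the same functions can be driven with a domain-admin account to see the DOMAIN_LOCKOUT_ADMINS exemption, and with a stale pwdLastSet to see UF_PASSWORD_EXPIRED appear in the computed attribute without ever touching the stored userAccountControl.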
