[cifs-protocol] 113120511001670] Has Password history check (N-2) gone away in 2012R2?

Andrew Bartlett abartlet at samba.org
Sun Dec 8 20:33:14 MST 2013


On Mon, 2013-12-09 at 03:25 +0000, Edgar Olougouna wrote:
> Andrew,
> The mentioned feature remains the same. I have confirmed with the product group that the behavior has not changed. 
> 
> We do not see any change of behavior to the group policy settings "Enforce Password History", "Allow log on locally" and the related.
> 
> Here are Windows to Windows configuration and repro steps for comparison and verification with your Samba's test case if needed.
> 
> Configuration
> 1)	Create a user ‘u1’ with initial password ‘FooBar1.’
> 2)	Configure account lockout
> a.	Threshold: 3 attempts
> b.	Duration: 30 mins
> c.	Lockout counter: 30 mins
> 3)	Configure “Allow log on locally” by adding ‘u1’ to the list
> 
> Repro steps
> 1)	Use net.exe to change u1’s password.
> a.	Net user u1 FooBar2.
> b.	Net user u1 FooBar3.
> At this point, u1’s password is FooBar3.
> 2)	Logon in the UI using ‘u1’ and providing an old password (FooBar1.)
> 3)	Logon four times.
> 4)	u1 does not get locked out.   Each login fails with incorrect password.
> 5)	Change u1’s password again: net user u1 FooBar4.
> 6)	Repeat steps 2-3 (again providing password FooBar1.).
> 7)	On the fourth time, logon fails with account locked out as expected.
> 
> Thanks,
> Edgar

Thanks.  I strongly suspect our issue comes from the fact that we set
the policy settings via SAMR, rather than via group policy, as we need
to set and un-set them in an automated fashion during the tests. 

I've run out of time to investigate further, sadly.  (I never imagined
how much complexity could be embedded in what looks at first glance like
just incrementing an integer!)

Thank you very much for your feedback.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
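
The repro steps quoted above can be replayed against a small model of the N-2 password history check. This is an added example, not part of the original thread and not Samba or Windows code: `Account`, `HISTORY_GRACE` and `replay_repro` are hypothetical names, passwords are compared in plaintext for readability, and the 30-minute lockout duration and counter window are not modelled.

```python
from dataclasses import dataclass, field

HISTORY_GRACE = 2  # N-2: the two passwords before the current one are tolerated


@dataclass
class Account:
    password: str
    threshold: int = 3  # lockout threshold from the repro configuration
    history: list = field(default_factory=list)  # old passwords, newest first
    bad_pwd_count: int = 0
    locked: bool = False

    def change_password(self, new_password):
        # Models "net user u1 <new>": the current password moves into history.
        # Any effect of a reset on bad_pwd_count is not modelled (assumption).
        self.history.insert(0, self.password)
        self.password = new_password

    def logon(self, attempt):
        if self.locked:
            return "LOCKED_OUT"
        if attempt == self.password:
            self.bad_pwd_count = 0
            return "OK"
        # N-2 check: a wrong password that matches one of the two most recent
        # history entries still fails, but does not count towards lockout.
        if attempt not in self.history[:HISTORY_GRACE]:
            self.bad_pwd_count += 1
            if self.bad_pwd_count >= self.threshold:
                self.locked = True
        return "WRONG_PASSWORD"


def replay_repro():
    """Replay the repro steps; return the results of both logon rounds."""
    u1 = Account("FooBar1.")
    u1.change_password("FooBar2.")
    u1.change_password("FooBar3.")
    # FooBar1. is N-2 here, so four failed logons leave the counter at 0.
    first_round = [u1.logon("FooBar1.") for _ in range(4)]
    u1.change_password("FooBar4.")
    # FooBar1. is now N-3: three failures reach the threshold, the fourth
    # attempt is rejected as locked out.
    second_round = [u1.logon("FooBar1.") for _ in range(4)]
    return first_round, second_round


if __name__ == "__main__":
    for label, results in zip(("steps 2-4", "steps 5-7"), replay_repro()):
        print(label, results)
```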





