[cifs-protocol] [REG:113103010905266] Behaviour of UF_LOCKOUT compared with UF_PASSWORD_EXPIRED

Andrew Bartlett abartlet at samba.org
Wed Nov 20 21:17:38 MST 2013

On Thu, 2013-11-21 at 04:12 +0000, Edgar Olougouna wrote:
> Andrew,
> Debugging NetrLogonSamLogonEx in a pass-through scenario between Windows with STATUS_ACCOUNT_LOCKED_OUT, I observed that both (account_locked_out, password_expired) bits are set in the routine that computes user account control bits. account_locked_out is set provided we are within lockout duration, otherwise the account and status will not be locked out.
> In my testing, LogonLevel = NetlogonNetworkTransitiveInformation (0n6) and ValidationLevel = NetlogonValidationSamInfo4 (0n6).
> Assuming this does not exhibit the behavior you experimented, I would need a debug a TTT trace taken from your repro environment. 
> Would you be able to have some spare cycles and collect repro traces in the near future so we can conclude on this?

Yes, I expect to do so soon.  The case where I saw this was not on
SamLogon, but directly over SAMR. 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz

More information about the cifs-protocol mailing list