[cifs-protocol] [REG:113103010905266] Behaviour of UF_LOCKOUT compared with UF_PASSWORD_EXPIRED
abartlet at samba.org
Sun Nov 24 20:59:30 MST 2013
On Thu, 2013-11-21 at 04:12 +0000, Edgar Olougouna wrote:
> Debugging NetrLogonSamLogonEx in a pass-through scenario between Windows with STATUS_ACCOUNT_LOCKED_OUT, I observed that both (account_locked_out, password_expired) bits are set in the routine that computes user account control bits. account_locked_out is set provided we are within lockout duration, otherwise the account and status will not be locked out.
> In my testing, LogonLevel = NetlogonNetworkTransitiveInformation (0n6) and ValidationLevel = NetlogonValidationSamInfo4 (0n6).
> Assuming this does not exhibit the behavior you experimented, I would need to debug a TTT trace taken from your repro environment.
> Would you be able to have some spare cycles and collect repro traces in the near future so we can conclude on this?
While trying to demonstrate this and set up the TTT trace my colleague
Garming and I have worked this one out. We can still get you traces if
you want, but the situation is clearly that:
- the ACB_AUTOLOCK bit is computed at the time of the OpenUser, not the
- therefore my automated tests showed it wasn't set
- manual tests showed it was, because in manual tests the user is
opened 'fresh' after the lockout is applied!
We confirmed this by changing our tests to re-open the user directly
before the query, and the 'bug' went away!
We have got the environment set up to run the TTT if you like, but we
are happy to write this one down as 'odd', and fix up our tests to
re-open the user.
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba