[cifs-protocol] [REG:113101710870929] Where is account lockout and password expiry described in the docs?

Edgar Olougouna edgaro at microsoft.com
Thu Oct 17 09:11:49 MDT 2013

[case number in subject]
[casemail to cc]
[dochelp to bcc]

The case number 113101710870929 has been created for this inquiry. One of our team members will follow-up soon.


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Wednesday, October 16, 2013 11:40 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: Where is account lockout and password expiry described in the docs?

I've been looking for the formal documentation for account lockout and expiry handling.  There are no references that I can find in 

The only reference in MS-ADTS is in PDC Emulator FSMO Role, which gives the clue that we need to forward all bad passwords to the PDC.  But that leaves a lot of questions, like what to do (what error to
give) if the PDC is offline. 

The only reference in MS-SAMR is to actual enforcement is in . Account Lockout Enforcement and Reset, but this is for password change. 

There is also MS-SAMR SamValidateAuthentication but nothing I could find indicates how this fits in to the broader picture. 

MS-NRPC refers to this as passthough authentication, and MS-NLMP does not describe expiry or lockout at all.

Where can I find a clear description of how to implement account lockout (for bad passwords) and expiry?


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz

More information about the cifs-protocol mailing list