[cifs-protocol] Where is account lockout and password expiry described in the docs?

Andrew Bartlett abartlet at samba.org
Thu Oct 24 15:50:50 MDT 2013

On Fri, 2013-10-25 at 09:26 +1300, Andrew Bartlett wrote:
> On Thu, 2013-10-24 at 20:16 +0000, Sebastian Canevari wrote:
> > Hi Andrew,
> > 
> > Do you need further assistance from my end?
> I do.  I was waiting on:
> > > As soon as I have answers or questions I'll let you know.
> > 
> > Thanks.  Please also include the details for how this happens in Kerberos, not just for NTLM, as I strongly suspect the semantics have subtle differences, particularly in forwarding. 
> There is still no clear document explaining how this is handled for
> Kerberos, and nothing that clearly describes how a NetLogon SamLogon
> translates into a badPwdCount update. 
> I was waiting for those docs before proceeding, to avoid rework.  

I'm also wanting clarification on the UF_LOCKOUT flag in
msDS-User-Account-Control-Computed and userAccountControl

It appears that msDS-User-Account-Control-Computed should be referred to
by SAMR, as the source of the lockout algorithm, but there no reference
from MS-SAMR to this attribute. 

Indeed, it is unclear how UF_LOCKOUT and UF_PASSWORD_EXPIRED is to
behave, as (18) bans this bit, but in:
1. If the UF_LOCKOUT bit (section is set and the lockoutTime
attribute is nonzero, the
lockoutTime attribute MUST be updated to a value of zero.

This implies that it can be set in userAccountControl.  Also, the sense
here seems backwards, surely clearing the bit sets lockoutTime to zero?

Also it says:

2. The following bits, if set, MUST be unset before committing the
transaction: UF_LOCKOUT and

This further confuses me as to if these are computed or stored flags
(I'm assuming computed). 

This is the kind of level of detail I need in this area.

Please clarify,


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz

More information about the cifs-protocol mailing list