[cifs-protocol] Where is account lockout and password expiry described in the docs?
abartlet at samba.org
Thu Oct 24 16:53:02 MDT 2013
On Fri, 2013-10-25 at 10:50 +1300, Andrew Bartlett wrote:
> On Fri, 2013-10-25 at 09:26 +1300, Andrew Bartlett wrote:
> > On Thu, 2013-10-24 at 20:16 +0000, Sebastian Canevari wrote:
> > > Hi Andrew,
> > >
> > > Do you need further assistance from my end?
> > I do. I was waiting on:
> > > > As soon as I have answers or questions I'll let you know.
> > >
> > > Thanks. Please also include the details for how this happens in Kerberos, not just for NTLM, as I strongly suspect the semantics have subtle differences, particularly in forwarding.
> > There is still no clear document explaining how this is handled for
> > Kerberos, and nothing that clearly describes how a NetLogon SamLogon
> > translates into a badPwdCount update.
> > I was waiting for those docs before proceeding, to avoid rework.
> I'm also wanting clarification on the UF_LOCKOUT flag in
> msDS-User-Account-Control-Computed and userAccountControl
> It appears that msDS-User-Account-Control-Computed should be referred to
> by SAMR, as the source of the lockout algorithm, but there no reference
> from MS-SAMR to this attribute.
> Indeed, it is unclear how UF_LOCKOUT and UF_PASSWORD_EXPIRED is to
> behave, as 22.214.171.124 (18) bans this bit, but in:
> 1. If the UF_LOCKOUT bit (section 126.96.36.199) is set and the lockoutTime
> attribute is nonzero, the
> lockoutTime attribute MUST be updated to a value of zero.
> This implies that it can be set in userAccountControl. Also, the sense
> here seems backwards, surely clearing the bit sets lockoutTime to zero?
> Also it says:
> 2. The following bits, if set, MUST be unset before committing the
> transaction: UF_LOCKOUT and
> This further confuses me as to if these are computed or stored flags
> (I'm assuming computed).
> This is the kind of level of detail I need in this area.
Additionally, as I'll need to implement the
ms-DS-User-Account-Control-Computed attribute, how do I implement
Because these are not included in MS-ADTS 188.8.131.52.5.17
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
More information about the cifs-protocol