[cifs-protocol] Behaviour of UF_LOCKOUT compared with UF_PASSWORD_EXPIRED

[Andrew Bartlett]

(BTW, I think my other thread got lost, so I'm starting back from
scratch here)

In 'MS-SAMR 3.1.5.14.11 User Field to Attribute Name Mapping' it says:

*On read of UserAccountControl, the database attribute value MUST be:
1. Augmented with the UF_LOCKOUT bit if the lockoutTime attribute value
on the target object is
nonzero and if its value plus the Effective-LockoutDuration attribute
value (section 3.1.1.5) is
less than the current time.
2. Augmented with the UF_PASSWORD_EXPIRED if PasswordMustChange is less
than the current
time.

However, testing (smbtorture's rpc.samr.passwords.lockout test shows
that) only the UF_PASSWORD_EXPIRED bit shows via SAMR, the UF_LOCKOUT
does not.  That is, we get a STATUS_ACCOUNT_LOCKED_OUT without this flag
being returned. 

In '3.1.5.14.6 Account Lockout State Maintenance' different rules appear
to apply compared to MS-ADTS '3.1.1.4.5.17
msDS-User-Account-Control-Computed'

The answers on these things matter to me, because I was trying to build
the SAMR behaviour on the msDS-User-Account-Control-Computed
behaviour.  The MS-ADTS docs have regard for the account type, for
example. 


Can you look into this, and assist me in understanding what rules are
actually applied, and if these two calculations are deliberately out of
sync?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz