[cifs-protocol] Behaviour of UF_LOCKOUT compared with UF_PASSWORD_EXPIRED

Andrew Bartlett abartlet at samba.org
Tue Oct 29 18:39:47 MDT 2013

(BTW, I think my other thread got lost, so I'm starting back from
scratch here)

In 'MS-SAMR User Field to Attribute Name Mapping' it says:

*On read of UserAccountControl, the database attribute value MUST be:
1. Augmented with the UF_LOCKOUT bit if the lockoutTime attribute value
on the target object is
nonzero and if its value plus the Effective-LockoutDuration attribute
value (section is
less than the current time.
2. Augmented with the UF_PASSWORD_EXPIRED if PasswordMustChange is less
than the current

However, testing (smbtorture's rpc.samr.passwords.lockout test shows
that) only the UF_PASSWORD_EXPIRED bit shows via SAMR, the UF_LOCKOUT
does not.  That is, we get a STATUS_ACCOUNT_LOCKED_OUT without this flag
being returned. 

In ' Account Lockout State Maintenance' different rules appear
to apply compared to MS-ADTS '

The answers on these things matter to me, because I was trying to build
the SAMR behaviour on the msDS-User-Account-Control-Computed
behaviour.  The MS-ADTS docs have regard for the account type, for

Can you look into this, and assist me in understanding what rules are
actually applied, and if these two calculations are deliberately out of


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz

More information about the cifs-protocol mailing list