[cifs-protocol] Where is account lockout and password expiry described in the docs?
Sebastian Canevari
Sebastian.Canevari at microsoft.com
Wed Oct 30 15:00:48 MDT 2013
Hi Andrew,
I am still working on these questions.
I'll let you know as soon as I have news or follow ups.
Thanks!
Sebastian Canevari | Escalation Engineer | US-CSS Developer Support Core (DSC) Protocol Team
P +1 469 775 7849
One Microsoft Way, 98052, Redmond, WA, USA http://support.microsoft.com
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Wednesday, October 30, 2013 3:44 PM
To: Sebastian Canevari
Cc: cifs-protocol at samba.org; Interoperability Documentation Help
Subject: Re: [cifs-protocol] Where is account lockout and password expiry described in the docs?
On Fri, 2013-10-25 at 11:53 +1300, Andrew Bartlett wrote:
> On Fri, 2013-10-25 at 10:50 +1300, Andrew Bartlett wrote:
> > On Fri, 2013-10-25 at 09:26 +1300, Andrew Bartlett wrote:
> > > On Thu, 2013-10-24 at 20:16 +0000, Sebastian Canevari wrote:
> > > > Hi Andrew,
> > > >
> > > > Do you need further assistance from my end?
> > >
> > > I do. I was waiting on:
> > >
> > > > > As soon as I have answers or questions I'll let you know.
> > > >
> > > > Thanks. Please also include the details for how this happens in Kerberos, not just for NTLM, as I strongly suspect the semantics have subtle differences, particularly in forwarding.
> > >
> > > There is still no clear document explaining how this is handled
> > > for Kerberos, and nothing that clearly describes how a NetLogon
> > > SamLogon translates into a badPwdCount update.
> > >
> > > I was waiting for those docs before proceeding, to avoid rework.
> >
> > I'm also wanting clarification on the UF_LOCKOUT flag in
> > msDS-User-Account-Control-Computed and userAccountControl
> >
> > It appears that msDS-User-Account-Control-Computed should be
> > referred to by SAMR, as the source of the lockout algorithm, but
> > there no reference from MS-SAMR to this attribute.
> >
> > Indeed, it is unclear how UF_LOCKOUT and UF_PASSWORD_EXPIRED is to
> > behave, as 3.1.1.6 (18) bans this bit, but in:
> >
> > 3.1.1.8.10
> > userAccountControl
> > 1. If the UF_LOCKOUT bit (section 2.2.1.13) is set and the
> > lockoutTime attribute is nonzero, the lockoutTime attribute MUST be
> > updated to a value of zero.
> >
> > This implies that it can be set in userAccountControl. Also, the
> > sense here seems backwards, surely clearing the bit sets lockoutTime to zero?
> >
> > Also it says:
> >
> > 2. The following bits, if set, MUST be unset before committing the
> > transaction: UF_LOCKOUT and
> > UF_PASSWORD_EXPIRED.
> >
> > This further confuses me as to if these are computed or stored flags
> > (I'm assuming computed).
> >
> > This is the kind of level of detail I need in this area.
>
> Additionally, as I'll need to implement the
> ms-DS-User-Account-Control-Computed attribute, how do I implement
> 0x4000000
> UF_PARTIAL_SECRETS_ACCOUNT
> 0x8000000
> UF_USE_AES_KEYS
>
> Because these are not included in MS-ADTS 3.1.1.4.5.17
> msDS-User-Account-Control-Computed
Any update on these questions?
Thanks,
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
More information about the cifs-protocol
mailing list