[cifs-protocol] [REG:113103010905266] Behaviour of UF_LOCKOUT compared with UF_PASSWORD_EXPIRED

Edgar Olougouna edgaro at microsoft.com
Thu Oct 31 20:08:57 MDT 2013


Andrew,
Can you provide the network captures as well as TTT traces of lsass.exe?
What are the exact scenarios in your test cases where you observed STATUS_ACCOUNT_LOCKED_OUT whereby the UF_LOCKOUT flag is not set but UF_PASSWORD_EXPIRED is set?
Did the password expire first before you receive the error, or was the account locked before the password expired?
What are the SAMR methods being called? 
Did you test LDAP as well?

I will be sending you the file transfer link in a separate email.  

Thanks,
Edgar

-----Original Message-----
From: Edgar Olougouna 
Sent: Wednesday, October 30, 2013 9:54 AM
To: Andrew Bartlett
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: [REG:113103010905266] Behaviour of UF_LOCKOUT compared with UF_PASSWORD_EXPIRED

[case number in subject]
[casemail to cc]

Andrew,
I will investigate this and follow-up.

Thanks,
Edgar


-----Original Message-----
From: Mark Miller (MOD) 
Sent: Wednesday, October 30, 2013 8:14 AM
To: Andrew Bartlett
Cc: cifs-protocol at samba.org
Subject: RE: Behaviour of UF_LOCKOUT compared with UF_PASSWORD_EXPIRED

Hi Andrew,

Thank you for contacting us.  A colleague will follow up with you to investigate this issue.

Regards,
Mark Miller | Escalation Engineer | Open Specifications Support Team

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, October 29, 2013 8:40 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: Behaviour of UF_LOCKOUT compared with UF_PASSWORD_EXPIRED

(BTW, I think my other thread got lost, so I'm starting back from scratch here)

In 'MS-SAMR 3.1.5.14.11 User Field to Attribute Name Mapping' it says:

*On read of UserAccountControl, the database attribute value MUST be:
1. Augmented with the UF_LOCKOUT bit if the lockoutTime attribute value on the target object is nonzero and if its value plus the Effective-LockoutDuration attribute value (section 3.1.1.5) is less than the current time.
2. Augmented with the UF_PASSWORD_EXPIRED if PasswordMustChange is less than the current time.

However, testing (smbtorture's rpc.samr.passwords.lockout test) shows that only the UF_PASSWORD_EXPIRED bit shows via SAMR; the UF_LOCKOUT bit does not.  That is, we get a STATUS_ACCOUNT_LOCKED_OUT without this flag being returned.

In '3.1.5.14.6 Account Lockout State Maintenance' different rules appear to apply compared to MS-ADTS '3.1.1.4.5.17 msDS-User-Account-Control-Computed'.

The answers on these things matter to me, because I was trying to build the SAMR behaviour on the msDS-User-Account-Control-Computed behaviour.  The MS-ADTS docs have regard for the account type, for example.


Can you look into this, and assist me in understanding what rules are actually applied, and if these two calculations are deliberately out of sync?

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz
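The two read-time augmentations quoted from MS-SAMR above, plus the consistency check the thread questions, as an added Python example (not code from the thread, from Samba or from the Microsoft documents). The UF_* and STATUS_* constants are the standard Windows values; the sign convention for the lockout duration is an assumption stated in the docstring.

```python
from datetime import datetime, timedelta, timezone

# Added example, not from the thread, Samba or MS-SAMR: the two read-time augmentations
# of UserAccountControl quoted above, and the STATUS_ACCOUNT_LOCKED_OUT vs UF_LOCKOUT check.
UF_LOCKOUT = 0x00000010
UF_PASSWORD_EXPIRED = 0x00800000
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234
STATUS_PASSWORD_EXPIRED = 0xC0000071
FILETIME_EPOCH_DELTA = 116444736000000000  # 100 ns ticks, 1601-01-01 to 1970-01-01

def to_filetime(dt):
    """UTC datetime -> FILETIME ticks (100 ns since 1601-01-01), as AD stores times."""
    return int(dt.timestamp()) * 10_000_000 + FILETIME_EPOCH_DELTA

def read_user_account_control(stored_uac, lockout_time, lockout_duration,
                              password_must_change, now):
    """Value a SAMR reader should see for UserAccountControl (all times in FILETIME ticks).

    lockout_duration is the lockout window as a positive tick count; assumption: the
    caller has negated the negative lockoutDuration interval stored on the domain
    object to obtain MS-SAMR's Effective-LockoutDuration. The account is treated as
    locked while that window has not elapsed (the reading assumed here; the excerpt
    quoted above words the comparison the other way round).
    """
    uac = stored_uac
    if lockout_time != 0 and lockout_time + lockout_duration > now:
        uac |= UF_LOCKOUT
    if password_must_change < now:
        uac |= UF_PASSWORD_EXPIRED
    return uac

def status_matches_flags(status, uac):
    """A logon refused with STATUS_ACCOUNT_LOCKED_OUT should read back with UF_LOCKOUT
    set, and one refused with STATUS_PASSWORD_EXPIRED with UF_PASSWORD_EXPIRED set.
    Returning False for a locked-out status is the mismatch reported in the thread."""
    if status == STATUS_ACCOUNT_LOCKED_OUT:
        return bool(uac & UF_LOCKOUT)
    if status == STATUS_PASSWORD_EXPIRED:
        return bool(uac & UF_PASSWORD_EXPIRED)
    return True

if __name__ == "__main__":
    # Constructed scenario: 30-minute lockout window, locked 10 minutes ago,
    # password expired a day ago, stored UAC = UF_NORMAL_ACCOUNT (0x200).
    now = datetime(2013, 10, 29, 20, 40, tzinfo=timezone.utc)
    uac = read_user_account_control(
        0x200, to_filetime(now - timedelta(minutes=10)), 30 * 60 * 10_000_000,
        to_filetime(now - timedelta(days=1)), to_filetime(now))
    print(hex(uac), status_matches_flags(STATUS_ACCOUNT_LOCKED_OUT, uac))
```

Run stand-alone it prints `0x800210 True`; given the behaviour reported in the thread, monitoring that polls SAMR for locked accounts should key on a nonzero lockoutTime rather than on the UF_LOCKOUT bit alone.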
