[cifs-protocol] [REG:117052515795477]: Q3 of 4: Does a BadPwdCount reset also reset some UF flags or other attributes?

Bryan Burgin bburgin at microsoft.com
Thu May 25 02:11:14 UTC 2017


[dochelp on bcc]
[+casemail]

Andrew,

Today we create four cases per your request.  This thread concerns issue Q3 of 4:

Case 3: Does a BadPwdCount reset also reset some UF flags or other attributes?
BadPwdCount is local. When it's reset, does it trigger a reset of some other replicable flags or attributes so that the user is not locked out elsewhere?

An engineer will contact you about each of these issues on separate threads soon.

The other cases, to pull all the threads together, are specified below.

Bryan


Q1: 117052515795450: WDigest package of supplementalCredentials attribute
Q2: 117052515795463: Which change password is proxied from RODC to PDC?
Q3: 117052515795477: Does a BadPwdCount reset also reset some UF flags or other attributes?
Q4: 117052515795488: Client behavior guidance of DRS_GET_TGT flag in GetNCChanges



Case 1: WDigest package of supplementalCredentials attribute
Documentation of pre-computation hash in WDigest property is wrong.
Construction is inverted. Needs to fix the document.
[MS-SAMR]
3.1.1.8.11.3 Primary:WDigest Property
https://msdn.microsoft.com/en-us/library/cc245679.aspx
3.1.1.8.11.3.1 WDIGEST_CREDENTIALS Construction
https://msdn.microsoft.com/en-us/library/cc245680.aspx

Case 2: Which change password is proxied from RODC to PDC?
Is it expected that RODC should be able to proxy Kerberos change password to the RWDC?
Currently, Samba does proxy authentication, realm trust requests, but are not proxing any password change.

Case 3: Does a BadPwdCount reset also reset some UF flags or other attributes?
BadPwdCount is local. When it's reset, does it trigger a reset of some other replicable flags or attributes so that the user is not locked out elsewhere?

Case 4: Client behavior guidance of DRS_GET_TGT flag in GetNCChanges
The request is to provide clarity so that the server side can implement  DRS_GET_TGT poperly.
DRS_GET_TGT flag syncing particular link values.
Needs tag object clarification, when linked object is deleted, or not present, etc.
[MS-DRSR]
4.1.10 IDL_DRSGetNCChanges (Opnum 3)
https://msdn.microsoft.com/en-us/library/dd207691.aspx
4.1.10.5 Server Behavior of the IDL_DRSGetNCChanges Method
https://msdn.microsoft.com/en-us/library/dd207741.aspx
4.1.10.6 Client Behavior When Receiving the IDL_DRSGetNCChanges
https://msdn.microsoft.com/en-us/library/dd207757.aspx

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20170525/beea0e63/attachment.html>


More information about the cifs-protocol mailing list