[cifs-protocol] [REG:117052515795477]: Q3 of 4: Does a BadPwdCount reset also reset some UF flags or other attributes?

Nathan Manis nmanis at microsoft.com
Tue May 30 17:17:51 UTC 2017


Hi Andrew,

Writing for additional feedback to help.  The processing of ResetBadPwdCount implementation in Windows just resets BadPwdCount.  Here is the message:
https://msdn.microsoft.com/en-us/library/dd357623.aspx


Source code review confirmed this today as well.  The call just resets BadPwdCount to 0.


Thanks,
Nathan


From: Nathan Manis
Sent: Tuesday, May 30, 2017 11:57 AM
To: abartlet at samba.org; cifs-protocol at lists.samba.org; garming at catalyst.net.nz
Cc: MSSolve Case Email <casemail at microsoft.com>
Subject: RE: [REG:117052515795477]: Q3 of 4: Does a BadPwdCount reset also reset some UF flags or other attributes?

Hi Andrew,

Thank you for contacting Microsoft Open Protocols support.  For the inquiry regarding BadPwdCount.

This is correct that the attribute is not replicated and is local.  What we can state on the specifics is documented here:

https://msdn.microsoft.com/en-us/library/ms675244%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

Remarks
This attribute is not replicated and is maintained separately on each domain controller in the domain.
This attribute is reset on a specific domain controller when the user successfully logs onto that domain controller.


Thanks,
Nathan



From: Bryan Burgin
Sent: Wednesday, May 24, 2017 10:11 PM
To: abartlet at samba.org; cifs-protocol at lists.samba.org; garming at catalyst.net.nz
Cc: MSSolve Case Email <casemail at microsoft.com>
Subject: [REG:117052515795477]: Q3 of 4: Does a BadPwdCount reset also reset some UF flags or other attributes?

[dochelp on bcc]
[+casemail]

Andrew,

Today we created four cases per your request.  This thread concerns issue Q3 of 4:

Case 3: Does a BadPwdCount reset also reset some UF flags or other attributes?
BadPwdCount is local. When it's reset, does it trigger a reset of some other replicable flags or attributes so that the user is not locked out elsewhere?

An engineer will contact you about each of these issues on separate threads soon.

The other cases, to pull all the threads together, are specified below.

Bryan


Q1: 117052515795450: WDigest package of supplementalCredentials attribute
Q2: 117052515795463: Which change password is proxied from RODC to PDC?
Q3: 117052515795477: Does a BadPwdCount reset also reset some UF flags or other attributes?
Q4: 117052515795488: Client behavior guidance of DRS_GET_TGT flag in GetNCChanges



Case 1: WDigest package of supplementalCredentials attribute
Documentation of pre-computation hash in WDigest property is wrong.
Construction is inverted. Needs to fix the document.
[MS-SAMR]
3.1.1.8.11.3 Primary:WDigest Property
https://msdn.microsoft.com/en-us/library/cc245679.aspx
3.1.1.8.11.3.1 WDIGEST_CREDENTIALS Construction
https://msdn.microsoft.com/en-us/library/cc245680.aspx

Case 2: Which change password is proxied from RODC to PDC?
Is it expected that RODC should be able to proxy Kerberos change password to the RWDC?
Currently, Samba does proxy authentication, realm trust requests, but is not proxying any password change.

Case 3: Does a BadPwdCount reset also reset some UF flags or other attributes?
BadPwdCount is local. When it's reset, does it trigger a reset of some other replicable flags or attributes so that the user is not locked out elsewhere?

Case 4: Client behavior guidance of DRS_GET_TGT flag in GetNCChanges
The request is to provide clarity so that the server side can implement DRS_GET_TGT properly.
DRS_GET_TGT flag syncing particular link values.
Needs tag object clarification, when linked object is deleted, or not present, etc.
[MS-DRSR]
4.1.10 IDL_DRSGetNCChanges (Opnum 3)
https://msdn.microsoft.com/en-us/library/dd207691.aspx
4.1.10.5 Server Behavior of the IDL_DRSGetNCChanges Method
https://msdn.microsoft.com/en-us/library/dd207741.aspx
4.1.10.6 Client Behavior When Receiving the IDL_DRSGetNCChanges
https://msdn.microsoft.com/en-us/library/dd207757.aspx
