[cifs-protocol] [REG:117052515795477]: Q3 of 4: Does a BadPwdCount reset also reset some UF flags or other attributes?

Garming Sam garming at catalyst.net.nz
Tue May 30 23:04:38 UTC 2017


Thank you for your confirmation. It implies that RODCs can never undo a
domain-wide lockout, requiring an additional login on a read-write DC to
do so. This is probably more secure in general, but possibly not
intentional. Anyways, that's all the info I needed.


Cheers,

Garming


On 31/05/17 05:17, Nathan Manis wrote:
>
> Hi Andrew,
>
> Writing for additional feedback to help.  The processing of
> ResetBadPwdCount implementation in Windows just resets BadPwdCount.
> Here is the message:
>
> https://msdn.microsoft.com/en-us/library/dd357623.aspx
>
> Source code review confirmed this today as well.  The call just resets
> BadPwdCount to 0.
>
> Thanks,
>
> Nathan
>
> *From:* Nathan Manis
> *Sent:* Tuesday, May 30, 2017 11:57 AM
> *To:* abartlet at samba.org; cifs-protocol at lists.samba.org;
> garming at catalyst.net.nz
> *Cc:* MSSolve Case Email <casemail at microsoft.com>
> *Subject:* RE: [REG:117052515795477]: Q3 of 4: Does a BadPwdCount
> reset also reset some UF flags or other attributes?
>
> Hi Andrew,
>
> Thank you for contacting Microsoft Open Protocols support.  For the
> inquiry regarding BadPwdCount.
>
> This is correct that the attribute is not replicated and is local.
> What we can state on the specifics is documented here:
>
> https://msdn.microsoft.com/en-us/library/ms675244%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
>
> *Remarks*
>
> This attribute is not replicated and is maintained separately on each
> domain controller in the domain.
>
> This attribute is reset on a specific domain controller when the user
> successfully logs onto that domain controller.
>
> Thanks,
>
> Nathan
>
> *From:* Bryan Burgin
> *Sent:* Wednesday, May 24, 2017 10:11 PM
> *To:* abartlet at samba.org <mailto:abartlet at samba.org>;
> cifs-protocol at lists.samba.org <mailto:cifs-protocol at lists.samba.org>;
> garming at catalyst.net.nz <mailto:garming at catalyst.net.nz>
> *Cc:* MSSolve Case Email <casemail at microsoft.com
> <mailto:casemail at microsoft.com>>
> *Subject:* [REG:117052515795477]: Q3 of 4: Does a BadPwdCount reset
> also reset some UF flags or other attributes?
>
> [dochelp on bcc]
>
> [+casemail]
>
> Andrew,
>
> Today we created four cases per your request.  This thread concerns
> issue Q3 of 4:
>
> Case 3: Does a BadPwdCount reset also reset some UF flags or other
> attributes?
>
> BadPwdCount is local. When it's reset, does it trigger a reset of some
> other replicable flags or attributes so that the user is not locked
> out elsewhere?
>
> An engineer will contact you about each of these issues on separate
> threads soon.
>
> The other cases, to pull all the threads together, are specified below.
>
> Bryan
>
> Q1: 117052515795450: WDigest package of supplementalCredentials attribute
>
> Q2: 117052515795463: Which change password is proxied from RODC to PDC?
>
> Q3: 117052515795477: Does a BadPwdCount reset also reset some UF flags
> or other attributes?
>
> Q4: 117052515795488: Client behavior guidance of DRS_GET_TGT flag in
> GetNCChanges
>
> Case 1: WDigest package of supplementalCredentials attribute
>
> Documentation of pre-computation hash in WDigest property is wrong.
>
> Construction is inverted. Needs to fix the document.
>
> [MS-SAMR]
>
> 3.1.1.8.11.3 Primary:WDigest Property
>
> https://msdn.microsoft.com/en-us/library/cc245679.aspx
>
> 3.1.1.8.11.3.1 WDIGEST_CREDENTIALS Construction
>
> https://msdn.microsoft.com/en-us/library/cc245680.aspx
>
> Case 2: Which change password is proxied from RODC to PDC?
>
> Is it expected that RODC should be able to proxy Kerberos change
> password to the RWDC?
>
> Currently, Samba does proxy authentication and realm trust requests, but
> is not proxying any password change.
>
> Case 3: Does a BadPwdCount reset also reset some UF flags or other
> attributes?
>
> BadPwdCount is local. When it's reset, does it trigger a reset of some
> other replicable flags or attributes so that the user is not locked
> out elsewhere?
>
> Case 4: Client behavior guidance of DRS_GET_TGT flag in GetNCChanges
>
> The request is to provide clarity so that the server side can
> implement DRS_GET_TGT properly.
>
> DRS_GET_TGT flag syncing particular link values.
>
> Needs tag object clarification, when linked object is deleted, or not
> present, etc.
>
> [MS-DRSR]
>
> 4.1.10 IDL_DRSGetNCChanges (Opnum 3)
>
> https://msdn.microsoft.com/en-us/library/dd207691.aspx
>
> 4.1.10.5 Server Behavior of the IDL_DRSGetNCChanges Method
>
> https://msdn.microsoft.com/en-us/library/dd207741.aspx
>
> 4.1.10.6 Client Behavior When Receiving the IDL_DRSGetNCChanges
>
> https://msdn.microsoft.com/en-us/library/dd207757.aspx
>

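An added, runnable check that is not part of this thread and not Samba's or Microsoft's code: because badPwdCount is maintained separately on each domain controller and only reset by a successful logon to that specific DC (per the MSDN remarks quoted above), a single LDAP query shows only one DC's view of the counter. The PowerShell below asks every DC in the domain, writable and read-only, for its local badPwdCount, badPasswordTime and lastLogon alongside lockoutTime. It assumes the RSAT ActiveDirectory module, LDAP reachability to every DC, and a domain account permitted to read user attributes; the parameter names and the ConvertFrom-FileTime helper are this example's own.

```powershell
# Added example, not from the mailing-list thread or from Samba/Microsoft.
# Assumes: RSAT ActiveDirectory module, LDAP reachability to every DC,
# and a domain account allowed to read user attributes. Parameter names are ours.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [string]$Domain = $null
)

Import-Module ActiveDirectory -ErrorAction Stop
if (-not $Domain) { $Domain = (Get-ADDomain).DNSRoot }

# Convert an AD FILETIME (Int64) to UTC; 0/absent means "never" or "not locked".
function ConvertFrom-FileTime([Int64]$Value) {
    if ($Value -gt 0) { [DateTime]::FromFileTimeUtc($Value) } else { $null }
}

# badPwdCount is not replicated, so every DC (writable and read-only) must be asked.
$dcs = Get-ADDomainController -Filter * -Server $Domain

$rows = foreach ($dc in $dcs) {
    try {
        # -Server pins the query to this DC so we read its local, non-replicated copy.
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties badPwdCount, badPasswordTime, lockoutTime, lastLogon
        [pscustomobject]@{
            DC              = $dc.HostName
            ReadOnly        = $dc.IsReadOnly
            badPwdCount     = [int]$u.badPwdCount
            badPasswordTime = ConvertFrom-FileTime ([Int64]$u.badPasswordTime)
            lastLogon       = ConvertFrom-FileTime ([Int64]$u.lastLogon)
            lockoutTime     = ConvertFrom-FileTime ([Int64]$u.lockoutTime)
            Error           = $null
        }
    } catch {
        # An unreachable DC (often a branch RODC) still gets a row so the gap is visible.
        [pscustomobject]@{
            DC = $dc.HostName; ReadOnly = $dc.IsReadOnly
            badPwdCount = $null; badPasswordTime = $null; lastLogon = $null; lockoutTime = $null
            Error = $_.Exception.Message
        }
    }
}

$rows | Sort-Object ReadOnly, DC | Format-Table -AutoSize

# Summary: which DCs still hold a non-zero local count after a "reset" elsewhere.
$nonZero = $rows | Where-Object { $_.badPwdCount -gt 0 }
if ($nonZero) {
    "badPwdCount is non-zero on: " + (($nonZero | ForEach-Object { $_.DC }) -join ', ')
} else {
    "badPwdCount is 0 on every reachable DC."
}
```

Run it as `.\Get-BadPwdCountPerDc.ps1 -SamAccountName alice` (file name is ours). The lastLogon column, also a non-replicated attribute, lets you pair each DC's zero or non-zero count with whether that DC has actually seen a successful logon, which is the only event the MSDN text says resets it. lockoutTime is included because, unlike badPwdCount, it is a replicated attribute and therefore reflects the domain-wide lockout state Garming refers to; clearing it is a write, e.g. `Unlock-ADAccount -Identity alice -Server <writable DC>`, which is why a read-only DC cannot do it on its own.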

