(BTW, I think my other thread got lost, so I'm starting back from scratch here)
In 'MS-SAMR 3.1.5.14.11 User Field to Attribute Name Mapping' it says:

*On read of UserAccountControl, the database attribute value MUST be:*

*1. Augmented with the UF_LOCKOUT bit if the lockoutTime attribute value on the target object is nonzero and if its value plus the Effective-LockoutDuration attribute value (section 3.1.1.5) is less than the current time.*

*2. Augmented with the UF_PASSWORD_EXPIRED if PasswordMustChange is less than the current time.*

However, testing (smbtorture's rpc.samr.passwords.lockout test) shows that only the UF_PASSWORD_EXPIRED bit shows via SAMR, the UF_LOCKOUT does not. That is, we get a STATUS_ACCOUNT_LOCKED_OUT without this flag being returned.

In '3.1.5.14.6 Account Lockout State Maintenance' different rules appear to apply compared to MS-ADTS '3.1.1.4.5.17 msDS-User-Account-Control-Computed'.

The answers on these things matter to me, because I was trying to build the SAMR behaviour on the msDS-User-Account-Control-Computed behaviour. The MS-ADTS docs have regard for the account type, for example.

Can you look into this, and assist me in understanding what rules are actually applied, and if these two calculations are deliberately out of sync?

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
