Andrew,

This got transferred to me and I will be assisting you on this issue. Let me review this and follow up.

Thanks,
Edgar

-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]]
Sent: Thursday, October 24, 2013 5:53 PM
To: Sebastian Canevari
Cc: [email protected]
Subject: Re: [cifs-protocol] Where is account lockout and password expiry described in the docs?

On Fri, 2013-10-25 at 10:50 +1300, Andrew Bartlett wrote:
> On Fri, 2013-10-25 at 09:26 +1300, Andrew Bartlett wrote:
> > On Thu, 2013-10-24 at 20:16 +0000, Sebastian Canevari wrote:
> > > Hi Andrew,
> > >
> > > Do you need further assistance from my end?
> >
> > I do. I was waiting on:
> >
> > > > As soon as I have answers or questions I'll let you know.
> > > >
> > Thanks. Please also include the details for how this happens in
> > Kerberos, not just for NTLM, as I strongly suspect the semantics have
> > subtle differences, particularly in forwarding.
> >
> > There is still no clear document explaining how this is handled for
> > Kerberos, and nothing that clearly describes how a NetLogon SamLogon
> > translates into a badPwdCount update.
> >
> > I was waiting for those docs before proceeding, to avoid rework.
>
> I'm also wanting clarification on the UF_LOCKOUT flag in
> msDS-User-Account-Control-Computed and userAccountControl.
>
> It appears that msDS-User-Account-Control-Computed should be referred
> to by SAMR, as the source of the lockout algorithm, but there is no
> reference from MS-SAMR to this attribute.
>
> Indeed, it is unclear how UF_LOCKOUT and UF_PASSWORD_EXPIRED are to
> behave, as 3.1.1.6 (18) bans this bit, but in:
>
> 3.1.1.8.10
> userAccountControl
> 1. If the UF_LOCKOUT bit (section 2.2.1.13) is set and the lockoutTime
> attribute is nonzero, the lockoutTime attribute MUST be updated to a
> value of zero.
>
> This implies that it can be set in userAccountControl. Also, the
> sense here seems backwards; surely clearing the bit sets lockoutTime
> to zero?
>
> Also it says:
>
> 2. The following bits, if set, MUST be unset before committing the
> transaction: UF_LOCKOUT and UF_PASSWORD_EXPIRED.
>
> This further confuses me as to whether these are computed or stored
> flags (I'm assuming computed).
>
> This is the kind of level of detail I need in this area.

Additionally, as I'll need to implement the ms-DS-User-Account-Control-Computed attribute, how do I implement

0x4000000 UF_PARTIAL_SECRETS_ACCOUNT
0x8000000 UF_USE_AES_KEYS

because these are not included in MS-ADTS 3.1.1.4.5.17 msDS-User-Account-Control-Computed?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
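The thread turns on whether UF_LOCKOUT and UF_PASSWORD_EXPIRED are stored in userAccountControl or derived for msDS-User-Account-Control-Computed. The following Python model is added here by the editor and is not code from the thread, from Samba, or from the MS-ADTS text; it shows the two-sided behaviour the quoted spec fragments imply: writes to userAccountControl have the two bits masked off before commit (mirroring 3.1.1.8.10 item 2, which the mail quotes), while the computed attribute derives them from lockoutTime, pwdLastSet and the domain's lockoutDuration / maxPwdAge. The derivation rules (lockout active while lockoutTime plus the lockout duration is still in the future; password expired when pwdLastSet is 0 or older than maxPwdAge unless UF_DONT_EXPIRE_PASSWD is set), the negative-interval encoding of the durations, the sample timestamps and the `SAMPLE_NOW` value are the editor's assumptions, not statements from the thread.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits referred to in the thread (MS-SAMR 2.2.1.13 values).
UF_LOCKOUT = 0x00000010
UF_DONT_EXPIRE_PASSWD = 0x00010000
UF_PASSWORD_EXPIRED = 0x00800000

# Bits that 3.1.1.8.10 item 2 says MUST be unset before commit, i.e. the bits
# the computed attribute is responsible for rather than the stored one.
COMPUTED_ONLY = UF_LOCKOUT | UF_PASSWORD_EXPIRED

# AD large-integer times: 100 ns intervals since 1601-01-01 UTC.
_NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def nt_time(dt: datetime) -> int:
    """Convert a UTC datetime to AD's 100 ns tick count (whole seconds only)."""
    return int((dt - _NT_EPOCH).total_seconds()) * 10_000_000


def interval(td: timedelta) -> int:
    """Convert a duration to 100 ns ticks, the unit domain policy uses."""
    return int(td.total_seconds()) * 10_000_000


def minutes(n: int) -> int:
    return interval(timedelta(minutes=n))


def days(n: int) -> int:
    return interval(timedelta(days=n))


def sanitize_stored_uac(requested_uac: int) -> int:
    """What a DC would actually commit to userAccountControl on a write:
    the caller's value with the computed-only bits cleared."""
    return requested_uac & ~COMPUTED_ONLY


def computed_uac(stored_uac: int, lockout_time: int, pwd_last_set: int,
                 lockout_duration: int, max_pwd_age: int, now: int) -> int:
    """Editor's model of the lockout/expiry part of
    msDS-User-Account-Control-Computed (assumption, not the spec's text).

    lockout_duration and max_pwd_age are negative tick intervals, as the
    domain head stores them; a non-negative value disables that check here.
    """
    flags = 0
    # Locked out while the lockout window started at lockoutTime is still open.
    if lockout_time != 0 and lockout_duration < 0 and now < lockout_time - lockout_duration:
        flags |= UF_LOCKOUT
    # pwdLastSet == 0 means "must change at next logon"; otherwise the password
    # ages out after maxPwdAge unless the stored flags opt it out of expiry.
    if pwd_last_set == 0:
        flags |= UF_PASSWORD_EXPIRED
    elif (not stored_uac & UF_DONT_EXPIRE_PASSWD and max_pwd_age < 0
          and now >= pwd_last_set - max_pwd_age):
        flags |= UF_PASSWORD_EXPIRED
    return flags


# Constructed reference instant for the examples below (editor's sample value).
SAMPLE_NOW = nt_time(datetime(2013, 10, 25, tzinfo=timezone.utc))


if __name__ == "__main__":
    normal_account = 0x200  # UF_NORMAL_ACCOUNT
    # Trying to store UF_LOCKOUT in userAccountControl: the bit does not survive.
    print(hex(sanitize_stored_uac(normal_account | UF_LOCKOUT)))
    # 10 minutes into a 30 minute lockout: the computed attribute reports it.
    print(hex(computed_uac(normal_account, SAMPLE_NOW - minutes(10),
                           SAMPLE_NOW - days(1), -minutes(30), -days(42),
                           SAMPLE_NOW)))
```

The point for an implementer is that the same bit means different things in the two attributes: writing UF_LOCKOUT to userAccountControl is a no-op after sanitisation, while reading it from msDS-User-Account-Control-Computed reflects lockoutTime and policy at read time, so an "unlock" is a write to lockoutTime, not to the flag.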
