mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
s4:rpc-server:samr: fix setting of lockout duration < lockout window
This should return NT_STATUS_INVALID_PARAMETER. This makes samba pass the first part of the samr-lockout test. This constraint is documented here for the samr server: http://msdn.microsoft.com/en-us/library/cc245667%28PROT.10%29.aspx MS-SAMR 3.1.1.6 Attribute Constraints for Originating Updates and here for the ldap backend: http://msdn.microsoft.com/en-us/library/cc223462(PROT.10).aspx MS-ADTS 3.1.1.5.3.2 Constraints So the check should actually be moved down into the backend, i.e. under dsdb/samdb/ldb_modules - TODO.. Michael
This commit is contained in:
parent
24d4433bd7
commit
fb4679638d
@ -942,7 +942,28 @@ static NTSTATUS dcesrv_samr_SetDomainInfo(struct dcesrv_call_state *dce_call, TA
|
||||
return NT_STATUS_OK;
|
||||
|
||||
case 12:
|
||||
|
||||
/*
|
||||
* It is not possible to set lockout_duration < lockout_window.
|
||||
* (The test is the other way around since the negative numbers
|
||||
* are stored...)
|
||||
*
|
||||
* TODO:
|
||||
* This check should be moved to the backend, i.e. to some
|
||||
* ldb module under dsdb/samdb/ldb_modules/ .
|
||||
*
|
||||
* This constraint is documented here for the samr rpc service:
|
||||
* MS-SAMR 3.1.1.6 Attribute Constraints for Originating Updates
|
||||
* http://msdn.microsoft.com/en-us/library/cc245667%28PROT.10%29.aspx
|
||||
*
|
||||
* And here for the ldap backend:
|
||||
* MS-ADTS 3.1.1.5.3.2 Constraints
|
||||
* http://msdn.microsoft.com/en-us/library/cc223462(PROT.10).aspx
|
||||
*/
|
||||
if (r->in.info->info12.lockout_duration >
|
||||
r->in.info->info12.lockout_window)
|
||||
{
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
SET_INT64 (msg, info12.lockout_duration, "lockoutDuration");
|
||||
SET_INT64 (msg, info12.lockout_window, "lockOutObservationWindow");
|
||||
SET_INT64 (msg, info12.lockout_threshold, "lockoutThreshold");
|
||||
|
Loading…
Reference in New Issue
Block a user