author | Michael Adam <obnox@samba.org> | 2010-01-20 17:54:40 +0100 |
---|---|---|
committer | Michael Adam <obnox@samba.org> | 2010-01-21 13:01:24 +0100 |
commit | fb4679638d03a555c722c08ee1de121fc8ff23f1 (patch) | |
tree | 9dec00065ddd137cdae13974bc55d9ae2f3ada60 | |
parent | 24d4433bd75366774945ed59c0043428dedea4ba (diff) | |
s4:rpc-server:samr: fix setting of lockout duration < lockout window
This should return NT_STATUS_INVALID_PARAMETER.
This makes samba pass the first part of the samr-lockout test.
This constraint is documented here for the samr server:
http://msdn.microsoft.com/en-us/library/cc245667%28PROT.10%29.aspx
MS-SAMR 3.1.1.6 Attribute Constraints for Originating Updates
and here for the ldap backend:
http://msdn.microsoft.com/en-us/library/cc223462(PROT.10).aspx
MS-ADTS 3.1.1.5.3.2 Constraints
So the check should actually be moved down into the backend,
i.e. under dsdb/samdb/ldb_modules - TODO..
Michael
-rw-r--r-- | source4/rpc_server/samr/dcesrv_samr.c | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c index 7de2377fe9..13955265b0 100644 --- a/source4/rpc_server/samr/dcesrv_samr.c +++ b/source4/rpc_server/samr/dcesrv_samr.c @@ -942,7 +942,28 @@ static NTSTATUS dcesrv_samr_SetDomainInfo(struct dcesrv_call_state *dce_call, TA return NT_STATUS_OK; case 12: - + /* + * It is not possible to set lockout_duration < lockout_window. + * (The test is the other way around since the negative numbers + * are stored...) + * + * TODO: + * This check should be moved to the backend, i.e. to some + * ldb module under dsdb/samdb/ldb_modules/ . + * + * This constraint is documented here for the samr rpc service: + * MS-SAMR 3.1.1.6 Attribute Constraints for Originating Updates + * http://msdn.microsoft.com/en-us/library/cc245667%28PROT.10%29.aspx + * + * And here for the ldap backend: + * MS-ADTS 3.1.1.5.3.2 Constraints + * http://msdn.microsoft.com/en-us/library/cc223462(PROT.10).aspx + */ + if (r->in.info->info12.lockout_duration > + r->in.info->info12.lockout_window) + { + return NT_STATUS_INVALID_PARAMETER; + } SET_INT64 (msg, info12.lockout_duration, "lockoutDuration"); SET_INT64 (msg, info12.lockout_window, "lockOutObservationWindow"); SET_INT64 (msg, info12.lockout_threshold, "lockoutThreshold"); |
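Review bot: The new `if (r->in.info->info12.lockout_duration > r->in.info->info12.lockout_window)` test in case 12 is only correct while both values are negative, as the comment's "the negative numbers are stored" implies, and nothing in the hunk enforces or documents that for client-supplied input. If either field can arrive as zero or positive, or if the fields are unsigned so that the comparison is done on the raw bit pattern, the inverted test may accept or reject combinations the constraint does not intend. Please either validate the sign of both fields before comparing or state the field type and the sign assumption explicitly in the comment. The comment's trailing "..." would also read better spelled out, for example by saying that the values are stored as negative intervals, so a shorter duration is the numerically larger value. Since the TODO already notes that the check belongs in an ldb module under dsdb/samdb/ldb_modules/, it is worth adding to the comment that until it moves there, updates arriving through the ldap backend are not covered by this RPC-level check.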