authorMichael Adam <obnox@samba.org>2010-01-20 17:54:40 +0100
committerMichael Adam <obnox@samba.org>2010-01-21 13:01:24 +0100
commitfb4679638d03a555c722c08ee1de121fc8ff23f1 (patch)
tree9dec00065ddd137cdae13974bc55d9ae2f3ada60
parent24d4433bd75366774945ed59c0043428dedea4ba (diff)
s4:rpc-server:samr: fix setting of lockout duration < lockout window
This should return NT_STATUS_INVALID_PARAMETER. This makes samba pass the first part of the samr-lockout test. This constraint is documented here for the samr server: http://msdn.microsoft.com/en-us/library/cc245667%28PROT.10%29.aspx MS-SAMR 3.1.1.6 Attribute Constraints for Originating Updates and here for the ldap backend: http://msdn.microsoft.com/en-us/library/cc223462(PROT.10).aspx MS-ADTS 3.1.1.5.3.2 Constraints So the check should actually be moved down into the backend, i.e. under dsdb/samdb/ldb_modules - TODO.. Michael
-rw-r--r--source4/rpc_server/samr/dcesrv_samr.c23
1 files changed, 22 insertions, 1 deletions
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index 7de2377fe9..13955265b0 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -942,7 +942,28 @@ static NTSTATUS dcesrv_samr_SetDomainInfo(struct dcesrv_call_state *dce_call, TA
return NT_STATUS_OK;
case 12:
-
+ /*
+ * It is not possible to set lockout_duration < lockout_window.
+ * (The test is the other way around since the negative numbers
+ * are stored...)
+ *
+ * TODO:
+ * This check should be moved to the backend, i.e. to some
+ * ldb module under dsdb/samdb/ldb_modules/ .
+ *
+ * This constraint is documented here for the samr rpc service:
+ * MS-SAMR 3.1.1.6 Attribute Constraints for Originating Updates
+ * http://msdn.microsoft.com/en-us/library/cc245667%28PROT.10%29.aspx
+ *
+ * And here for the ldap backend:
+ * MS-ADTS 3.1.1.5.3.2 Constraints
+ * http://msdn.microsoft.com/en-us/library/cc223462(PROT.10).aspx
+ */
+ if (r->in.info->info12.lockout_duration >
+ r->in.info->info12.lockout_window)
+ {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
SET_INT64 (msg, info12.lockout_duration, "lockoutDuration");
SET_INT64 (msg, info12.lockout_window, "lockOutObservationWindow");
SET_INT64 (msg, info12.lockout_threshold, "lockoutThreshold");
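Review bot: The new test `if (r->in.info->info12.lockout_duration > r->in.info->info12.lockout_window)` is only right when both fields hold negative intervals, as the comment says, and nothing in the hunk enforces that. The field types are not visible here; if they are unsigned, or if a client sends zero or a positive value for one of them, the ordering no longer means "duration shorter than window", so a valid policy could be rejected or an inconsistent one stored. Because these attributes define the account lockout policy, the comment should state the accepted range until the check moves into the ldb module, e.g. `* Both values are expected to be negative intervals; zero and positive values are not validated here.` The switch in dcesrv_samr_SetDomainInfo starts and ends outside the hunk, so how `msg` is handled on this early return cannot be confirmed from here.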