diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2013-10-30 14:09:15 +1300 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2014-04-02 17:12:45 +0200 |
| commit | 44a624d6ce97078f93baf83f36737238363f788e (patch) | |
| tree | d1daec21d37ebabe4122523c632537deb6532aa8 | |
| parent | 1dba07db0d3d511ce7c3a10ad3c2e3d0994615dd (diff) | |
| download | samba-44a624d6ce97078f93baf83f36737238363f788e.tar.gz samba-44a624d6ce97078f93baf83f36737238363f788e.tar.xz samba-44a624d6ce97078f93baf83f36737238363f788e.zip | |
s3-samr: Refuse to set lockout_duration < lockout_window per rpc.samr.passwords.lockout
This was not noticed previously because the test was not run.
Andrew Bartlett
Change-Id: I88701b6c3057ec26f44b3ccab4134ac9aabe552a
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
| -rw-r--r-- | source3/rpc_server/samr/srv_samr_nt.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c index 48cfc7e12d..5318ba2c8c 100644 --- a/source3/rpc_server/samr/srv_samr_nt.c +++ b/source3/rpc_server/samr/srv_samr_nt.c @@ -6378,6 +6378,23 @@ static NTSTATUS set_dom_info_12(TALLOC_CTX *mem_ctx, { time_t u_lock_duration, u_reset_time; + /* + * It is not possible to set lockout_duration < lockout_window. + * (The test is the other way around since the negative numbers + * are stored...) + * + * This constraint is documented here for the samr rpc service: + * MS-SAMR 3.1.1.6 Attribute Constraints for Originating Updates + * http://msdn.microsoft.com/en-us/library/cc245667%28PROT.10%29.aspx + * + * And here for the ldap backend: + * MS-ADTS 3.1.1.5.3.2 Constraints + * http://msdn.microsoft.com/en-us/library/cc223462(PROT.10).aspx + */ + if (r->lockout_duration > r->lockout_window) { + return NT_STATUS_INVALID_PARAMETER; + } + u_lock_duration = nt_time_to_unix_abs((NTTIME *)&r->lockout_duration); if (u_lock_duration != -1) { u_lock_duration /= 60; |