From 44a624d6ce97078f93baf83f36737238363f788e Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 30 Oct 2013 14:09:15 +1300
Subject: [PATCH] s3-samr: Refuse to set lockout_duration < lockout_window per rpc.samr.passwords.lockout
This was not noticed previously because the test was not run.
Andrew Bartlett
Change-Id: I88701b6c3057ec26f44b3ccab4134ac9aabe552a
Signed-off-by: Stefan Metzmacher
Reviewed-by: Stefan Metzmacher
---
 source3/rpc_server/samr/srv_samr_nt.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index 48cfc7e12dc..5318ba2c8cc 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -6378,6 +6378,23 @@ static NTSTATUS set_dom_info_12(TALLOC_CTX *mem_ctx,
 {
 time_t u_lock_duration, u_reset_time;
 
+ /*
+ * It is not possible to set lockout_duration < lockout_window.
+ * (The test is the other way around since the negative numbers
+ * are stored...)
+ *
+ * This constraint is documented here for the samr rpc service:
+ * MS-SAMR 3.1.1.6 Attribute Constraints for Originating Updates
+ * http://msdn.microsoft.com/en-us/library/cc245667%28PROT.10%29.aspx
+ *
+ * And here for the ldap backend:
+ * MS-ADTS 3.1.1.5.3.2 Constraints
+ * http://msdn.microsoft.com/en-us/library/cc223462(PROT.10).aspx
+ */
+ if (r->lockout_duration > r->lockout_window) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
 u_lock_duration = nt_time_to_unix_abs((NTTIME *)&r->lockout_duration);
 if (u_lock_duration != -1) {
 u_lock_duration /= 60;
-- 
2.11.4.GIT
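Review bot: The new guard `r->lockout_duration > r->lockout_window` only matches its comment when both fields hold negative relative intervals, and nothing in the hunk checks that for the client-supplied values. The field types are not visible here, but the cast `(NTTIME *)&r->lockout_duration` on the following context line suggests they may be unsigned 64-bit; if so, the comparison orders raw bit patterns, and a 0 or positive value on either side is accepted or rejected for reasons the comment does not cover. Because this is the account-lockout policy, an unintended accepted combination weakens the protection against password guessing. I would extend the comment with a line such as `* Both fields are compared as stored 64-bit values; 0 and positive inputs are <accepted|rejected> because ...` once the types are confirmed, and have the test named in the subject cover those inputs. The body of set_dom_info_12 starts and ends outside the hunk.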