s3-samr: Refuse to set lockout_duration < lockout_window per rpc.samr.passwords.lockout
authorAndrew Bartlett <abartlet@samba.org>
Wed, 30 Oct 2013 01:09:15 +0000 (14:09 +1300)
committerStefan Metzmacher <metze@samba.org>
Wed, 2 Apr 2014 15:12:45 +0000 (17:12 +0200)
This was not noticed previously because the test was not run.

Andrew Bartlett

Change-Id: I88701b6c3057ec26f44b3ccab4134ac9aabe552a
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source3/rpc_server/samr/srv_samr_nt.c

index 48cfc7e12dca3ff1c89106153db02294b01908ba..5318ba2c8cc05200a4405e9164429cda683ce749 100644 (file)
@@ -6378,6 +6378,23 @@ static NTSTATUS set_dom_info_12(TALLOC_CTX *mem_ctx,
 {
        time_t u_lock_duration, u_reset_time;
 
+       /*
+        * It is not possible to set lockout_duration < lockout_window.
+        * (The test is the other way around since the negative numbers
+        *  are stored...)
+        *
+        * This constraint is documented here for the samr rpc service:
+        * MS-SAMR 3.1.1.6 Attribute Constraints for Originating Updates
+        * http://msdn.microsoft.com/en-us/library/cc245667%28PROT.10%29.aspx
+        *
+        * And here for the ldap backend:
+        * MS-ADTS 3.1.1.5.3.2 Constraints
+        * http://msdn.microsoft.com/en-us/library/cc223462(PROT.10).aspx
+        */
+       if (r->lockout_duration > r->lockout_window) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
        u_lock_duration = nt_time_to_unix_abs((NTTIME *)&r->lockout_duration);
        if (u_lock_duration != -1) {
                u_lock_duration /= 60;
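Review bot: The new guard `if (r->lockout_duration > r->lockout_window)` compares the raw stored values, so whether it enforces the documented constraint depends on the signedness of those two fields and on how special values are encoded, neither of which is visible in this hunk. The `(NTTIME *)` cast on the following line suggests the fields are not declared as NTTIME, and the `u_lock_duration != -1` test shows that `nt_time_to_unix_abs()` has a sentinel result. Values that map to that sentinel (presumably "never" or unset) therefore pass through the same ordering test as ordinary intervals, so please confirm that a permanent lockout duration is still accepted and that a zero window behaves as intended. Since this policy is what throttles password guessing, I would replace the trailing "..." in the comment with the encoding itself, e.g. `* Both values are relative intervals stored as negative NTTIMEs, so the shorter interval is the numerically larger value.` The body of set_dom_info_12 continues past the end of the hunk.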