s4:rpc-server:samr: fix setting of lockout duration < lockout window

This should return NT_STATUS_INVALID_PARAMETER.
This makes samba pass the first part of the samr-lockout test.

This constraint is documented here for the samr server:
http://msdn.microsoft.com/en-us/library/cc245667%28PROT.10%29.aspx
MS-SAMR 3.1.1.6 Attribute Constraints for Originating Updates

and here for the ldap backend:
http://msdn.microsoft.com/en-us/library/cc223462(PROT.10).aspx
MS-ADTS 3.1.1.5.3.2 Constraints

So the check should actually be moved down into the backend,
i.e. under dsdb/samdb/ldb_modules - TODO..

Michael

diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index 7de2377fe9e48a9418f66ea0b2b1b14d400c631e..13955265b07e4ff32d6db720576251cc4440a6a5 100644 (file)
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -942,7 +942,28 @@ static NTSTATUS dcesrv_samr_SetDomainInfo(struct dcesrv_call_state *dce_call, TA
                return NT_STATUS_OK;
 
        case 12:
-               
+               /*
+                * It is not possible to set lockout_duration < lockout_window.
+                * (The test is the other way around since the negative numbers
+                *  are stored...)
+                *
+                * TODO:
+                *   This check should be moved to the backend, i.e. to some
+                *   ldb module under dsdb/samdb/ldb_modules/ .
+                *
+                * This constraint is documented here for the samr rpc service:
+                * MS-SAMR 3.1.1.6 Attribute Constraints for Originating Updates
+                * http://msdn.microsoft.com/en-us/library/cc245667%28PROT.10%29.aspx
+                *
+                * And here for the ldap backend:
+                * MS-ADTS 3.1.1.5.3.2 Constraints
+                * http://msdn.microsoft.com/en-us/library/cc223462(PROT.10).aspx
+                */
+               if (r->in.info->info12.lockout_duration >
+                   r->in.info->info12.lockout_window)
+               {
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
                SET_INT64  (msg, info12.lockout_duration,      "lockoutDuration");
                SET_INT64  (msg, info12.lockout_window,        "lockOutObservationWindow");
                SET_INT64  (msg, info12.lockout_threshold,     "lockoutThreshold");