> The ticket is about "SSSD should be about to display message to the user when the account in Active Directory is 'locked out'" If the string is not standardized among AD versions than this ticket is NOT solved.

>> Could you add link to msdn documentation where it is described that this string >> is guaranted to be returned in such case? > > It's not MSDN, but: > http://www-01.ibm.com/support/docview.wss?uid=swg21290631 I would prefer official documantation (msdn) in code ar at least in commit message.

On Mon, Feb 08, 2016 at 10:34:16AM +0100, Pavel Reichl wrote: > > > On 02/05/2016 03:16 PM, Lukas Slebodnik wrote: > >> > >The ticket is about "SSSD should be about to display message to the user when > >the account in Active Directory is 'locked out'" > > > >If the string is not standardized among AD versions > >than this ticket is NOT solved. > > So what do you propose? Rename ticket to contain version of tested AD? Or should we say user that although we have fix that would work for him it might not work for all AD versions so we won't provide it? It would be nice to mention what we tested with in the commit message. > > Can we ask our QA to test on all AD version they can lay their hands on? Yes, I think we can test 2012 and 2008. Probably not worth testing 2003 anymore.

On (08/02/16 12:12), Lukas Slebodnik wrote: >On (08/02/16 10:48), Jakub Hrozek wrote: >>On Mon, Feb 08, 2016 at 10:34:16AM +0100, Pavel Reichl wrote: >>> >>> >>> On 02/05/2016 03:16 PM, Lukas Slebodnik wrote: >>> >> >>> >The ticket is about "SSSD should be about to display message to the user when >>> >the account in Active Directory is 'locked out'" >>> > >>> >If the string is not standardized among AD versions >>> >than this ticket is NOT solved. >>> >>> So what do you propose? Rename ticket to contain version of tested AD? Or should we say user that although we have fix that would work for him it might not work for all AD versions so we won't provide it? >> >>It would be nice to mention what we tested with in the commit message. >> >>> >>> Can we ask our QA to test on all AD version they can lay their hands on? >> >>Yes, I think we can test 2012 and 2008. Probably not worth testing 2003 >>anymore. >> >If you have an access to such machines it would be good to test. >I do not have licences :-(. > >We *might* check with samba AD. >It needn't work therefore it should not be a blocker for this patch. >But we had some samba AD specific crashed in past which would be good to avoid. > >Or just check samba source code whether it has such string in code. > I checked the samba source code and it looks like there can be zeros before 775 libcli/util/werror.h:#define WERR_ACCOUNT_LOCKED_OUT W_ERROR(0x00000775) source4/dsdb/tests/python/password_lockout.py: self.assertTrue('00000775' in msg) source4/dsdb/tests/python/password_lockout.py: self.assertTrue('00000775' in msg) source4/dsdb/tests/python/password_lockout.py: self.assertTrue('0000775' in msg) source4/dsdb/tests/python/password_lockout.py: self.assertTrue('0000775' in msg) source4/dsdb/tests/python/password_lockout.py: self.assertTrue('0000775' in msg) source4/dsdb/tests/python/password_lockout.py: self.assertTrue('00000775' in msg) source4/dsdb/tests/python/password_lockout.py: self.assertTrue('00000775' in msg) source4/dsdb/tests/python/password_lockout.py: self.assertTrue('0000775' in msg)

On (08/02/16 17:18), Sumit Bose wrote:

Agree. I wrote in my previous mail that samab shoudl not be a blocker. But we should not crash with samba in any case.

On 02/08/2016 10:48 AM, Jakub Hrozek wrote: >On Mon, Feb 08, 2016 at 10:34:16AM +0100, Pavel Reichl wrote: >> >> >>On 02/05/2016 03:16 PM, Lukas Slebodnik wrote: >>>> >>>The ticket is about "SSSD should be about to display message to the user when >>>the account in Active Directory is 'locked out'" >>> >>>If the string is not standardized among AD versions >>>than this ticket is NOT solved. >> >>So what do you propose? Rename ticket to contain version of tested AD? Or should we say user that although we have fix that would work for him it might not work for all AD versions so we won't provide it? > >It would be nice to mention what we tested with in the commit message. OK, done. > >> >>Can we ask our QA to test on all AD version they can lay their hands on? > >Yes, I think we can test 2012 and 2008. Probably not worth testing 2003 >anymore. > I updated the relevant BZ.

From 5a4ca73e16e4eec023108387cd8c572c34496e9b Mon Sep 17 00:00:00 2001 From: Pavel Reichl <preichl(a)redhat.com&gt; Date: Fri, 5 Feb 2016 07:27:38 -0500 Subject: [PATCH 1/2] SDAP: Add return code ERR_ACCOUNT_LOCKED Add code to distinquish state when account is locked in Active Directory server. Tested against Windows Server 2012

On Tue, Feb 09, 2016 at 08:09:33AM +0100, Lukas Slebodnik wrote: > On (08/02/16 13:56), Pavel Reichl wrote: > >On 02/08/2016 10:48 AM, Jakub Hrozek wrote: > >>On Mon, Feb 08, 2016 at 10:34:16AM +0100, Pavel Reichl wrote: > >>> > >>> > >>>On 02/05/2016 03:16 PM, Lukas Slebodnik wrote: > >>>>> > >>>>The ticket is about "SSSD should be about to display message to the user when > >>>>the account in Active Directory is 'locked out'" > >>>> > >>>>If the string is not standardized among AD versions > >>>>than this ticket is NOT solved. > >>> > >>>So what do you propose? Rename ticket to contain version of tested AD? Or should we say user that although we have fix that would work for him it might not work for all AD versions so we won't provide it? > >> > >>It would be nice to mention what we tested with in the commit message. > > > >OK, done. > > > >> > >>> > >>>Can we ask our QA to test on all AD version they can lay their hands on? > >> > >>Yes, I think we can test 2012 and 2008. Probably not worth testing 2003 > >>anymore. > >> > > > >I updated the relevant BZ. > > >From 5a4ca73e16e4eec023108387cd8c572c34496e9b Mon Sep 17 00:00:00 2001 > >From: Pavel Reichl <preichl(a)redhat.com&gt; > >Date: Fri, 5 Feb 2016 07:27:38 -0500 > >Subject: [PATCH 1/2] SDAP: Add return code ERR_ACCOUNT_LOCKED > > > >Add code to distinquish state when account is locked in Active > >Directory server. > > > >Tested against Windows Server 2012 > > > Thank you very much for testing. I really appreciate it. > It would be enought to test with one kind of AD if we planned > to push the patch only to master branch. > > However there is a plan to push it also to stable branch. > It would be good to test with more versions. > We kind of suport few version of AD. > /* Values from > * http://msdn.microsoft.com/en-us/library/cc223272%28v=prot.13%29.aspx > */ > enum dc_functional_level { > DS_BEHAVIOR_WIN2000 = 0, > DS_BEHAVIOR_WIN2003 = 2, > DS_BEHAVIOR_WIN2008 = 3, > DS_BEHAVIOR_WIN2008R2 = 4, > DS_BEHAVIOR_WIN2012 = 5, > DS_BEHAVIOR_WIN2012R2 = 6 > }; > > If we are not bale to find the behaviour in the MSDN documentation > then we should do upstream first testing and do not rely on later testing > of patches in stable branch. I don't think we should put any effort into testing server versions that are not supported by Microsoft anymore. That would be like testing IPA features with IPA 2.x..

On (09/02/16 08:15), Jakub Hrozek wrote: >On Tue, Feb 09, 2016 at 08:09:33AM +0100, Lukas Slebodnik wrote: >> On (08/02/16 13:56), Pavel Reichl wrote: >> >On 02/08/2016 10:48 AM, Jakub Hrozek wrote: >> >>On Mon, Feb 08, 2016 at 10:34:16AM +0100, Pavel Reichl wrote: >> >>> >> >>> >> >>>On 02/05/2016 03:16 PM, Lukas Slebodnik wrote: >> >>>>> >> >>>>The ticket is about "SSSD should be about to display message to the user when >> >>>>the account in Active Directory is 'locked out'" >> >>>> >> >>>>If the string is not standardized among AD versions >> >>>>than this ticket is NOT solved. >> >>> >> >>>So what do you propose? Rename ticket to contain version of tested AD? Or should we say user that although we have fix that would work for him it might not work for all AD versions so we won't provide it? >> >> >> >>It would be nice to mention what we tested with in the commit message. >> > >> >OK, done. >> > >> >> >> >>> >> >>>Can we ask our QA to test on all AD version they can lay their hands on? >> >> >> >>Yes, I think we can test 2012 and 2008. Probably not worth testing 2003 >> >>anymore. >> >> >> > >> >I updated the relevant BZ. >> >> >From 5a4ca73e16e4eec023108387cd8c572c34496e9b Mon Sep 17 00:00:00 2001 >> >From: Pavel Reichl <preichl(a)redhat.com&gt; >> >Date: Fri, 5 Feb 2016 07:27:38 -0500 >> >Subject: [PATCH 1/2] SDAP: Add return code ERR_ACCOUNT_LOCKED >> > >> >Add code to distinquish state when account is locked in Active >> >Directory server. >> > >> >Tested against Windows Server 2012 >> > >> Thank you very much for testing. I really appreciate it. >> It would be enought to test with one kind of AD if we planned >> to push the patch only to master branch. >> >> However there is a plan to push it also to stable branch. >> It would be good to test with more versions. >> We kind of suport few version of AD. >> /* Values from >> * http://msdn.microsoft.com/en-us/library/cc223272%28v=prot.13%29.aspx >> */ >> enum dc_functional_level { >> DS_BEHAVIOR_WIN2000 = 0, >> DS_BEHAVIOR_WIN2003 = 2, >> DS_BEHAVIOR_WIN2008 = 3, >> DS_BEHAVIOR_WIN2008R2 = 4, >> DS_BEHAVIOR_WIN2012 = 5, >> DS_BEHAVIOR_WIN2012R2 = 6 >> }; >> >> If we are not bale to find the behaviour in the MSDN documentation >> then we should do upstream first testing and do not rely on later testing >> of patches in stable branch. > >I don't think we should put any effort into testing server versions that >are not supported by Microsoft anymore. That would be like testing IPA >features with IPA 2.x.. I didn't ask to test all version. I asked to test *MORE* versions. e.g. >= 2008

On 02/05/2016 03:16 PM, Lukas Slebodnik wrote: >> >The ticket is about "SSSD should be about to display message to the user when >the account in Active Directory is 'locked out'" > >If the string is not standardized among AD versions >than this ticket is NOT solved. So what do you propose? Rename ticket to contain version of tested AD? Or should we say user that although we have fix that would work for him it might not work for all AD versions so we won't provide it? Can we ask our QA to test on all AD version they can lay their hands on? > >>>Could you add link to msdn documentation where it is described that this string >>>is guaranted to be returned in such case? >> >>It's not MSDN, but: >> http://www-01.ibm.com/support/docview.wss?uid=swg21290631 >I would prefer official documantation (msdn) in code ar at least in >commit message. We don't have any and it's possible it's not publicly documented.

On Mon, 08 Feb 2016, Sumit Bose wrote: >On Mon, Feb 08, 2016 at 10:34:16AM +0100, Pavel Reichl wrote: >> >> >>On 02/05/2016 03:16 PM, Lukas Slebodnik wrote: >>>> >>>The ticket is about "SSSD should be about to display message to the user when >>>the account in Active Directory is 'locked out'" >>> >>>If the string is not standardized among AD versions >>>than this ticket is NOT solved. >> >>So what do you propose? Rename ticket to contain version of tested >>AD? Or should we say user that although we have fix that would work >>for him it might not work for all AD versions so we won't provide it? >> >>Can we ask our QA to test on all AD version they can lay their hands on? >> >>> >>>>>Could you add link to msdn documentation where it is described that this string >>>>>is guaranted to be returned in such case? >>>> >>>>It's not MSDN, but: >>>> http://www-01.ibm.com/support/docview.wss?uid=swg21290631 >>>I would prefer official documantation (msdn) in code ar at least in >>>commit message. >> >>We don't have any and it's possible it's not publicly documented. > >The '755' in the message is a specific error code of some AD >calls which can be seen by the link Dan send. So I guess this will not >change. > >While I can make sense of some part of the remaining error string (yes, >it is just a string send with the LDAP bind response) I didn't found any >general description of the format and the components of the error string >on the MSFT sites. You should use error code 0x80090308, SEC_E_INVALID_TOKEN. The 80090308 should be in the error string and this is what you have to compare against. https://social.msdn.microsoft.com/Forums/en-US/e1d600c8-60b7-4ed0-94cb-20... ----------------------------------------------------------------------- Regarding the references in MS-ADTS on how account lockout policy is applied on Bind requests, I reported this as a document bug to the product team to request references being added. For LDAP errors returned by the server on a Simple Bind when the account is locked, the error is the same as if the Bind provided a wrong password. Windows Active Directory returns the LDAP error invalidCredentials. LDAP Bind Response error codes are documented in RFC2251 4.2.3.. Examples of errors are operationsError , strongAuthRequired, inappropriateAuthentication, invalidCredentials, unavailable. RFC2251 4.2.3. Bind Response - invalidCredentials: the wrong password was supplied or the SASL credentials could not be processed. The extended error information looks like this: ----------- res = ldap_simple_bind_s(ld, 'contoso3\user1', <unavailable>); // v.3 Error <49>: ldap_simple_bind_s() failed: Invalid Credentials Server error: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db0 Error 0x80090308 The token supplied to the function is invalid ----------- MS-ERREF 0x80090308 SEC_E_INVALID_TOKEN The token supplied to the function is invalid. The product team will be reflecting this in a future refresh of the MS-ADTS document. ----------------------------------------------------------------------- >Alexander, do you think it would make sense to ask MSFT to enhance the >documentation of the LDAP error message format? And if yes, is sending >an email to dochelp(a)microsoft.com sufficient or this there a more >elaborate process? I'll check with Edgar on why this piece is still missing from MS-ADTS five years after. ;)

Hi Alexander, thank you for reaching out to MSFT for enhancing the docs. But I'm afraid just checking for 80090308 is not sufficient as you can see from http://www-01.ibm.com/support/docview.wss?uid=swg21290631 . The value behind the 'data' string is really important to find out the real reason for the denial. The values themselve like (0x)701, (0x)773 or (0x)775 are documented as well (although I do not have the link at hand). But

On Wed, Feb 10, 2016 at 10:45:39AM +0200, Alexander Bokovoy wrote: > On Wed, 10 Feb 2016, Alexander Bokovoy wrote: > >On Mon, 08 Feb 2016, Sumit Bose wrote: > >>On Mon, Feb 08, 2016 at 10:34:16AM +0100, Pavel Reichl wrote: > >>> > >>> > >>>On 02/05/2016 03:16 PM, Lukas Slebodnik wrote: > >>>>> > >>>>The ticket is about "SSSD should be about to display message to the user when > >>>>the account in Active Directory is 'locked out'" > >>>> > >>>>If the string is not standardized among AD versions > >>>>than this ticket is NOT solved. > >>> > >>>So what do you propose? Rename ticket to contain version of tested > >>>AD? Or should we say user that although we have fix that would work > >>>for him it might not work for all AD versions so we won't provide it? > >>> > >>>Can we ask our QA to test on all AD version they can lay their hands on? > >>> > >>>> > >>>>>>Could you add link to msdn documentation where it is described that this string > >>>>>>is guaranted to be returned in such case? > >>>>> > >>>>>It's not MSDN, but: > >>>>> http://www-01.ibm.com/support/docview.wss?uid=swg21290631 > >>>>I would prefer official documantation (msdn) in code ar at least in > >>>>commit message. > >>> > >>>We don't have any and it's possible it's not publicly documented. > >> > >>The '755' in the message is a specific error code of some AD > >>calls which can be seen by the link Dan send. So I guess this will not > >>change. > >> > >>While I can make sense of some part of the remaining error string (yes, > >>it is just a string send with the LDAP bind response) I didn't found any > >>general description of the format and the components of the error string > >>on the MSFT sites. > >You should use error code 0x80090308, SEC_E_INVALID_TOKEN. The 80090308 > >should be in the error string and this is what you have to compare > >against. > > > >https://social.msdn.microsoft.com/Forums/en-US/e1d600c8-60b7-4ed0-94cb-20ddd6c1a1c6/msadts-user-locking-password-policies?forum=os_windowsprotocols > >----------------------------------------------------------------------- > >Regarding the references in MS-ADTS on how account lockout policy is > >applied on Bind requests, I reported this as a document bug to the > >product team to request references being added. > > > >For LDAP errors returned by the server on a Simple Bind when the account > >is locked, the error is the same as if the Bind provided a wrong > >password. Windows Active Directory returns the LDAP error > >invalidCredentials. > > > >LDAP Bind Response error codes are documented in RFC2251 4.2.3.. > >Examples of errors are operationsError , strongAuthRequired, > >inappropriateAuthentication, invalidCredentials, unavailable. > > > >RFC2251 > >4.2.3. Bind Response > >- invalidCredentials: the wrong password was supplied or the SASL > > credentials could not be processed. > >The extended error information looks like this: > >----------- > >res = ldap_simple_bind_s(ld, 'contoso3\user1', <unavailable>); // v.3 > >Error <49>: ldap_simple_bind_s() failed: Invalid Credentials > >Server error: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db0 > >Error 0x80090308 The token supplied to the function is invalid > >----------- > > > >MS-ERREF > >0x80090308 SEC_E_INVALID_TOKEN The token supplied to the function is > >invalid. > > > >The product team will be reflecting this in a future refresh of the > >MS-ADTS document. > >----------------------------------------------------------------------- > > > >>Alexander, do you think it would make sense to ask MSFT to enhance the > >>documentation of the LDAP error message format? And if yes, is sending > >>an email to dochelp(a)microsoft.com sufficient or this there a more > >>elaborate process? > >I'll check with Edgar on why this piece is still missing from MS-ADTS > >five years after. ;) > So I re-read MS-ADTS and section 3.1.1.3.1.9 "Error Message Strings" > has all the information: > ----------------------------------------------------------------------- > When the server fails an LDAP operation with an error, and the server > has sufficient resources to compute a string value for the errorMessage > field of the LDAPResult, it includes a string in the errorMessage field > of the LDAPResult (see [RFC2251] section 4.1.10). The string contains > further information about the error. > > The first eight characters of the errorMessage string are a 32-bit > integer, expressed in hexadecimal. Where protocol specifies the extended > error code "<unrestricted>" there is no restriction on the value of the > 32-bit integer. It is recommended that implementations use a Windows > error code for the 32-bit integer in this case in order to improve > usability of the directory for clients. Where protocol specifies an > extended error code which is a Windows error code, the 32- bit integer > is the specified Windows error code. Any data after the eighth character > is strictly informational and used only for debugging. Conformant > implementations need not put any value beyond the eighth character of > the errorMessage field. > ------------------------------------------------------------------------ > > So, my comment stands: check for "80090308" in the beginning of > errorMessage string. Hi Alexander, thank you for reaching out to MSFT for enhancing the docs. But I'm afraid just checking for 80090308 is not sufficient as you can see from http://www-01.ibm.com/support/docview.wss?uid=swg21290631 . The value behind the 'data' string is really important to find out the real reason for the denial. The values themselve like (0x)701, (0x)773 or (0x)775 are documented as well (although I do not have the link at hand). But since getting those values requires to parse the string it would be nice to get some official details about the string.

>>since getting those values requires to parse the string it would be nice >>to get some official details about the string. >Well, the string content after DSID-<number> mark can be completely >missing while the hex of the code (80090308) will be there. > >The presence of "DSID-<number> ..." error message is regulated by >ulHideDSID character of the dsHeuristics attribute (MS-ADTS >6.1.1.2.4.1.2). So you can have Active Directory where DSID-<number> >string is completely missing but Win32 code for the error is there. > Alexander thanks for looking into this, but what we need is to distinguish between reasons for invalid credentials. e.g. Bind result: Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 773, v23f0 Bind result: Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 775, v23f0

On 02/10/2016 11:06 AM, Alexander Bokovoy wrote: >On Wed, 10 Feb 2016, Pavel Reichl wrote: >>>>since getting those values requires to parse the string it would be nice >>>>to get some official details about the string. >>>Well, the string content after DSID-<number> mark can be completely >>>missing while the hex of the code (80090308) will be there. >>> >>>The presence of "DSID-<number> ..." error message is regulated by >>>ulHideDSID character of the dsHeuristics attribute (MS-ADTS >>>6.1.1.2.4.1.2). So you can have Active Directory where DSID-<number> >>>string is completely missing but Win32 code for the error is there. >>> >> >>Alexander thanks for looking into this, but what we need is to >>distinguish between reasons for invalid credentials. >> >>e.g. >>Bind result: Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 773, v23f0 >>Bind result: Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 775, v23f0 >As I said, you should not rely on the information being available to you >as it might be disabled completely by the AD administrators in >ndsHeuristics attribute. > >What are you going to do when ulHideDSID flag is set to 1? The ticket is about providing extra info to user if account is locked. If we can't decide, we return generic access denied and generic message. Best afford attitude is fine here...IMO.

On 02/10/2016 11:46 AM, Alexander Bokovoy wrote: >On Wed, 10 Feb 2016, Pavel Reichl wrote: >> >> >>On 02/10/2016 11:06 AM, Alexander Bokovoy wrote: >>>On Wed, 10 Feb 2016, Pavel Reichl wrote: >>>>>>since getting those values requires to parse the string it would be nice >>>>>>to get some official details about the string. >>>>>Well, the string content after DSID-<number> mark can be completely >>>>>missing while the hex of the code (80090308) will be there. >>>>> >>>>>The presence of "DSID-<number> ..." error message is regulated by >>>>>ulHideDSID character of the dsHeuristics attribute (MS-ADTS >>>>>6.1.1.2.4.1.2). So you can have Active Directory where DSID-<number> >>>>>string is completely missing but Win32 code for the error is there. >>>>> >>>> >>>>Alexander thanks for looking into this, but what we need is to >>>>distinguish between reasons for invalid credentials. >>>> >>>>e.g. >>>>Bind result: Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 773, v23f0 >>>>Bind result: Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 775, v23f0 >>>As I said, you should not rely on the information being available to you >>>as it might be disabled completely by the AD administrators in >>>ndsHeuristics attribute. >>> >>>What are you going to do when ulHideDSID flag is set to 1? >>The ticket is about providing extra info to user if account is locked. >>If we can't decide, we return generic access denied and generic >>message. Best afford attitude is fine here...IMO. >That's fine but please add documentation about the behavior into the >commit message so that we would have this discussion recorded somehow. > OK, would this: """ This patch is best effort only as decision whether account is actually locked is based on parsing error message returned by AD. The format and content of this error message might be subject of change in future releases and also can be modified by AD administrators. """ appended to the commit message of the first patch work for you?

On 02/10/2016 02:34 PM, Alexander Bokovoy wrote: > On Wed, 10 Feb 2016, Pavel Reichl wrote: >> >> >> On 02/10/2016 11:46 AM, Alexander Bokovoy wrote: >>> On Wed, 10 Feb 2016, Pavel Reichl wrote: >>>> >>>> >>>> On 02/10/2016 11:06 AM, Alexander Bokovoy wrote: >>>>> On Wed, 10 Feb 2016, Pavel Reichl wrote: >>>>>>>> since getting those values requires to parse the string it would be >>>>>>>> nice >>>>>>>> to get some official details about the string. >>>>>>> Well, the string content after DSID-<number> mark can be completely >>>>>>> missing while the hex of the code (80090308) will be there. >>>>>>> >>>>>>> The presence of "DSID-<number> ..." error message is regulated by >>>>>>> ulHideDSID character of the dsHeuristics attribute (MS-ADTS >>>>>>> 6.1.1.2.4.1.2). So you can have Active Directory where DSID-<number> >>>>>>> string is completely missing but Win32 code for the error is there. >>>>>>> >>>>>> >>>>>> Alexander thanks for looking into this, but what we need is to >>>>>> distinguish between reasons for invalid credentials. >>>>>> >>>>>> e.g. >>>>>> Bind result: Invalid credentials(49), 80090308: LdapErr: >>>>>> DSID-0C0903C5, comment: AcceptSecurityContext error, data 773, v23f0 >>>>>> Bind result: Invalid credentials(49), 80090308: LdapErr: >>>>>> DSID-0C0903C5, comment: AcceptSecurityContext error, data 775, v23f0 >>>>> As I said, you should not rely on the information being available to >>>>> you >>>>> as it might be disabled completely by the AD administrators in >>>>> ndsHeuristics attribute. >>>>> >>>>> What are you going to do when ulHideDSID flag is set to 1? >>>> The ticket is about providing extra info to user if account is locked. >>>> If we can't decide, we return generic access denied and generic >>>> message. Best afford attitude is fine here...IMO. >>> That's fine but please add documentation about the behavior into the >>> commit message so that we would have this discussion recorded somehow. >>> >> >> OK, would this: >> >> """ >> This patch is best effort only as decision whether account is actually >> locked is based on parsing error message returned by AD. The format and >> content of this error message might be subject of change in future >> releases and also can be modified by >> AD administrators. >> """ >> >> appended to the commit message of the first patch work for you? > Please refer to specific parts of MS-ADTS I've mentioned. OK Alexander, would following work as commit message for you? This patch is best effort only as decision whether account is actually locked is based on parsing error message returned by AD. The format and content of this error message might be subject of change in future releases and also can be modified by AD administrators. If account is locked bind operation is expected to return following error message: ------------------------------------------------------------------------- Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 775, v23f0 ------------------------------------------------------------------------- Where sub string 'data 775' implies that account is locked (ERROR_ACCOUNT_LOCKED_OUT) [1]. However the 80090308 (error code 0x80090308, SEC_E_INVALID_TOKEN) is the only guaranteed part of error string [2]. Error message is described in further detail as [3]: ------------------------------------------------------------------------- When the server fails an LDAP operation with an error, and the server has sufficient resources to compute a string value for the errorMessage field of the LDAPResult, it includes a string in the errorMessage field of the LDAPResult (see [RFC2251] section 4.1.10). The string contains further information about the error. The first eight characters of the errorMessage string are a 32-bit integer, expressed in hexadecimal. Where protocol specifies the extended error code "<unrestricted>" there is no restriction on the value of the 32-bit integer. It is recommended that implementations use a Windows error code for the 32-bit integer in this case in order to improve usability of the directory for clients. Where protocol specifies an extended error code which is a Windows error code, the 32-bit integer is the specified Windows error code. Any data after the eighth character is strictly informational and used only for debugging. Conformant implementations need not put any value beyond the eighth character of the errorMessage field. ------------------------------------------------------------------------- [1] https://msdn.microsoft.com/en-us/library/windows/desktop/ms681386%28v=vs.... [2] https://social.msdn.microsoft.com/Forums/en-US/e1d600c8-60b7-4ed0-94cb-20... [3] MS-ADTS 3.1.1.3.1.9 https://msdn.microsoft.com/en-us/library/cc223253.aspx

On (11/02/16 15:30), Alexander Bokovoy wrote: > ----- Original Message ----- >> On 02/10/2016 02:34 PM, Alexander Bokovoy wrote: >>> On Wed, 10 Feb 2016, Pavel Reichl wrote: >>>> >>>> >>>> On 02/10/2016 11:46 AM, Alexander Bokovoy wrote: >>>>> On Wed, 10 Feb 2016, Pavel Reichl wrote: >>>>>> >>>>>> >>>>>> On 02/10/2016 11:06 AM, Alexander Bokovoy wrote: >>>>>>> On Wed, 10 Feb 2016, Pavel Reichl wrote: >>>>>>>>>> since getting those values requires to parse the string it would be >>>>>>>>>> nice >>>>>>>>>> to get some official details about the string. >>>>>>>>> Well, the string content after DSID-<number> mark can be completely >>>>>>>>> missing while the hex of the code (80090308) will be there. >>>>>>>>> >>>>>>>>> The presence of "DSID-<number> ..." error message is regulated by >>>>>>>>> ulHideDSID character of the dsHeuristics attribute (MS-ADTS >>>>>>>>> 6.1.1.2.4.1.2). So you can have Active Directory where DSID-<number> >>>>>>>>> string is completely missing but Win32 code for the error is there. >>>>>>>>> >>>>>>>> >>>>>>>> Alexander thanks for looking into this, but what we need is to >>>>>>>> distinguish between reasons for invalid credentials. >>>>>>>> >>>>>>>> e.g. >>>>>>>> Bind result: Invalid credentials(49), 80090308: LdapErr: >>>>>>>> DSID-0C0903C5, comment: AcceptSecurityContext error, data 773, v23f0 >>>>>>>> Bind result: Invalid credentials(49), 80090308: LdapErr: >>>>>>>> DSID-0C0903C5, comment: AcceptSecurityContext error, data 775, v23f0 >>>>>>> As I said, you should not rely on the information being available to >>>>>>> you >>>>>>> as it might be disabled completely by the AD administrators in >>>>>>> ndsHeuristics attribute. >>>>>>> >>>>>>> What are you going to do when ulHideDSID flag is set to 1? >>>>>> The ticket is about providing extra info to user if account is locked. >>>>>> If we can't decide, we return generic access denied and generic >>>>>> message. Best afford attitude is fine here...IMO. >>>>> That's fine but please add documentation about the behavior into the >>>>> commit message so that we would have this discussion recorded somehow. >>>>> >>>> >>>> OK, would this: >>>> >>>> """ >>>> This patch is best effort only as decision whether account is actually >>>> locked is based on parsing error message returned by AD. The format and >>>> content of this error message might be subject of change in future >>>> releases and also can be modified by >>>> AD administrators. >>>> """ >>>> >>>> appended to the commit message of the first patch work for you? >>> Please refer to specific parts of MS-ADTS I've mentioned. >> OK Alexander, would following work as commit message for you? >> >> >> >> This patch is best effort only as decision whether account is actually locked >> is based on parsing error message returned by AD. The format and content of >> this error message might be subject of change in future releases and also >> can be modified by AD >> administrators. >> >> If account is locked bind operation is expected to return following error >> message: >> >> ------------------------------------------------------------------------- >> Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment: >> AcceptSecurityContext error, data 775, v23f0 >> ------------------------------------------------------------------------- >> >> Where sub string 'data 775' implies that account is locked >> (ERROR_ACCOUNT_LOCKED_OUT) [1]. However the 80090308 (error code 0x80090308, >> SEC_E_INVALID_TOKEN) is the only guaranteed part of error string [2]. >> >> Error message is described in further detail as [3]: >> ------------------------------------------------------------------------- >> When the server fails an LDAP operation with an error, and the server has >> sufficient resources to compute a string value for the errorMessage field of >> the LDAPResult, it includes a string in the errorMessage field of the >> LDAPResult (see [RFC2251] >> section 4.1.10). The string contains further information about the error. >> >> The first eight characters of the errorMessage string are a 32-bit integer, >> expressed in hexadecimal. Where protocol specifies the extended error code >> "<unrestricted>" there is no restriction on the value of the 32-bit integer. >> It is recommended >> that implementations use a Windows error code for the 32-bit integer in this >> case in order to improve usability of the directory for clients. Where >> protocol specifies an extended error code which is a Windows error code, the >> 32-bit integer is the >> specified Windows error code. Any data after the eighth character is >> strictly informational and used only for debugging. Conformant >> implementations need not put any value beyond the eighth character of the >> errorMessage field. >> ------------------------------------------------------------------------- >> >> [1] >> https://msdn.microsoft.com/en-us/library/windows/desktop/ms681386%28v=vs.... >> [2] >> https://social.msdn.microsoft.com/Forums/en-US/e1d600c8-60b7-4ed0-94cb-20... >> [3] MS-ADTS 3.1.1.3.1.9 >> https://msdn.microsoft.com/en-us/library/cc223253.aspx > Pavel, this is great!

> I like it too.

Please do not forget to use just 72 columns in commit message http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html

It would be also godd to add links to the related code "data 775".

On (12/02/16 12:54), Pavel Reichl wrote: > > > On 02/12/2016 09:00 AM, Lukas Slebodnik wrote: >> On (11/02/16 15:30), Alexander Bokovoy wrote: >>> ----- Original Message ----- >>>> On 02/10/2016 02:34 PM, Alexander Bokovoy wrote: >>>>> On Wed, 10 Feb 2016, Pavel Reichl wrote: >>>>>> >>>>>> >>>>>> On 02/10/2016 11:46 AM, Alexander Bokovoy wrote: >>>>>>> On Wed, 10 Feb 2016, Pavel Reichl wrote: >>>>>>>> >>>>>>>> >>>>>>>> On 02/10/2016 11:06 AM, Alexander Bokovoy wrote: >>>>>>>>> On Wed, 10 Feb 2016, Pavel Reichl wrote: >>>>>>>>>>>> since getting those values requires to parse the string it would be >>>>>>>>>>>> nice >>>>>>>>>>>> to get some official details about the string. >>>>>>>>>>> Well, the string content after DSID-<number> mark can be completely >>>>>>>>>>> missing while the hex of the code (80090308) will be there. >>>>>>>>>>> >>>>>>>>>>> The presence of "DSID-<number> ..." error message is regulated by >>>>>>>>>>> ulHideDSID character of the dsHeuristics attribute (MS-ADTS >>>>>>>>>>> 6.1.1.2.4.1.2). So you can have Active Directory where DSID-<number> >>>>>>>>>>> string is completely missing but Win32 code for the error is there. >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Alexander thanks for looking into this, but what we need is to >>>>>>>>>> distinguish between reasons for invalid credentials. >>>>>>>>>> >>>>>>>>>> e.g. >>>>>>>>>> Bind result: Invalid credentials(49), 80090308: LdapErr: >>>>>>>>>> DSID-0C0903C5, comment: AcceptSecurityContext error, data 773, v23f0 >>>>>>>>>> Bind result: Invalid credentials(49), 80090308: LdapErr: >>>>>>>>>> DSID-0C0903C5, comment: AcceptSecurityContext error, data 775, v23f0 >>>>>>>>> As I said, you should not rely on the information being available to >>>>>>>>> you >>>>>>>>> as it might be disabled completely by the AD administrators in >>>>>>>>> ndsHeuristics attribute. >>>>>>>>> >>>>>>>>> What are you going to do when ulHideDSID flag is set to 1? >>>>>>>> The ticket is about providing extra info to user if account is locked. >>>>>>>> If we can't decide, we return generic access denied and generic >>>>>>>> message. Best afford attitude is fine here...IMO. >>>>>>> That's fine but please add documentation about the behavior into the >>>>>>> commit message so that we would have this discussion recorded somehow. >>>>>>> >>>>>> >>>>>> OK, would this: >>>>>> >>>>>> """ >>>>>> This patch is best effort only as decision whether account is actually >>>>>> locked is based on parsing error message returned by AD. The format and >>>>>> content of this error message might be subject of change in future >>>>>> releases and also can be modified by >>>>>> AD administrators. >>>>>> """ >>>>>> >>>>>> appended to the commit message of the first patch work for you? >>>>> Please refer to specific parts of MS-ADTS I've mentioned. >>>> OK Alexander, would following work as commit message for you? >>>> >>>> >>>> >>>> This patch is best effort only as decision whether account is actually locked >>>> is based on parsing error message returned by AD. The format and content of >>>> this error message might be subject of change in future releases and also >>>> can be modified by AD >>>> administrators. >>>> >>>> If account is locked bind operation is expected to return following error >>>> message: >>>> >>>> ------------------------------------------------------------------------- >>>> Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment: >>>> AcceptSecurityContext error, data 775, v23f0 >>>> ------------------------------------------------------------------------- >>>> >>>> Where sub string 'data 775' implies that account is locked >>>> (ERROR_ACCOUNT_LOCKED_OUT) [1]. However the 80090308 (error code 0x80090308, >>>> SEC_E_INVALID_TOKEN) is the only guaranteed part of error string [2]. >>>> >>>> Error message is described in further detail as [3]: >>>> ------------------------------------------------------------------------- >>>> When the server fails an LDAP operation with an error, and the server has >>>> sufficient resources to compute a string value for the errorMessage field of >>>> the LDAPResult, it includes a string in the errorMessage field of the >>>> LDAPResult (see [RFC2251] >>>> section 4.1.10). The string contains further information about the error. >>>> >>>> The first eight characters of the errorMessage string are a 32-bit integer, >>>> expressed in hexadecimal. Where protocol specifies the extended error code >>>> "<unrestricted>" there is no restriction on the value of the 32-bit integer. >>>> It is recommended >>>> that implementations use a Windows error code for the 32-bit integer in this >>>> case in order to improve usability of the directory for clients. Where >>>> protocol specifies an extended error code which is a Windows error code, the >>>> 32-bit integer is the >>>> specified Windows error code. Any data after the eighth character is >>>> strictly informational and used only for debugging. Conformant >>>> implementations need not put any value beyond the eighth character of the >>>> errorMessage field. >>>> ------------------------------------------------------------------------- >>>> >>>> [1] >>>> https://msdn.microsoft.com/en-us/library/windows/desktop/ms681386%28v=vs.... >>>> [2] >>>> https://social.msdn.microsoft.com/Forums/en-US/e1d600c8-60b7-4ed0-94cb-20... >>>> [3] MS-ADTS 3.1.1.3.1.9 >>>> https://msdn.microsoft.com/en-us/library/cc223253.aspx >>> Pavel, this is great! > > Happy to hear that, thanks for checking the MS-ADTS. > >>> >> I like it too. > > Good :-) > >> >> Please do not forget to use just 72 columns in commit message >> http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html > > Sure. >> >> It would be also godd to add links to the related code "data 775". > > Did you miss: "... Where sub string 'data 775' implies that account is locked (ERROR_ACCOUNT_LOCKED_OUT) [1]. ..." or you would like me to reword it? > I meant that simple comment in related code might be useful too. As we have in other places in code. e.g. src/providers/ldap/sdap_async.h 342 /* OID documented in 343 * http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.8 5%29.aspx 344 */ 345 #define SDAP_MATCHING_RULE_IN_CHAIN "1.2.840.113556.1.4.1941" And If someone would like to see more details then they can be found either in commit message or in provided links.

On Wed, Feb 10, 2016 at 11:38:34AM +0200, Alexander Bokovoy wrote: > On Wed, 10 Feb 2016, Sumit Bose wrote: > >On Wed, Feb 10, 2016 at 10:45:39AM +0200, Alexander Bokovoy wrote: > >>On Wed, 10 Feb 2016, Alexander Bokovoy wrote: > >>>On Mon, 08 Feb 2016, Sumit Bose wrote: > >>>>On Mon, Feb 08, 2016 at 10:34:16AM +0100, Pavel Reichl wrote: > >>>>> > >>>>> > >>>>>On 02/05/2016 03:16 PM, Lukas Slebodnik wrote: > >>>>>>> > >>>>>>The ticket is about "SSSD should be about to display message to the user when > >>>>>>the account in Active Directory is 'locked out'" > >>>>>> > >>>>>>If the string is not standardized among AD versions > >>>>>>than this ticket is NOT solved. > >>>>> > >>>>>So what do you propose? Rename ticket to contain version of tested > >>>>>AD? Or should we say user that although we have fix that would work > >>>>>for him it might not work for all AD versions so we won't provide it? > >>>>> > >>>>>Can we ask our QA to test on all AD version they can lay their hands on? > >>>>> > >>>>>> > >>>>>>>>Could you add link to msdn documentation where it is described that this string > >>>>>>>>is guaranted to be returned in such case? > >>>>>>> > >>>>>>>It's not MSDN, but: > >>>>>>> http://www-01.ibm.com/support/docview.wss?uid=swg21290631 > >>>>>>I would prefer official documantation (msdn) in code ar at least in > >>>>>>commit message. > >>>>> > >>>>>We don't have any and it's possible it's not publicly documented. > >>>> > >>>>The '755' in the message is a specific error code of some AD > >>>>calls which can be seen by the link Dan send. So I guess this will not > >>>>change. > >>>> > >>>>While I can make sense of some part of the remaining error string (yes, > >>>>it is just a string send with the LDAP bind response) I didn't found any > >>>>general description of the format and the components of the error string > >>>>on the MSFT sites. > >>>You should use error code 0x80090308, SEC_E_INVALID_TOKEN. The 80090308 > >>>should be in the error string and this is what you have to compare > >>>against. > >>> > >>>https://social.msdn.microsoft.com/Forums/en-US/e1d600c8-60b7-4ed0-94cb-20ddd6c1a1c6/msadts-user-locking-password-policies?forum=os_windowsprotocols > >>>----------------------------------------------------------------------- > >>>Regarding the references in MS-ADTS on how account lockout policy is > >>>applied on Bind requests, I reported this as a document bug to the > >>>product team to request references being added. > >>> > >>>For LDAP errors returned by the server on a Simple Bind when the account > >>>is locked, the error is the same as if the Bind provided a wrong > >>>password. Windows Active Directory returns the LDAP error > >>>invalidCredentials. > >>> > >>>LDAP Bind Response error codes are documented in RFC2251 4.2.3.. > >>>Examples of errors are operationsError , strongAuthRequired, > >>>inappropriateAuthentication, invalidCredentials, unavailable. > >>> > >>>RFC2251 > >>>4.2.3. Bind Response > >>>- invalidCredentials: the wrong password was supplied or the SASL > >>> credentials could not be processed. > >>>The extended error information looks like this: > >>>----------- > >>>res = ldap_simple_bind_s(ld, 'contoso3\user1', <unavailable>); // v.3 > >>>Error <49>: ldap_simple_bind_s() failed: Invalid Credentials > >>>Server error: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db0 > >>>Error 0x80090308 The token supplied to the function is invalid > >>>----------- > >>> > >>>MS-ERREF > >>>0x80090308 SEC_E_INVALID_TOKEN The token supplied to the function is > >>>invalid. > >>> > >>>The product team will be reflecting this in a future refresh of the > >>>MS-ADTS document. > >>>----------------------------------------------------------------------- > >>> > >>>>Alexander, do you think it would make sense to ask MSFT to enhance the > >>>>documentation of the LDAP error message format? And if yes, is sending > >>>>an email to dochelp(a)microsoft.com sufficient or this there a more > >>>>elaborate process? > >>>I'll check with Edgar on why this piece is still missing from MS-ADTS > >>>five years after. ;) > >>So I re-read MS-ADTS and section 3.1.1.3.1.9 "Error Message Strings" > >>has all the information: > >>----------------------------------------------------------------------- > >>When the server fails an LDAP operation with an error, and the server > >>has sufficient resources to compute a string value for the errorMessage > >>field of the LDAPResult, it includes a string in the errorMessage field > >>of the LDAPResult (see [RFC2251] section 4.1.10). The string contains > >>further information about the error. > >> > >>The first eight characters of the errorMessage string are a 32-bit > >>integer, expressed in hexadecimal. Where protocol specifies the extended > >>error code "<unrestricted>" there is no restriction on the value of the > >>32-bit integer. It is recommended that implementations use a Windows > >>error code for the 32-bit integer in this case in order to improve > >>usability of the directory for clients. Where protocol specifies an > >>extended error code which is a Windows error code, the 32- bit integer > >>is the specified Windows error code. Any data after the eighth character > >>is strictly informational and used only for debugging. Conformant > >>implementations need not put any value beyond the eighth character of > >>the errorMessage field. > >>------------------------------------------------------------------------ > >> > >>So, my comment stands: check for "80090308" in the beginning of > >>errorMessage string. > > > >Hi Alexander, > > > >thank you for reaching out to MSFT for enhancing the docs. But I'm > >afraid just checking for 80090308 is not sufficient as you can see from > >http://www-01.ibm.com/support/docview.wss?uid=swg21290631 . The value > >behind the 'data' string is really important to find out the real reason > >for the denial. The values themselve like (0x)701, (0x)773 or (0x)775 > >are documented as well (although I do not have the link at hand). But > >since getting those values requires to parse the string it would be nice > >to get some official details about the string. > Well, the string content after DSID-<number> mark can be completely > missing while the hex of the code (80090308) will be there. > > The presence of "DSID-<number> ..." error message is regulated by > ulHideDSID character of the dsHeuristics attribute (MS-ADTS > 6.1.1.2.4.1.2). So you can have Active Directory where DSID-<number> > string is completely missing but Win32 code for the error is there. Interesting, so it is basically a best effort. If there server sends sufficient information which we know and can handle we can tell the user that his account is locked and that he has to try later. Otherwise he will just see an authentication error. But I think this is fine and the current version of the patch already behaves like this.