================================================================
== Subject:     Bad password count in AD DC not always effective
==
== CVE ID#:
==
== Versions:    Samba 4.9.0 and later
==
== Summary:     AD DC configurations watching for bad passwords (to
==              restrict brute forcing of passwords) in a window of
==              more than 15 minutes will instead not watch for bad
==              passwords at all.
================================================================

===========
Description
===========

By default, Samba will remember bad passwords for 30 minutes, e.g.:

$ samba-tool domain passwordsettings show
...
Reset account lockout after (mins): 30

This is also known as the 'bad password observation window' and is
configured in the lockOutObservationWindow attribute on the domain DN
or in a fine-grained password policy (also known as a Password
Settings Object - PSO).

If this value is set to more than 15 minutes, the effective value seen
by the Samba code counting bad passwords is 0, meaning no bad
passwords are counted in the badPwdCount attribute (it remains at 1).
In such situations, bad password lockout would be ineffective.

The primary risk from this issue is to domains that have been upgraded
from Samba 4.8 and earlier. In these cases the manual testing done to
confirm that an organisation's password policies apply as expected may
not have been repeated after the upgrade.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 4.9.3 has been issued as a security release to
correct the defect. Samba administrators are advised to upgrade to
this release or apply the patch as soon as possible.
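The condition described above can be checked against saved `samba-tool domain passwordsettings show` output. The following is an added example, not part of the advisory or of Samba itself; the sample output is constructed, and the 15-minute boundary is taken from the description above.

```python
"""Flag an AD DC password policy hit by the observation-window defect."""
import re

# Constructed sample of `samba-tool domain passwordsettings show` output
# (not captured from a live DC). Only the two lockout lines are consulted.
SAMPLE_OUTPUT = """\
Password information for domain 'DC=example,DC=test'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
"""

# Per the advisory: a window above 15 minutes makes badPwdCount stop counting.
MAX_EFFECTIVE_WINDOW_MINUTES = 15


def parse_settings(text):
    """Return {label: int} for every 'label: <integer>' line in the output."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?):\s*(\d+)\s*$", line)
        if m:
            settings[m.group(1).strip()] = int(m.group(2))
    return settings


def assess(text):
    """Classify a policy as 'not_configured', 'unknown', 'affected' or 'ok'.

    The same check must be repeated for each fine-grained policy (PSO),
    since a PSO carries its own lockOutObservationWindow.
    """
    s = parse_settings(text)
    threshold = s.get("Account lockout threshold (attempts)", 0)
    window = s.get("Reset account lockout after (mins)")
    if threshold == 0:
        return "not_configured"      # lockout disabled: nothing to count anyway
    if window is None:
        return "unknown"             # line missing: cannot judge
    if window > MAX_EFFECTIVE_WINDOW_MINUTES:
        return "affected"            # effective window is 0, lockout never triggers
    return "ok"
```

A result of "affected" means the threshold is set but will never be reached until the window is shortened or the fixed release is installed.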
=========================
Workaround and mitigation
=========================

Bad password lockout is not configured by default; it is only effective
if a threshold has been set with, e.g.:

    samba-tool domain passwordsettings set --account-lockout-threshold=3

To mitigate the issue, set a shorter 'Reset account lockout after'
window (the ineffective default is 30, anything less than 15 will work):

    samba-tool domain passwordsettings set --reset-account-lockout-after=15

NOTE: If a fine-grained password policy (PSO) is set, this must also be
done on each PSO.

=======
Credits
=======

Originally reported by Isaac Boukris.

Patches provided by Tim Beale of Catalyst and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================