Bug 11539 - Bad Password attempt counts double
Summary: Bad Password attempt counts double
Status: RESOLVED DUPLICATE of bug 11029
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.3.0
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2015-10-02 05:53 UTC by Kelvin Yip
Modified: 2016-07-29 02:38 UTC

See Also:

Attachments:
windows7_login.pcap (3.43 KB, application/vnd.tcpdump.pcap), 2015-12-29 12:11 UTC, Stefan Gohmann
log.samba.gz (28.58 KB, application/x-compressed-tar), 2015-12-29 12:12 UTC, Stefan Gohmann
ad_w2k8r2_windows7_login.pcap (2.56 KB, application/vnd.tcpdump.pcap), 2015-12-29 13:22 UTC, Stefan Gohmann
Patch to return enc data on preauth failed (6.68 KB, patch), 2016-01-08 00:41 UTC, Garming Sam

Description Kelvin Yip 2015-10-02 05:53:18 UTC
I have used the following command to configure the password policy on the Samba 4.3 AD server.

/usr/local/samba/bin/samba-tool domain passwordsettings set --account-lockout-threshold=3

If a user on a Windows 7 workstation logs on to the Samba server and types a wrong password only once, the Samba 4 server counts the bad password attempt 2 or 3 times, and the user account is locked out.

Would you please investigate this issue?
Comment 1 Stefan Gohmann 2015-12-29 12:11:30 UTC
I was able to reproduce it with Samba 4.3.3. Attached you'll find a tcpdump and samba log with debug level 12. I tested with testuser2.
Comment 2 Stefan Gohmann 2015-12-29 12:11:50 UTC
Created attachment 11748
Comment 3 Stefan Gohmann 2015-12-29 12:12:07 UTC
Created attachment 11749
Comment 4 Stefan Gohmann 2015-12-29 13:22:30 UTC
Created attachment 11750

I've joined the Windows 7 client into a Windows 2008 R2 Microsoft based Active Directory domain. Attached you can find the Wireshark trace of a failed login at the Windows 7 client. The badPwdCount was correctly increased by 1.
Comment 5 Garming Sam 2016-01-08 00:41:27 UTC
Created attachment 11761
Patch to return enc data on preauth failed

The issue appears to be that in the preauth failed case, the e-data is not returned to the client. Failing to do so against Windows causes it to reissue a second AS-REQ, resulting in a second failure (incrementing the password lockout count twice).
Comment 6 Stefan Metzmacher 2016-01-08 07:05:53 UTC
(In reply to Garming Sam from comment #5)

In the capture Windows only returns PA-ETYPE-INFO2, and it returns no e-text in both replies.

I think at least with the pa types we should match.
Comment 7 Garming Sam 2016-01-17 22:27:29 UTC
(In reply to Stefan Metzmacher from comment #6)

The adjacent comment in the code regarding the types returned says:

RFC4120 requires:
- If the client only knows about old enctypes, then send
  both info replies (we send 'info' first in the list).
- If the client is 'modern', because it knows about 'new'
  enctype types, then only send the 'info2' reply.

Before we send the full list of etype-info data, we pick
the client key we would have used anyway below, just pick
that instead.

The reason it doesn't return only info2 is possibly a wider issue. Andrew seemed to suggest the AES handling which Andreas picked up on in Heimdal. In which case, fixing it to return info2 may not actually be all that desirable.
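As an added illustration of the e-data check discussed in comments 5 to 7 (example code written for this page, not Samba's KDC code and not anything the commenters posted), the following Python walker reads a DER-encoded KRB-ERROR and reports whether its e-data carries PA-ETYPE-INFO or PA-ETYPE-INFO2. The tag numbers come from RFC 4120; the sample messages are constructed and deliberately carry only the fields the check reads.

```python
# Constructed example: a minimal DER walker that reports whether a KRB-ERROR carries
# e-data with PA-ETYPE-INFO (11) or PA-ETYPE-INFO2 (19); tags follow RFC 4120 5.9.1.
KDC_ERR_PREAUTH_FAILED, PA_ETYPE_INFO, PA_ETYPE_INFO2 = 24, 11, 19
APP30, SEQ, OCTETS, INT = 0x7E, 0x30, 0x04, 0x02   # KRB-ERROR is [APPLICATION 30] SEQUENCE

def ctx(n):   # context-specific constructed tag [n], single-byte form (n < 31)
    return 0xA0 | n
def tlv(tag, body):   # builder: short-form length only (test messages stay under 128 bytes)
    return bytes([tag, len(body)]) + body
def der_int(v):   # two's-complement INTEGER of minimal length
    return tlv(INT, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def parse_tlv(buf, pos=0):   # -> (tag, value, end); long-form lengths ok, single-byte tags only
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(buf):   # (tag, value) for each element of a constructed body
    pos = 0
    while pos < len(buf):
        tag, val, pos = parse_tlv(buf, pos)
        yield tag, val

def error_code_and_padata_types(krb_error):
    """Return (error-code, [padata-type, ...]); the list is empty when e-data is absent."""
    tag, body, _ = parse_tlv(krb_error)
    assert tag == APP30, "not a KRB-ERROR"
    fields = dict(children(parse_tlv(body)[1]))          # context tag -> field DER
    code = int.from_bytes(parse_tlv(fields[ctx(6)])[1], "big", signed=True)
    types = []
    if ctx(12) in fields:                                 # [12] e-data OCTET STRING
        method_data = parse_tlv(fields[ctx(12)])[1]       # METHOD-DATA ::= SEQUENCE OF PA-DATA
        for _, padata in children(parse_tlv(method_data)[1]):
            pa = dict(children(padata))                   # [1] padata-type, [2] padata-value
            types.append(int.from_bytes(parse_tlv(pa[ctx(1)])[1], "big"))
    return code, types

def lacks_etype_info(krb_error):   # the reply shape comment 5 describes: no etype hint at all
    code, types = error_code_and_padata_types(krb_error)
    return code == KDC_ERR_PREAUTH_FAILED and not {PA_ETYPE_INFO, PA_ETYPE_INFO2} & set(types)

def build_krb_error(error_code, padata_types=()):
    # Constructed KRB-ERROR with only the fields read above (a real one also carries stime,
    # realm, sname, ...); each padata-value is left empty rather than a full ETYPE-INFO2 body.
    fields = [tlv(ctx(0), der_int(5)), tlv(ctx(1), der_int(30)), tlv(ctx(6), der_int(error_code))]
    if padata_types:
        pas = b"".join(tlv(SEQ, tlv(ctx(1), der_int(t)) + tlv(ctx(2), tlv(OCTETS, b"")))
                       for t in padata_types)
        fields.append(tlv(ctx(12), tlv(OCTETS, tlv(SEQ, pas))))
    return tlv(APP30, tlv(SEQ, b"".join(fields)))
```

Against a real capture, feed the KRB-ERROR bytes from the UDP or TCP payload to error_code_and_padata_types; a PREAUTH_FAILED reply for which lacks_etype_info returns True is the shape that makes the Windows client retry.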
Comment 8 Andrew Bartlett 2016-07-29 02:38:28 UTC

*** This bug has been marked as a duplicate of bug 11029 ***