Bug 14054 - Kerberos Pre-Authentication updates badPwdCount for the 2 newest passwords in the history and results in ACCOUNT_LOCKED_OUT
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.11.0rc1
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
URL: https://gitlab.com/samba-team/samba/m...
Reported: 2019-07-26 07:54 UTC by Stefan Metzmacher
Modified: 2023-06-25 14:58 UTC
Description Stefan Metzmacher 2019-07-26 07:54:27 UTC
Authentications failing with WRONG_PASSWORD should not update the badPwdCount
if the password was in the recent password history.

Often SMB clients, e.g. Windows but maybe also others, have a long-lasting
connection to a server. If the connection gets disconnected or causes NETWORK_SESSION_EXPIRED, the client tries to reconnect/reauthenticate without
prompting the user for credentials; they assume the password is still the same.
But if the password was changed (by another client) in the meantime, the authentication with the old password will fail and would easily lock out
the account. I saw Windows trying 8 times within one second.

With NTLM and plaintext authentication we already check the password history,
see authsam_password_check_and_record.

We currently don't have that logic in the KDC, which is wrong and
can cause an account to be locked out. Note that the auth_audit
logging is not triggered for Kerberos with ACCOUNT_LOCKED_OUT.

A Windows KDC has such a logic so we should have something similar.

We also need to find out if "old password allowed period" applies
to this on the KDC, but I don't think so as it's like an interactive
authentication.
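The badPwdCount behaviour the description asks for, as an added model (not Samba's code and not the authsam_password_check_and_record implementation): a failed authentication whose password matches one of the two newest history entries leaves badPwdCount untouched, and the reconnect storm of 8 retries against a lockout threshold of 5 is replayed with and without that check. All names are hypothetical, the passwords are constructed samples, and SHA-256 stands in for the NT hash.

```python
import hashlib
from dataclasses import dataclass, field
# Stand-in for the NT hash (Samba stores MD4 of the UTF-16LE password, which
# many Python builds cannot compute); SHA-256 is used here only for the model.
def pw_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()

@dataclass
class Account:
    current: bytes                               # hash of the current password
    history: list = field(default_factory=list)  # previous hashes, newest first
    bad_pwd_count: int = 0
    locked_out: bool = False

def change_password(acct: Account, new_password: str) -> None:
    """Rotate the current hash into the history, newest first."""
    acct.history.insert(0, acct.current)
    acct.current = pw_hash(new_password)

def check_and_record(acct: Account, password: str, lockout_threshold: int,
                     check_history: bool = True, history_depth: int = 2) -> str:
    """Return 'OK', 'WRONG_PASSWORD' or 'ACCOUNT_LOCKED_OUT'.
    check_history=True mirrors the NTLM/plaintext path from the description: a
    wrong password matching one of the `history_depth` newest history entries
    leaves badPwdCount alone. False behaves like the KDC before the fix."""
    if acct.locked_out:
        return "ACCOUNT_LOCKED_OUT"
    h = pw_hash(password)
    if h == acct.current:
        acct.bad_pwd_count = 0
        return "OK"
    if check_history and h in acct.history[:history_depth]:
        return "WRONG_PASSWORD"   # stale credential from a reconnecting client
    acct.bad_pwd_count += 1
    if lockout_threshold and acct.bad_pwd_count >= lockout_threshold:
        acct.locked_out = True
        return "ACCOUNT_LOCKED_OUT"
    return "WRONG_PASSWORD"

def simulate_reconnect_storm(check_history: bool, attempts: int = 8, threshold: int = 5):
    """A client retries `attempts` times with the old password after a change."""
    acct = Account(current=pw_hash("Spring2019!"))   # constructed sample passwords
    change_password(acct, "Summer2019!")             # changed by another client
    results = [check_and_record(acct, "Spring2019!", threshold, check_history)
               for _ in range(attempts)]
    return acct.bad_pwd_count, acct.locked_out, results

if __name__ == "__main__":
    print("KDC before the fix:", simulate_reconnect_storm(check_history=False)[:2])
    print("with history check:", simulate_reconnect_storm(check_history=True)[:2])
```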
Comment 1 Stefan Metzmacher 2019-07-31 11:44:13 UTC
Work in progress patches can be found in the merge request:
https://gitlab.com/samba-team/samba/merge_requests/664
Comment 2 trenta 2019-09-06 08:29:40 UTC
Confirmed with 4.10.7 and samba-tool domain passwordsettings set --account-lockout-threshold=5

Now counts correctly; with 4.4.5 it was failing and now it works.
Comment 3 Samba QA Contact 2022-03-24 10:18:14 UTC
This bug was referenced in samba master:

788ccb8cb99f56128331d98ec08c521547b98232
d062225e25c85c942f79ce426a003d122b69ae9b
5f28a9481f45903d9d7a405f89ead314dbebd775
01e7425fab7fcd8887dbd25c7179bb6669853fae
Comment 4 Samba QA Contact 2023-06-24 07:19:06 UTC
This bug was referenced in samba master:

370ba4ad527b67555f69c2bc4b92effe0cc7169d
28cf6c706760894b7c0c65d4f5307d333d194154
d4007b0ef9f745a4881588ef1b8185d6b53025ee
a75378e354286d095d82f644d645768345cd00fb
Comment 5 Stefan Metzmacher 2023-06-25 14:58:50 UTC
This will be fixed in 4.19