Authentications failing with WRONG_PASSWORD should not update the badPwdCount
if the password was in the recent password history.
Often SMB clients like e.g. Windows, but maybe also others have a long lasting
connection to a server. If the connection gets disconnected or causes NETWORK_SESSION_EXPIRED the client tries to reconnect/reauthenticate without
prompting the user for credentials, they assume the password is still the same.
But if the password was changed (by another client) in the meantime, the authentication with the old password will fail and would easily lock out
the account. I saw Windows trying 8 times within one second.
With NTLM and plaintext authentication we already check the password history,
We currently don't have that logic in the KDC, which is wrong and
can cause an account to be locked out. Note that the auth_audit
logging is not triggered for Kerberos with ACCOUNT_LOCKED_OUT.
A Windows KDC has such a logic so we should have something similar.
We also need to find out if "old password allowed period" applies
to this on the KDC, but I don't think so as it's like an interactive
Work in progress patches can be found in the merge request:
Confirmed with 4.10.7 and samba-tool domain passwordsettings set --account-lockout-threshold=5
now conts correctly, with 4.4.5 was failing and now works