Bug 3391 - Login with correct uid but faulty password results in 30 sec delay
Status: RESOLVED FIXED
Product: Samba 3.0
Component: Domain Control
Version: 3.0.21
Hardware/OS: x86 Windows 2000
Importance: P3 normal
Assigned To: Gerald (Jerry) Carter
Reported: 2006-01-10 08:26 UTC by Petter Osterlund
Modified: 2006-01-13 02:31 UTC

Attachments
samba log for when a W2K login delays by 30 sec (305.23 KB, application/octet-stream)
2006-01-10 08:29 UTC, Petter Osterlund
make sure we have the right access rights to query account policy settings (696 bytes, patch)
2006-01-12 11:50 UTC, Gerald (Jerry) Carter
Description Petter Osterlund 2006-01-10 08:26:29 UTC
Machine STOCKHOLM is PDC for domain SAMBA. LDAP
used as backend. Machine FYRPC271 (W2K) is joined to SAMBA.
Login, file access, printers etc all works just fine.

But when logging in using a correct uid but invalid password
there is a delay of 30 seconds before the message about
invalid password is displayed. The same happens if wrong
password is given when unlocking the screen lock.
If a faulty uid is given there is no delay.

The logfile shows that uid != 0 is not allowed to talk to LDAP.
In this case I tried to log in as user "root":

[2006/01/10 15:55:47, 9] passdb/passdb.c:pdb_update_autolock_flag(2338)
  pdb_update_autolock_flag: Account root not autolocked, no check needed
[2006/01/10 15:55:47, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user root
[2006/01/10 15:55:47, 10] lib/account_pol.c:account_policy_cache_timestamp(193)
  account policy cache lastset was: Tue, 10 Jan 2006 15:27:49 CET
[2006/01/10 15:55:47, 10] lib/account_pol.c:cache_account_policy_get(401)
  cache_account_policy_get: no valid cache entry (cache expired)
[2006/01/10 15:55:47, 10] passdb/pdb_ldap.c:ldapsam_get_account_policy_from_ldap(3405)
  ldapsam_get_account_policy_from_ldap
[2006/01/10 15:55:47, 5] lib/smbldap.c:smbldap_search_ext(1080)
  smbldap_search_ext: base => [sambaDomainName=SAMBA,dc=fyrplus,dc=se], filter => [(objectclass=*)], scope => [0]
[2006/01/10 15:55:47, 0] lib/smbldap.c:smbldap_open(922)
  smbldap_open: cannot access LDAP when not root..
[2006/01/10 15:55:47, 1] lib/smbldap.c:another_ldap_try(1051)
  Connection to LDAP server failed for the 1 try!
[2006/01/10 15:55:48, 0] lib/smbldap.c:smbldap_open(922)
  smbldap_open: cannot access LDAP when not root..
[2006/01/10 15:55:48, 1] lib/smbldap.c:another_ldap_try(1051)

....

[2006/01/10 15:56:02, 0] passdb/pdb_ldap.c:ldapsam_get_account_policy_from_ldap(3430)
  ldapsam_get_account_policy_from_ldap: Could not get account policy for sambaDomainName=SAMBA,dc=fyrplus,dc=se, error: Time limit exceeded ()
[2006/01/10 15:56:02, 10] passdb/pdb_ldap.c:ldapsam_get_account_policy(3484)
  ldapsam_get_account_policy: failed to retrieve from ldap, returning default.
[2006/01/10 15:56:02, 10] passdb/pdb_ldap.c:ldapsam_set_account_policy(3347)
  ldapsam_set_account_policy
[2006/01/10 15:56:02, 5] lib/smbldap.c:smbldap_modify(1254)
  smbldap_modify: dn => [sambaDomainName=SAMBA,dc=fyrplus,dc=se]
[2006/01/10 15:56:02, 0] lib/smbldap.c:smbldap_open(922)
  smbldap_open: cannot access LDAP when not root..
[2006/01/10 15:56:02, 1] lib/smbldap.c:another_ldap_try(1051)
  Connection to LDAP server failed for the 1 try!
[2006/01/10 15:56:03, 0] lib/smbldap.c:smbldap_open(922)
  smbldap_open: cannot access LDAP when not root..

...

[2006/01/10 15:56:17, 0] passdb/pdb_ldap.c:ldapsam_set_account_policy(3377)
  ldapsam_set_account_policy: Could not set account policy for sambaDomainName=SAMBA,dc=fyrplus,dc=se, error: Timed out ()
[2006/01/10 15:56:17, 0] passdb/passdb.c:pdb_increment_bad_password_count(2393)
  pdb_increment_bad_password_count: pdb_get_account_policy failed.
[2006/01/10 15:56:17, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1
[2006/01/10 15:56:17, 3] smbd/uid.c:push_conn_ctx(388)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2006/01/10 15:56:17, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/01/10 15:56:17, 5] auth/auth_util.c:debug_nt_user_token(433)
  NT user token: (NULL)
[2006/01/10 15:56:17, 5] auth/auth_util.c:debug_unix_user_token(454)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/01/10 15:56:17, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1846)
  ldapsam_update_sam_account: user root to be modified has dn: uid=root,ou=Users,dc=fyrplus,dc=se
[2006/01/10 15:56:17, 11] passdb/pdb_get_set.c:pdb_get_init_flags(210)
  element 12: SET

....


PS.
Although probably not the same problem, it is the same kind of log entries
(cannot access LDAP when not root..) as when a non uid=0 user tries to
change group membership in UsrMgr.exe even if he belongs to the Domain Admins
group and Domain Admins has all rights assigned (adding a user is OK but
not changing groups).
Comment 1 Petter Osterlund 2006-01-10 08:29:58 UTC
Created attachment 1659 [details]
samba log for when a W2K login delays by 30 sec

Log produced:
1. /etc/init.d/smb stop
2. Enable loglevel 20
3. /etc/init.d/smb start
4. Attempt to login from FYRPC271 using root and invalid password
Comment 2 William Jojo 2006-01-10 12:37:44 UTC
(In reply to comment #1)
> Created an attachment (id=1659) [edit]
> samba log for when a W2K login delays by 30 sec
> Log produced:
> 1. /etc/init.d/smb stop
> 2. Enable loglevel 20
> 3. /etc/init.d/smb start
> 4. Attempt to login from FYRPC271 using root and invalid password


What does it look like with a person other than root? Were NT hashes generated for the root user (login fails)? Also, what platform is this? Os? Ldap version? smb.conf?

Cheers,

Bill
Comment 3 Petter Osterlund 2006-01-11 00:34:31 UTC
> What does it look like with a person other than root? Were NT hashes generated
> for the root user (login fails)? Also, what platform is this? Os? Ldap version?
> smb.conf?

Linux:
 RedHat 8.0
 OpenLDAP 2.0.27
Client:
 Windows 2000 SP4
 
The exact same happens for testuser1 and testuser2. They are regular
users. See similar log below.

NT password hashes are OK. root, testuser1 and testuser2 can log in without
problems - if correct password is used. The side effect is that when entering
wrong password it takes 30 sec before a new attempt can be made. When doing
"net use" with faulty password I get a reject immediately.

The code that produces this behaviour is within "ifdefs" in smbldap.c:

#ifndef NO_LDAP_SECURITY
        if (geteuid() != 0) {
                DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"));
                return  LDAP_INSUFFICIENT_ACCESS;
        }
#endif

Haven't found any definition of what NO_LDAP_SECURITY is used for.
(I would guess that since the authentication fails the code still
 continues in some fashion and tries to read/update LDAP (failed
 login attempts perhaps), but the euid has not been set to 0 for
 this operation since the user is not authenticated...?)

Log from when logging in as testuser1:
--------
[2006/01/11 10:36:15, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user testuser1
[2006/01/11 10:36:15, 10] lib/account_pol.c:account_policy_cache_timestamp(193)
  account policy cache lastset was: Tue, 10 Jan 2006 17:38:23 CET
[2006/01/11 10:36:15, 10] lib/account_pol.c:cache_account_policy_get(401)
  cache_account_policy_get: no valid cache entry (cache expired)
[2006/01/11 10:36:15, 10] passdb/pdb_ldap.c:ldapsam_get_account_policy_from_ldap(3405)
  ldapsam_get_account_policy_from_ldap
[2006/01/11 10:36:15, 5] lib/smbldap.c:smbldap_search_ext(1080)
  smbldap_search_ext: base => [sambaDomainName=SAMBA,dc=fyrplus,dc=se], filter => [(objectclass=*)], scope => [0]
[2006/01/11 10:36:15, 0] lib/smbldap.c:smbldap_open(922)
  smbldap_open: cannot access LDAP when not root..
[2006/01/11 10:36:15, 1] lib/smbldap.c:another_ldap_try(1051)
  Connection to LDAP server failed for the 1 try!
[2006/01/11 10:36:16, 0] lib/smbldap.c:smbldap_open(922)
  smbldap_open: cannot access LDAP when not root..
[2006/01/11 10:36:16, 1] lib/smbldap.c:another_ldap_try(1051)
  Connection to LDAP server failed for the 2 try!
--------

Cheers Petter
Comment 4 Gerald (Jerry) Carter 2006-01-12 11:50:03 UTC
Created attachment 1675 [details]
make sure we have the right access rights to query account policy settings

Please test this patch and let me know.
Comment 5 Gerald (Jerry) Carter 2006-01-12 20:13:25 UTC
marking this as fixed.  Checking the code in for 3.0.21b
Comment 6 Gerald (Jerry) Carter 2006-01-12 20:15:09 UTC
actually closing it now.
Comment 7 Petter Osterlund 2006-01-13 01:35:00 UTC
(In reply to comment #6)
> actually closing it now.
> 

I applied the patch (added a missing { to get it to compile).
The problem is solved for me.

Hmm, also now tried 3.0.21a. With that version it is very hard to
reproduce my problem; I managed to reproduce it only one time.

Cheers Petter

Comment 8 Guenther Deschner 2006-01-13 02:31:57 UTC
Petter, in 3.0.21a, I removed the automatic assumption to have account policies being set in LDAP. If you want to use account policies as part of your ldapsam environment, you need to export your tdb-based account policies with

      pdbedit -y -i tdbsam: -e ldapsam:ldap://your.ldap.server

Jerry, I still need to a) document that behaviour/feature and b) look for other places where pdb_(get|set)_account_policy() calls need a become_root/unbecome_root.
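The timing in the reporter's log and the become_root/unbecome_root point in the comment above can be checked against a small model. The following C program is an added example written for this page, not Samba code and not the attached patch: the effective uid and the wall clock are simulated, and the two constants (one reconnect per second, a 15-second limit per LDAP operation) are assumptions read off the log timestamps (15:55:47 to 15:56:02 for the read, 15:56:02 to 15:56:17 for the write-back of the default). It shows why a wrong password costs 30 seconds when the account-policy lookup runs in the unauthenticated sec_ctx (99,99), why it costs nothing once the lookup is bracketed in become_root()/unbecome_root(), and that the bracket must hand the privilege back afterwards.

```c
#include <stdio.h>

/* Constructed model of this bug's failure path; none of this is Samba's
 * real code.  The effective uid and the clock are simulated so the
 * timing can be reasoned about deterministically. */

#define LDAP_SUCCESS              0
#define LDAP_INSUFFICIENT_ACCESS 50
#define LDAP_TIMEOUT            (-1)

/* Assumptions taken from the log timestamps: one connection attempt per
 * second, and each policy operation gives up after 15 seconds. */
#define LDAP_RETRY_DELAY_SEC      1
#define LDAP_OP_TIMEOUT_SEC      15

static int sim_euid   = 99;  /* sec_ctx (99,99): the unauthenticated session */
static int sim_clock  = 0;   /* virtual seconds */
static int saved_euid = 99;

static void become_root(void)   { saved_euid = sim_euid; sim_euid = 0; }
static void unbecome_root(void) { sim_euid = saved_euid; }

/* Mirrors the NO_LDAP_SECURITY check quoted in comment 3. */
static int smbldap_open(void)
{
    if (sim_euid != 0) {
        printf("smbldap_open: cannot access LDAP when not root..\n");
        return LDAP_INSUFFICIENT_ACCESS;
    }
    return LDAP_SUCCESS;
}

/* another_ldap_try: keep reconnecting until the operation timeout expires. */
static int smbldap_do_op(const char *what)
{
    int start = sim_clock, attempt = 0;

    while (sim_clock - start < LDAP_OP_TIMEOUT_SEC) {
        attempt++;
        if (smbldap_open() == LDAP_SUCCESS) {
            printf("%s: ok on try %d\n", what, attempt);
            return LDAP_SUCCESS;
        }
        printf("Connection to LDAP server failed for the %d try!\n", attempt);
        sim_clock += LDAP_RETRY_DELAY_SEC;
    }
    printf("%s: Timed out\n", what);
    return LDAP_TIMEOUT;
}

/* As the log shows it: a failed read of the policy falls back to the
 * default and then tries to write that default back to LDAP, so both
 * operations pay the full timeout. */
static int ldapsam_get_account_policy(void)
{
    if (smbldap_do_op("ldapsam_get_account_policy_from_ldap") != LDAP_SUCCESS) {
        smbldap_do_op("ldapsam_set_account_policy");
        return -1;
    }
    return 0;
}

/* Seconds spent in the bad-password bookkeeping for one wrong password.
 * With bracket_with_root set, the policy lookup runs inside
 * become_root()/unbecome_root(), the approach the fix above takes. */
int failed_logon_seconds(int bracket_with_root)
{
    int start = sim_clock, rc;

    if (bracket_with_root)
        become_root();
    rc = ldapsam_get_account_policy();
    if (bracket_with_root)
        unbecome_root();   /* always restore: the rest of the session must not stay root */

    if (rc != 0)
        printf("pdb_increment_bad_password_count: pdb_get_account_policy failed.\n");
    return sim_clock - start;
}

/* Effective uid after the call: must be back to the session's own uid. */
int current_euid(void) { return sim_euid; }

int main(void)
{
    printf("unpatched: %d s\n", failed_logon_seconds(0));
    printf("patched:   %d s\n", failed_logon_seconds(1));
    printf("euid afterwards: %d\n", current_euid());
    return 0;
}
```

The unpatched path spends 15 simulated seconds failing to read the policy and another 15 failing to write the default back, which is the 30-second delay the reporter saw; a wrong uid never reaches this code, which is why it fails immediately. The bracketed path connects on the first try and returns 0 seconds, and current_euid() confirms the process is back at uid 99 once the lookup is done.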