The Samba-Bugzilla – Bug 4314
Bad password attempts do not trigger sambaLockout
Last modified: 2007-03-02 09:58:15 UTC
This bug is also related to #4313, because it was
found during our tests. I'm doing the same introduction
just to make it easy.
We are running Samba on a Debian "etch" machine (x86),
four processors (Intel(R) Xeon(TM) CPU 3.00GHz) and 4GB
of RAM. We use LDAP as a backend to manage about
200 users and computers. The versions of the software involved:
* libldap2 2.1.30-13+b1
* samba 3.0.23d-2+b1
* slapd 2.3.29-1
Using the password policies seems to work fine, but
the lockout configuration doesn't seem to be OK. In the
sambaDomainName entry we have:
With the above configuration our idea is to have the
user account locked for 30 minutes after 3 bad login
attempts. We are not quite sure about how
sambaLockoutObservationWindow affects the lockout, that's
why we set it equal to sambaLockoutDuration.
Using my account (felipe), if I mistype the password
I can see the time and the number of bad tries using
pdbedit, but it does not increase. If I try two or three
times to log in with the wrong password, the fields
"Last bad password" and "Bad password count" don't
change. "Last bad password" keeps the date of the first
attempt and "Bad password count" remains at "1".
I was expecting both fields to get updated when I
made a bad login attempt and, after the third try, my
account to be blocked (probably the Win clients would show a different
message then). Is that a bug? A missing feature? Or a
misconfiguration on my side?
Sorry, I forgot to add the libldap library information:
* libldap-2.3-0 2.3.29-1
So far, on 3.0.25pre1, this is working for me. I should explain that the BadPassword count won't increase on the ldap server until lockout is reached. We did this to prevent every mistyped password from being propagated throughout all replicas of an ldap tree, because that could create a massive amount of traffic. This also mimics what NT does, where the bad password count isn't replicated until the threshold is reached. We cache it locally until then.
However, pdbedit should show the increase on whatever DC is processing the request, because it will reflect the contents of the local cache. So even with pdbedit you're not seeing this increase at all?
The ObservationWindow is a timer after which the count is reset back to zero, so that you don't accumulate bad attempts forever. So in your case, if no bad passwords are entered in 30 minutes, the count should reset to zero next time it's accessed.
Please keep in mind that the ldap tree itself isn't updated when timers expire, but rather the next time that a passdb backend accesses the entry.
If you're not seeing updates in pdbedit, please post your smb.conf, and also give a little more detail about how you're testing this out.
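The behaviour described in the two previous comments (the reporter's policy of threshold 3, 30-minute duration and 30-minute observation window, and the maintainer's explanation that the bad-password count is cached on the local DC and only written to the replicated LDAP entry once the threshold is reached, with timers evaluated lazily on the next access) can be modelled as a small state machine. The block below is an added example written for this page; it is not Samba code and does not reproduce Samba's passdb internals. The class and field names (`LdapEntry`, `LocalDC`, `pdbedit_view`) are assumptions for illustration, and the policy constants are taken from the reporter's description.

```python
"""Model of the lockout semantics described in this thread.

Added example, not Samba code. Class and method names are assumptions;
policy values are the reporter's (threshold 3, 30 min duration and
observation window). Times are integer seconds so the model runs offline.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Policy values from the reporter's sambaDomainName entry (seconds).
LOCKOUT_THRESHOLD = 3
LOCKOUT_DURATION = 30 * 60
LOCKOUT_OBSERVATION_WINDOW = 30 * 60


@dataclass
class LdapEntry:
    """The replicated user entry, as every DC and LDAP replica sees it."""
    bad_password_count: int = 0
    bad_password_time: int = 0
    locked_since: Optional[int] = None


@dataclass
class LocalDC:
    """One DC's view: a local cache sitting in front of the LDAP entry."""
    ldap: LdapEntry
    cached_count: int = 0
    cached_time: int = 0

    def _expire_timers(self, now: int) -> None:
        # Timers are only evaluated when the entry is accessed, not when
        # they expire; this is the lazy update the maintainer describes.
        if (self.ldap.locked_since is not None
                and now - self.ldap.locked_since >= LOCKOUT_DURATION):
            self.ldap.locked_since = None
            self.ldap.bad_password_count = 0
            self.cached_count = 0
        if (self.cached_count
                and now - self.cached_time >= LOCKOUT_OBSERVATION_WINDOW):
            # No bad password inside the observation window: count resets.
            self.cached_count = 0

    def is_locked(self, now: int) -> bool:
        self._expire_timers(now)
        return self.ldap.locked_since is not None

    def authenticate(self, now: int, password_ok: bool) -> str:
        """Return 'locked', 'ok' or 'bad password' for one logon attempt."""
        if self.is_locked(now):
            return "locked"
        if password_ok:
            self.cached_count = 0
            return "ok"
        # Bad password: only the local cache is touched below threshold,
        # so replicas see no traffic for a single mistyped password.
        self.cached_count += 1
        self.cached_time = now
        if self.cached_count >= LOCKOUT_THRESHOLD:
            # Threshold reached: propagate count, time and lock to LDAP.
            self.ldap.bad_password_count = self.cached_count
            self.ldap.bad_password_time = now
            self.ldap.locked_since = now
        return "bad password"

    def pdbedit_view(self) -> Tuple[int, int]:
        """What pdbedit on this DC should report: the local cache, which
        the maintainer says should increase even before the threshold."""
        return self.cached_count, self.cached_time


def reporter_scenario() -> dict:
    """Three bad passwords one minute apart, then a correct one while locked."""
    dc = LocalDC(LdapEntry())
    results = [dc.authenticate(t, False) for t in (0, 60, 120)]
    return {
        "results": results,
        "pdbedit": dc.pdbedit_view(),
        "ldap_count": dc.ldap.bad_password_count,
        "locked_now": dc.is_locked(121),
        "while_locked": dc.authenticate(121, True),
        "after_duration": dc.authenticate(120 + LOCKOUT_DURATION, True),
    }


if __name__ == "__main__":
    print(reporter_scenario())
```

The model makes the reporter's two observations testable separately: `pdbedit_view()` is expected to count up from the first bad attempt, while `ldap.bad_password_count` stays at zero until the third, which is exactly the distinction the maintainer asks about.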
This was a "must be root" bug which has been fixed in the 3.0.25 branch. If you want a 3.0.24d you can use the SerNet packages, which have that one fixed I think. For that reason I'll close this as fixed...