Bug 4314 - Bad password attempts do not trigger sambaLockout
Summary: Bad password attempts do not trigger sambaLockout
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.23d
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
Reported: 2006-12-28 14:39 UTC by Felipe Augusto van de Wiel
Modified: 2007-03-02 09:58 UTC

See Also:


Attachments

Description Felipe Augusto van de Wiel 2006-12-28 14:39:49 UTC
Hi,

  This bug is also related to #4313, because it was
found during our tests. I'm doing the same introduction
just to make it easy.

  We are running Samba on a Debian "etch" machine (x86),
four processors (Intel(R) Xeon(TM) CPU 3.00GHz) and 4GB
of RAM. We use LDAP as a backend to manage about
200 users and computers. The versions of the software involved:

  * libldap2  2.1.30-13+b1
  * samba     3.0.23d-2+b1
  * slapd     2.3.29-1


  Using the policies for password seems to work fine. But
the Lockout configuration doesn't seem to be OK. In the
sambaDomainName we have:

     sambaLockoutDuration: 30
     sambaLockoutObservationWindow: 30
     sambaLockoutThreshold: 3

  With the above configuration our idea is to have the
user account locked for 30 minutes after 3 bad login
attempts. We are not quite sure about how 
sambaLockoutObservationWindow affects the lockout, that's
why we set it equal to sambaLockoutDuration.

  Using my account (felipe), if I mistype the password
I can see the time and the number of bad tries using
pdbedit, but it does not increase. If I try two or three
times to login with the wrong password, the fields 
"Last bad password" and "Bad password count" don't
change. "Last bad password" keeps the date of the first
attempt and the "bad password count" remains at "1".

  I was expecting that both fields would get updated when I
made a bad login attempt and that after the third try it would block
my account (probably the Win clients will show a different
message then). Is that a bug? A missing feature? Or a 
misconfiguration on my side?

--
Felipe (faw)
Comment 1 Felipe Augusto van de Wiel 2006-12-29 13:52:00 UTC
Sorry, I forgot to add the libldap library information:

  * libldap-2.3-0  2.3.29-1

Kind regards,

--
Felipe (faw)
Comment 2 Jim McDonough 2007-03-02 09:28:59 UTC
So far, on 3.0.25pre1, this is working for me.  I should explain that the BadPassword count won't increase on the ldap server until lockout is reached.  We did this to prevent every mistyped password from being propagated throughout all replicas of an ldap tree, because that could create a massive amount of traffic.  This also mimics what NT does, where the bad password count isn't replicated until the threshold is reached.  We cache it locally until then.

However, pdbedit should show the increase on whatever DC is processing the request, because it will reflect the contents of the local cache.  So even with pdbedit you're not seeing this increase at all?

The ObservationWindow is a timer after which the count is reset back to zero, so that you don't accumulate bad attempts forever.  So in your case, if no bad passwords are entered in 30 minutes, the count should reset to zero next time it's accessed.

Please keep in mind that the ldap tree itself isn't updated when timers expire, but rather the next time that a passdb backend accesses the entry.

If you're not seeing updates in pdbedit, please post your smb.conf, and also give a little more detail about how you're testing this out.
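The bookkeeping Jim describes in Comment 2 (bad attempts cached locally on the DC, written to the LDAP tree only when sambaLockoutThreshold is reached, the count reset once sambaLockoutObservationWindow has passed, and timers only taking effect on the next passdb access) can be modelled in a few dozen lines. The following is an added illustration, not Samba's own code, written against the reporter's three attribute values. It assumes the attributes are interpreted in minutes (as the reporter does), that timestamps are epoch seconds, and that an expired sambaLockoutDuration clears the directory attributes on the next access; successful logons are not modelled.

```python
"""Model of the Samba 3 bad-password / lockout bookkeeping described in
Comment 2 of bug 4314.  Added example, not Samba code.  Assumptions: the
sambaLockout* attributes are minutes, timestamps are epoch seconds, and an
expired lockout is cleared on the next passdb access (the page does not
say how Samba handles expiry, so that part is a modelling choice)."""
from dataclasses import dataclass, field
from typing import Dict, List

MINUTE = 60


@dataclass
class LockoutPolicy:
    """Values from the reporter's sambaDomainName entry."""
    threshold: int = 3            # sambaLockoutThreshold
    observation_window: int = 30  # sambaLockoutObservationWindow (minutes, assumed)
    duration: int = 30            # sambaLockoutDuration (minutes, assumed)


@dataclass
class LdapReplica:
    """The per-user attributes as every replica of the LDAP tree sees them."""
    bad_password_count: int = 0
    last_bad_password: int = 0    # epoch seconds, 0 = never
    lockout_time: int = 0         # epoch seconds, 0 = not locked
    write_log: List[str] = field(default_factory=list)


class AccountState:
    """One DC's view of a user: a local cache of bad attempts that is only
    flushed to LDAP once the threshold is reached (Comment 2)."""

    def __init__(self, policy: LockoutPolicy, ldap: LdapReplica) -> None:
        self.policy = policy
        self.ldap = ldap
        self.cached_count = ldap.bad_password_count
        self.cached_last_bad = ldap.last_bad_password

    def _access(self, now: int) -> None:
        """Timers are evaluated lazily, on the next access, not when they expire."""
        p = self.policy
        if self.ldap.lockout_time:
            # Assumed: once sambaLockoutDuration has passed, unlock and clear.
            if now - self.ldap.lockout_time >= p.duration * MINUTE:
                self.ldap.lockout_time = 0
                self.ldap.bad_password_count = 0
                self.cached_count = 0
                self.ldap.write_log.append(f"{now}: lockout expired, attributes cleared")
            return
        # Observation window: no bad attempt within the window resets the count.
        if self.cached_count and now - self.cached_last_bad >= p.observation_window * MINUTE:
            self.cached_count = 0

    def is_locked(self, now: int) -> bool:
        self._access(now)
        return self.ldap.lockout_time != 0

    def bad_password(self, now: int) -> str:
        """Record a failed logon at time `now`; returns 'locked' or 'cached'."""
        self._access(now)
        if self.ldap.lockout_time:
            return "locked"
        self.cached_count += 1
        self.cached_last_bad = now
        if self.cached_count >= self.policy.threshold:
            # Threshold reached: only now does the count hit the directory.
            self.ldap.bad_password_count = self.cached_count
            self.ldap.last_bad_password = now
            self.ldap.lockout_time = now
            self.ldap.write_log.append(
                f"{now}: sambaBadPasswordCount={self.cached_count} written, account locked")
            return "locked"
        return "cached"

    def pdbedit_view(self) -> Dict[str, int]:
        """What pdbedit on this DC reports: the local cache, not the LDAP entry."""
        return {"Bad password count": self.cached_count,
                "Last bad password": self.cached_last_bad}


def demo() -> List[str]:
    """Three mistyped passwords a minute apart, then a check after 30 minutes."""
    ldap = LdapReplica()
    acct = AccountState(LockoutPolicy(), ldap)
    for t in (0, 60, 120):
        acct.bad_password(t)
    acct.is_locked(120 + 30 * MINUTE)
    return ldap.write_log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run as a script it prints one directory write at the third attempt and one at lockout expiry; the first two attempts are visible only through `pdbedit_view()`, which is why Jim asks whether pdbedit on the DC handling the logons shows the count rising even though the LDAP entry does not.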
Comment 3 Björn Jacke 2007-03-02 09:58:15 UTC
this was a "must be root bug" which has been fixed in the 3.0.25 branch. If you want a 3.0.24d you can use the SerNet packages, which have that one fixed I think. For that reason I'll close this as fixed...