Bug 5825 - Account locking out doesnt work with an LDAP backend
Summary: Account locking out doesnt work with an LDAP backend
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: User & Group Accounts
Version: 3.2.4
Hardware: Sparc Solaris
Importance: P3 regression
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-10-15 18:17 UTC by David Markey
Modified: 2013-02-18 13:30 UTC
CC: 5 users

See Also:


Attachments
Patch for 3.2.x and beyond. (657 bytes, patch)
2008-11-06 08:15 UTC, Jeremy Allison
no flags Details
look (920 bytes, patch)
2008-11-07 00:45 UTC, boyang
no flags Details

Description David Markey 2008-10-15 18:17:09 UTC
I'm using 3.2.4 and I cannot get an account to lock out...

This is a security concern in my opinion.

Here's the line of events.

-bash-3.00# pdbedit -P "bad lockout attempt"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CSR))]
smbldap_open_connection: connection opened
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CSR))]
smbldap_open_connection: connection opened
account policy "bad lockout attempt" description: Lockout users after bad logon attempts (default: 0 => off)
account policy "bad lockout attempt" value is: 5

Obviously it's set to 5.


-bash-3.00# pdbedit -P "lockout duration"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CSR))]
smbldap_open_connection: connection opened
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CSR))]
smbldap_open_connection: connection opened
account policy "lockout duration" description: Lockout duration in minutes (default: 30, -1 => forever)
account policy "lockout duration" value is: 4294967295

And a lockout duration of forever.

So here we go:

smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: test.user1
Unix username:        test.user1
NT username:          test.user1
Account Flags:        [U          ]
User SID:             S-1-5-21-933094658-698143331-34306911-1041
init_group_from_ldap: Entry found for group: 513
init_group_from_ldap: Entry found for group: 513
Primary Group SID:    S-1-5-21-933094658-698143331-34306911-513
Full Name:            test.user1
Home Directory:       \\samba\test.user1
HomeDir Drive:        U:
Logon Script:         logon.bat
Profile Path:
Domain:               CSR
Account desc:
Workstations:
Munged dial:         
Logon time:           0
Logoff time:          never
Kickoff time:         0
Password last set:    Wed, 15 Oct 2008 13:05:54 WEST
Password can change:  Wed, 15 Oct 2008 13:05:54 WEST
Password must change: Sun, 14 Dec 2008 12:05:54 WET
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


And attempt to log in 8 times:


-bash-3.00# net --user=test.user1 user
Enter test.user1's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
-bash-3.00# net --user=test.user1 user
Enter test.user1's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
-bash-3.00# net --user=test.user1 user
Enter test.user1's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
-bash-3.00# net --user=test.user1 user
Enter test.user1's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
-bash-3.00# net --user=test.user1 user
Enter test.user1's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
-bash-3.00# net --user=test.user1 user
Enter test.user1's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
-bash-3.00# net --user=test.user1 user
Enter test.user1's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
-bash-3.00# net --user=test.user1 user
Enter test.user1's password:
root
nobody
test.user1

-bash-3.00# pdbedit -v test.user1
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CSR))]
smbldap_open_connection: connection opened
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CSR))]
smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: test.user1
Unix username:        test.user1
NT username:          test.user1
Account Flags:        [U          ]
User SID:             S-1-5-21-933094658-698143331-34306911-1041
init_group_from_ldap: Entry found for group: 513
init_group_from_ldap: Entry found for group: 513
Primary Group SID:    S-1-5-21-933094658-698143331-34306911-513
Full Name:            test.user1
Home Directory:       \\samba\test.user1
HomeDir Drive:        U:
Logon Script:         logon.bat
Profile Path:
Domain:               CSR
Account desc:
Workstations:
Munged dial:         
Logon time:           0
Logoff time:          never
Kickoff time:         0
Password last set:    Wed, 15 Oct 2008 13:05:54 WEST
Password can change:  Wed, 15 Oct 2008 13:05:54 WEST
Password must change: Sun, 14 Dec 2008 12:05:54 WET
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
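A way to make the manual check above repeatable, as an added example that is neither Samba's code nor the reporter's: parse the `pdbedit -P` and `pdbedit -v` output formats shown in this report and test whether an account's state is consistent with the lockout policy after a known number of failed logons. The sample strings are constructed from the report; the locked-account sample is an assumption of what a correctly locked account shows (L in Account Flags, non-zero count).

```python
import re

# Constructed sample of the 'pdbedit -P' lines from the report (LDAP noise lines omitted).
POLICY_OUTPUT = """\
account policy "bad lockout attempt" value is: 5
account policy "lockout duration" value is: 4294967295
"""
# Constructed samples of 'pdbedit -v' fields: the report's state after eight failed
# logons (count 0, no L flag) and what a correctly locked account is assumed to show.
PDBEDIT_BEFORE_FIX = """\
Account Flags:        [U          ]
Last bad password   : 0
Bad password count  : 0
"""
PDBEDIT_LOCKED = """\
Account Flags:        [UL         ]
Last bad password   : Wed, 15 Oct 2008 13:40:02 WEST
Bad password count  : 5
"""
POLICY_RE = re.compile(r'^account policy "([^"]+)" value is: (\d+)$', re.M)
FIELD_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*)$")

def parse_policies(text):
    """Map policy name -> int; pdbedit prints -1 ('forever') as unsigned 4294967295."""
    out = {}
    for name, value in POLICY_RE.findall(text):
        out[name] = -1 if int(value) == 0xFFFFFFFF else int(value)
    return out

def parse_pdbedit(text):
    """Parse the 'Field : value' lines of pdbedit -v; smbldap_* log lines do not match."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def check_lockout(pdbedit_text, policies, failed_attempts):
    """Return (bad_count, is_locked, consistent) for an account after N failed logons."""
    f = parse_pdbedit(pdbedit_text)
    bad_count = int(f.get("Bad password count", "0"))
    is_locked = "L" in f.get("Account Flags", "[]").strip("[]")
    threshold = policies.get("bad lockout attempt", 0)  # 0 => lockout disabled
    expect_locked = threshold > 0 and failed_attempts >= threshold
    # Count still 0 and no L flag after more failures than the threshold is exactly
    # the symptom reported here: the backend never incremented sambaBadPasswordCount.
    consistent = is_locked == expect_locked and (failed_attempts == 0 or bad_count > 0)
    return bad_count, is_locked, consistent
```

Feed it the real output of `pdbedit -P` and `pdbedit -v <user>` after a scripted run of failed `net --user=<user> user` calls; an inconsistent result is the condition this bug describes.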
Comment 1 David Markey 2008-10-16 15:27:54 UTC
This is from the logs.

 pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/10/16 21:25:21,  9] passdb/passdb.c:pdb_update_autolock_flag(1417)
  pdb_update_autolock_flag: Account blah.blah not autolocked, no check needed
[2008/10/16 21:25:21,  4] libsmb/ntlm_check.c:ntlm_password_check(328)
  ntlm_password_check: Checking NT MD4 password
[2008/10/16 21:25:21,  3] libsmb/ntlm_check.c:ntlm_password_check(346)
  ntlm_password_check: NT MD4 password check failed for user blah.blah
[2008/10/16 21:25:21,  9] passdb/passdb.c:pdb_update_bad_password_count(1372)
  No bad password attempts.
[2008/10/16 21:25:21,  5] auth/auth.c:check_ntlm_password(272)
  check_ntlm_password: sam authentication for user [blah.blah] FAILED with error NT_STATUS_WRONG_PASSWORD
[2008/10/16 21:25:21,  3] auth/auth_winbind.c:check_winbind_security(54)
  check_winbind_security: Not using winbind, requested domain [CSR] was for this SAM.
[2008/10/16 21:25:21, 10] auth/auth.c:check_ntlm_password(260)
  check_ntlm_password: winbind had nothing to say
[2008/10/16 21:25:21,  2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [blah.blah] -> [blah.blah] FAILED with error NT_STATUS_WRONG_PASSWORD
[2008/10/16 21:25:21,  5] auth/auth_util.c:free_user_info(1985)
  attempting to free (and zero) a user_info structure
[2008/10/16 21:25:21, 10] auth/auth_util.c:free_user_info(1989)
  structure was created for blah.blah
[2008/10/16 21:25:21,  3] smbd/error.c:error_packet_set(61)
  error packet at smbd/sesssetup.c(127) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

pdb_update_bad_password_count seems to be acting a little strange, but I don't know enough about the internals of Samba to be able to read the source with any confidence.


Comment 2 David Markey 2008-10-21 14:31:17 UTC
I've confirmed this is also an issue on a Linux host. Can someone from the Samba development team tell me if this is a known issue?
Comment 3 spurnelle 2008-11-05 11:28:35 UTC
I can confirm that account locking doesn't work with an LDAP backend.
Comment 4 Jeremy Allison 2008-11-05 22:46:10 UTC
This is a show-stopper for next 3.2.x or 3.3 release.
Thanks,
Jeremy.
Comment 5 boyang 2008-11-05 23:11:22 UTC
I'll take care of it. :-)
Comment 6 boyang 2008-11-06 04:59:32 UTC
I am also confused with the logic here. :-)

Why does update_login_attempts() relate to increment_bad_password_account()?

update_login_attempts() is not implemented for tdb and ldap, which return NT_STATUS_NOT_IMPLEMENTED. In auth/auth_sam.c:305~314, for ldap and tdb, update_login_attempts_status is always NT_STATUS_NOT_IMPLEMENTED, which causes sambaBadPasswordCount to never be increased, so the account is never locked. :-)

Is NT_STATUS_IS_OK(update_login_attempts_status) really necessary?
Comment 7 David Markey 2008-11-06 05:07:19 UTC
As this is working in the 3.0 series, it might be worth looking at what it's doing over there?
Comment 8 Jeremy Allison 2008-11-06 08:12:52 UTC
Ah - now I see the problem. The default implementation of:

pdb_default_update_login_attempts()

changed from returning NT_STATUS_OK in 3.0.x to returning NT_STATUS_NOT_IMPLEMENTED in 3.2 and beyond. This call is only implemented by the pdb_nds backend, so LDAP and TDBSAM inherit the (incorrect) version.

Can you try this patch for 3.2.x (and 3.2.x)?

Jeremy.
Comment 9 Jeremy Allison 2008-11-06 08:15:33 UTC
Created attachment 3715 [details]
Patch for 3.2.x and beyond.
Comment 10 boyang 2008-11-07 00:43:16 UTC
Jeremy:
  There is still a problem with this.
  If we supply a wrong password, update_login_attempts() will probably return NT_STATUS_WRONG_PASSWORD for pdb_nds (refer to pdb_nds_update_login_attempts() in passdb/pdb_nds.c). Again, this will prevent sambaBadPasswordCount from being increased. :-)
  I've posted a patch to the list for this.
Comment 11 boyang 2008-11-07 00:45:18 UTC
Created attachment 3717 [details]
look
Comment 12 Jeremy Allison 2008-11-07 01:36:37 UTC
Good catch, I think you're correct. I'll apply this.
Jeremy.
Comment 13 Jeremy Allison 2008-11-07 02:46:20 UTC
Hmmm. I'm looking more closely at this. The password lockup logic makes my brain hurt :-).

If pdb_nds_update_login_attempts() fails, how can we ever update the bad password count?

I'm going to leave this until someone who knows the NDS code can confirm (Jim?). The code currently in the tree makes the account lockouts work with TDBSAM and LDAP backends, so it's just the NDS backend we need to get right.

Jeremy.
Comment 14 Jeremy Allison 2008-11-07 03:02:32 UTC
I guess the critical question is what is the difference between pdb_increment_bad_password_count() which is called if pdb_update_login_attempts() succeeds and pdb_update_bad_password_count() which is called if pdb_update_login_attempts() fails....

I don't understand this :-(.

Jeremy.
Comment 15 boyang 2008-11-07 03:56:57 UTC
(In reply to comment #13)
> Hmmm. I'm looking more closely at this. The password lockup logic makes my
> brain hurt :-).
> 
> If pdb_nds_update_login_attempts() fails, how can we ever update the bad
> password count ?

I think if the returned status is NT_STATUS_WRONG_PASSWORD or NT_STATUS_SUCCESS, we must update the bad password count, because it means the supplied password is wrong. In other cases, we must not.

> 
> I'm going to leave this until someone who knows the NDS code can confirm
> (Jim?). The code currently in the tree makes the account lockouts work with
> TDBSAM and LDAP backends, so it's just the NDS backend we need to get right.

Good decision. 

> 
> Jeremy.
> 

Comment 16 David Markey 2008-11-26 06:57:34 UTC
Any progress on this? Will this be in the upcoming 3.3 release?
Comment 17 Jeremy Allison 2008-11-26 15:52:00 UTC
Yes, this fix has been pushed to all git branches, so it should be in the next feature release.
Jeremy.
Comment 18 David Markey 2008-11-27 05:20:30 UTC
I think I've found another small issue. When an account is locked it can only be unlocked with usrmgr.exe. But if I edit the LDAP entry manually, e.g. unset the L account flag and reset sambaBadPasswordCount and sambaBadPasswordTime, the account stayed locked out; also when I do net SAM SET AUTOLOCK dmarkey no the account still stays locked out.

Any ideas?
Comment 19 David Markey 2009-02-11 09:13:41 UTC
I've discovered another problem.

Samba seems to be caching account lockout details locally on the Samba instance.

For example, if you have a PDC and BDC both backed by LDAP, if a user authenticating off a BDC locks themselves out then they are only locked out on the BDC, not the PDC. Also when one tries to unlock the account using usrmgr.exe it will connect to the PDC but of course the account will appear fine because it is only locked out on the BDC.


Samba needs to go directly to LDAP each time and not cache any of this information locally.

I'm having this problem in a production system, any patches welcome. For a temporary workaround I've disabled account lockout.


Comment 20 Volker Lendecke 2009-02-11 09:16:56 UTC
You can't go to LDAP every time as this will create LDAP replication traffic whenever a user types his password wrong.

Volker
Comment 21 David Markey 2009-02-11 09:33:47 UTC
I don't see any other way to keep account lockout integrity across domain controllers.
 
A little replication wouldn't be a problem the way I have it designed anyway, and obviously wouldn't be a problem with a single LDAP server. I know you guys have been working hard to take the load off the LDAP server as much as possible, however.

Comment 22 David Markey 2009-02-12 11:17:35 UTC
Humble apologies. Configuration error. I had the wrong updateref in my slave slapd.conf, so the BDC couldn't update the entry.

Comment 23 Björn Jacke 2009-02-12 11:52:03 UTC
David, I guess this can be closed then? If not please reopen ...