I'm using 3.2.4 and I cannot get an account to lock out... This is a security concern in my opinion. Here's the line of events.

-bash-3.00# pdbedit -P "bad lockout attempt"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CSR))]
smbldap_open_connection: connection opened
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CSR))]
smbldap_open_connection: connection opened
account policy "bad lockout attempt" description: Lockout users after bad logon attempts (default: 0 => off)
account policy "bad lockout attempt" value is: 5

Obviously it's set to 5.

-bash-3.00# pdbedit -P "lockout duration"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CSR))]
smbldap_open_connection: connection opened
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CSR))]
smbldap_open_connection: connection opened
account policy "lockout duration" description: Lockout duration in minutes (default: 30, -1 => forever)
account policy "lockout duration" value is: 4294967295

And a lockout duration of forever, so here we go:

smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: test.user1
Unix username:        test.user1
NT username:          test.user1
Account Flags:        [U          ]
User SID:             S-1-5-21-933094658-698143331-34306911-1041
init_group_from_ldap: Entry found for group: 513
init_group_from_ldap: Entry found for group: 513
Primary Group SID:    S-1-5-21-933094658-698143331-34306911-513
Full Name:            test.user1
Home Directory:       \\samba\test.user1
HomeDir Drive:        U:
Logon Script:         logon.bat
Profile Path:
Domain:               CSR
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         0
Password last set:    Wed, 15 Oct 2008 13:05:54 WEST
Password can change:  Wed, 15 Oct 2008 13:05:54 WEST
Password must change: Sun, 14 Dec 2008 12:05:54 WET
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

And attempt to log in 8 times:

-bash-3.00# net --user=test.user1 user
Enter test.user1's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
-bash-3.00# net --user=test.user1 user
Enter test.user1's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
-bash-3.00# net --user=test.user1 user
Enter test.user1's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
-bash-3.00# net --user=test.user1 user
Enter test.user1's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
-bash-3.00# net --user=test.user1 user
Enter test.user1's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
-bash-3.00# net --user=test.user1 user
Enter test.user1's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
-bash-3.00# net --user=test.user1 user
Enter test.user1's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
-bash-3.00# net --user=test.user1 user
Enter test.user1's password:
root
nobody
test.user1

-bash-3.00# pdbedit -v test.user1
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CSR))]
smbldap_open_connection: connection opened
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CSR))]
smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: test.user1
Unix username:        test.user1
NT username:          test.user1
Account Flags:        [U          ]
User SID:             S-1-5-21-933094658-698143331-34306911-1041
init_group_from_ldap: Entry found for group: 513
init_group_from_ldap: Entry found for group: 513
Primary Group SID:    S-1-5-21-933094658-698143331-34306911-513
Full Name:            test.user1
Home Directory:       \\samba\test.user1
HomeDir Drive:        U:
Logon Script:         logon.bat
Profile Path:
Domain:               CSR
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         0
Password last set:    Wed, 15 Oct 2008 13:05:54 WEST
Password can change:  Wed, 15 Oct 2008 13:05:54 WEST
Password must change: Sun, 14 Dec 2008 12:05:54 WET
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
This is from the logs.

pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/10/16 21:25:21, 9] passdb/passdb.c:pdb_update_autolock_flag(1417)
  pdb_update_autolock_flag: Account blah.blah not autolocked, no check needed
[2008/10/16 21:25:21, 4] libsmb/ntlm_check.c:ntlm_password_check(328)
  ntlm_password_check: Checking NT MD4 password
[2008/10/16 21:25:21, 3] libsmb/ntlm_check.c:ntlm_password_check(346)
  ntlm_password_check: NT MD4 password check failed for user blah.blah
[2008/10/16 21:25:21, 9] passdb/passdb.c:pdb_update_bad_password_count(1372)
  No bad password attempts.
[2008/10/16 21:25:21, 5] auth/auth.c:check_ntlm_password(272)
  check_ntlm_password: sam authentication for user [blah.blah] FAILED with error NT_STATUS_WRONG_PASSWORD
[2008/10/16 21:25:21, 3] auth/auth_winbind.c:check_winbind_security(54)
  check_winbind_security: Not using winbind, requested domain [CSR] was for this SAM.
[2008/10/16 21:25:21, 10] auth/auth.c:check_ntlm_password(260)
  check_ntlm_password: winbind had nothing to say
[2008/10/16 21:25:21, 2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password: Authentication for user [blah.blah] -> [blah.blah] FAILED with error NT_STATUS_WRONG_PASSWORD
[2008/10/16 21:25:21, 5] auth/auth_util.c:free_user_info(1985)
  attempting to free (and zero) a user_info structure
[2008/10/16 21:25:21, 10] auth/auth_util.c:free_user_info(1989)
  structure was created for blah.blah
[2008/10/16 21:25:21, 3] smbd/error.c:error_packet_set(61)
  error packet at smbd/sesssetup.c(127) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

pdb_update_bad_password_count seems to be acting a little strange, but I don't know enough about the internals of Samba to be able to read the source with any confidence.
I've confirmed this is also an issue on a Linux host. Can someone from the Samba development team tell me if this is a known issue?
I can confirm that account locking doesn't work with an LDAP backend.
This is a show-stopper for next 3.2.x or 3.3 release. Thanks, Jeremy.
I'll take care of it. :-)
I am also confused with the logic here. :-) Why does update_login_attempts() relate to increment_bad_password_account()? update_login_attempts() is not implemented for tdb and ldap, which return NT_STATUS_NOT_IMPLEMENTED. In auth/auth_sam.c:305~314, for ldap and tdb, update_login_attempts_status is always NT_STATUS_NOT_IMPLEMENTED, which causes sambaBadPasswordCount never to be increased, so the account is never locked. :-) Is NT_STATUS_IS_OK(update_login_attempts_status) really necessary?
As this is working in the 3.0 series, it might be worth looking at what it's doing over there?
Ah - now I see the problem. The default implementation of : pdb_default_update_login_attempts() changed from returning NT_STATUS_OK in 3.0.x to returning NT_STATUS_NOT_IMPLEMENTED in 3.2 and beyond. This call is only implemented by the pdb_nds backend, so LDAP and TDBSAM inherit the (incorrect) version. Can you try this patch for 3.2.x (and 3.2.x) ? Jeremy.
Created attachment 3715: Patch for 3.2.x and beyond.
Jeremy: There is still a problem with this. If we supply a wrong password, update_login_attempts() will probably return NT_STATUS_WRONG_PASSWORD for pdb_nds (refer to pdb_nds_update_login_attempts() in passdb/pdb_nds.c). Again, this will prevent sambaBadPasswordCount from being increased. :-) I've posted a patch to the list for this.
Created attachment 3717: look
Good catch, I think you're correct. I'll apply this. Jeremy.
Hmmm. I'm looking more closely at this. The password lockup logic makes my brain hurt :-). If pdb_nds_update_login_attempts() fails, how can we ever update the bad password count ? I'm going to leave this until someone who knows the NDS code can confirm (Jim?). The code currently in the tree makes the account lockouts work with TDBSAM and LDAP backends, so it's just the NDS backend we need to get right. Jeremy.
I guess the critical question is what is the difference between pdb_increment_bad_password_count() which is called if pdb_update_login_attempts() succeeds and pdb_update_bad_password_count() which is called if pdb_update_login_attempts() fails.... I don't understand this :-(. Jeremy.
(In reply to comment #13)
> Hmmm. I'm looking more closely at this. The password lockup logic makes my
> brain hurt :-).
>
> If pdb_nds_update_login_attempts() fails, how can we ever update the bad
> password count ?

I think if the returned status is NT_STATUS_WRONG_PASSWORD or NT_STATUS_SUCCESS, we must update the bad password count, because it means the supplied password is wrong. Under other cases, we must not.

> I'm going to leave this until someone who knows the NDS code can confirm
> (Jim?). The code currently in the tree makes the account lockouts work with
> TDBSAM and LDAP backends, so it's just the NDS backend we need to get right.

Good decision.

> Jeremy.
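As an added illustration, not Samba's code and not from any of the commenters, here is a small C model of the decision the last few comments are about: when the backend's update_login_attempts() reports NT_STATUS_NOT_IMPLEMENTED (the 3.2 default inherited by tdbsam and ldapsam) or NT_STATUS_WRONG_PASSWORD (pdb_nds), does the failed attempt ever reach the bad-password counter? The enums, `logon`, `replay`, `POLICY_REPORT` and the rest are hypothetical stand-ins for the Samba internals named in the thread; the policy values are the ones from the report (5 attempts, lockout duration 4294967295 = forever) plus a 30-minute variant to show auto-unlock.

```c
/* Added example, not Samba's code: a small model of the bad-password
 * accounting argued about in this thread. Type and function names are
 * hypothetical stand-ins for the Samba internals named above. */
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

typedef enum {
    ST_OK = 0,
    ST_WRONG_PASSWORD,
    ST_NOT_IMPLEMENTED,     /* 3.2 default for update_login_attempts() */
    ST_ACCOUNT_LOCKED_OUT
} status_t;

enum backend { BACKEND_TDBSAM, BACKEND_LDAPSAM, BACKEND_NDS };
enum variant { VARIANT_3_2, VARIANT_FIXED };

#define LOCKOUT_FOREVER 4294967295u   /* the value pdbedit -P printed above */

struct policy {
    unsigned bad_lockout_attempt;   /* 0 => off */
    unsigned lockout_duration;      /* minutes; LOCKOUT_FOREVER => never expires */
};
static const struct policy POLICY_REPORT  = { 5, LOCKOUT_FOREVER }; /* as in the report */
static const struct policy POLICY_DEFAULT = { 5, 30 };              /* 30-minute lockout */

struct account {
    bool     autolock;     /* the [L] account flag */
    unsigned bad_count;    /* sambaBadPasswordCount */
    time_t   last_bad;     /* sambaBadPasswordTime */
};

struct outcome { unsigned bad_count; bool got_in; };

/* Stand-in for pdb_update_login_attempts(): only NDS implements it and
 * reports the password result; everything else hits the default, which
 * returned OK in 3.0 and NOT_IMPLEMENTED in 3.2. */
static status_t update_login_attempts(enum variant v, enum backend b, bool pw_ok)
{
    if (b == BACKEND_NDS)
        return pw_ok ? ST_OK : ST_WRONG_PASSWORD;
    return (v == VARIANT_3_2) ? ST_NOT_IMPLEMENTED : ST_OK;
}

static bool is_locked(const struct account *a, const struct policy *p, time_t now)
{
    if (!a->autolock)
        return false;
    if (p->lockout_duration == LOCKOUT_FOREVER)
        return true;
    return (now - a->last_bad) < (time_t)p->lockout_duration * 60;
}

/* One logon attempt; pw_ok says whether the supplied password was right. */
static status_t logon(enum variant v, enum backend b, struct account *a,
                      const struct policy *p, bool pw_ok, time_t now)
{
    status_t s;
    bool count_it;

    if (is_locked(a, p, now))
        return ST_ACCOUNT_LOCKED_OUT;

    s = update_login_attempts(v, b, pw_ok);
    if (pw_ok) {
        a->bad_count = 0;          /* a good logon clears the counter and flag */
        a->autolock = false;
        return ST_OK;
    }

    /* The gate the thread is about. 3.2 counts the failure only when
     * update_login_attempts() returned OK, so NOT_IMPLEMENTED (tdb/ldap) and
     * WRONG_PASSWORD (nds) both leave the count at 0; the fixed variant
     * also counts on WRONG_PASSWORD, as proposed in the comment above. */
    count_it = (v == VARIANT_3_2) ? (s == ST_OK)
                                  : (s == ST_OK || s == ST_WRONG_PASSWORD);
    if (count_it && p->bad_lockout_attempt > 0) {
        a->bad_count++;
        a->last_bad = now;
        if (a->bad_count >= p->bad_lockout_attempt)
            a->autolock = true;
    }
    return ST_WRONG_PASSWORD;
}

/* Replay `tries` wrong passwords one second apart, wait `delay` seconds,
 * then try the correct password. Reports the final counter and whether
 * the correct password got in. */
static struct outcome replay(enum variant v, enum backend b, unsigned tries,
                             const struct policy *p, time_t delay)
{
    struct account a = { false, 0, 0 };
    struct outcome o;
    time_t now = (time_t)1224192321;   /* constructed timestamp */
    unsigned i;

    for (i = 0; i < tries; i++)
        logon(v, b, &a, p, false, now + i);
    o.got_in = (logon(v, b, &a, p, true, now + tries + delay) == ST_OK);
    o.bad_count = a.bad_count;
    return o;
}

int main(void)
{
    struct outcome o = replay(VARIANT_3_2, BACKEND_LDAPSAM, 8, &POLICY_REPORT, 0);
    printf("3.2 ldapsam:   bad_count=%u, correct password accepted=%s\n",
           o.bad_count, o.got_in ? "yes" : "no");
    o = replay(VARIANT_FIXED, BACKEND_LDAPSAM, 8, &POLICY_REPORT, 0);
    printf("fixed ldapsam: bad_count=%u, correct password accepted=%s\n",
           o.bad_count, o.got_in ? "yes" : "no");
    return 0;
}
```

Run as-is it reproduces the report: eight wrong passwords against ldapsam under the 3.2 gate leave the counter at 0 and the ninth, correct, password is accepted, while the fixed gate locks the account at the fifth failure and refuses the correct password afterwards. The same `replay` with the NDS backend shows why the first patch alone is not enough (WRONG_PASSWORD is also rejected by an IS_OK-only check), and with `POLICY_DEFAULT` and a delay over 30 minutes it shows the lockout expiring on its own.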
Any progress on this? Will this be in the upcoming 3.3 release?
Yes this fix has been pushed to all git branches so should be in the next feature release. Jeremy.
I think I've found another small issue. When an account is locked it can only be unlocked with usrmgr.exe. But if I edit the LDAP entry manually, e.g. unset the L account flag and reset sambaBadPasswordCount and sambaBadPasswordTime, the account stays locked out; also when I do net SAM SET AUTOLOCK dmarkey no the account still stays locked out. Any ideas?
I've discovered another problem. Samba seems to be caching account lockout details locally on the Samba instance. For example, if you have a PDC and BDC both backed by LDAP, and a user authenticating off the BDC locks themselves out, then they are only locked out on the BDC, not the PDC. Also, when one tries to unlock the account using usrmgr.exe it will connect to the PDC, but of course the account will appear fine because it is only locked out on the BDC. Samba needs to go directly to LDAP each time and not cache any of this information locally. I'm having this problem in a production system; any patches welcome. As a temporary workaround I've disabled account lockout.
You can't go to LDAP every time as this will create LDAP replication traffic whenever a users types his password wrong. Volker
I don't see any other way to keep account lockout integrity across domain controllers. A little replication wouldn't be a problem the way I have it designed anyway, and obviously wouldn't be a problem with a single LDAP server. I know you guys have been working hard to take the load off the LDAP server as much as possible, however.
Humble apologies. Configuration error. I had the wrong updateref in my slave slapd.conf, so the BDC couldn't update the entry.
David, I guess this can be closed then? If not please reopen ...