8166 – winbind offline logon locks out users on bad password attempts

Bug 8166 - winbind offline logon locks out users on bad password attempts

Summary: winbind offline logon locks out users on bad password attempts

Status:	NEW

Alias:	None

Product:	Samba 3.6
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	3.6.0rc1
Hardware:	All All

Importance:	P2 normal
Target Milestone:	---
Assignee:	Guenther Deschner
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2011-05-25 14:40 UTC by Jim McDonough
Modified:	2011-06-28 15:24 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Patch for 3.6 (1.27 KB, patch) 2011-05-25 16:27 UTC, Jim McDonough	obnox: review+	Details
Patch for 3.5 (1.27 KB, patch) 2011-05-25 16:27 UTC, Jim McDonough	obnox: review+	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jim McDonough 2011-05-25 14:40:16 UTC

The bad password count logic is not bypassed on cached offline logons, which is how windows behaves.

Worse yet, the count is honored, but the duration is not, so a user who locks himself out while offline can never logon again until reconnecting with the DC.

Comment 1 Jim McDonough 2011-05-25 16:27:06 UTC

Created attachment 6486 [details]
Patch for 3.6

Comment 2 Jim McDonough 2011-05-25 16:27:54 UTC

Created attachment 6487 [details]
Patch for 3.5

Comment 3 Jeremy Allison 2011-05-25 16:55:25 UTC

I think this is a blocker. And now we have patches an easy fix before final release :-).

Jeremy.

Comment 4 Guenther Deschner 2011-05-26 10:18:34 UTC

hm, in fact I exactly made it behave like that on purpose (to not allow offline password attacks like in windows).

Comment 5 Jim McDonough 2011-05-26 11:27:36 UTC

(In reply to comment #4)
> hm, in fact I exactly made it behave like that on purpose (to not allow offline
> password attacks like in windows).

Well, then there is one giant hole...there is no lockout duration.

Comment 6 Michael Adam 2011-05-31 20:28:26 UTC

As just discussed on irc with Günther:
Better fix it this ways now, since we don't have
a patch ready now to add the extra value that Günther
intended to add...

Assigning to Karolin for inclusion in 3.6.0

Comment 7 Karolin Seeger 2011-06-01 18:46:52 UTC

Pushed to v3-5-test and v3-6-test.
Re-assigning to Günther to decide whether to close the bug report or not.

Comment 8 Karolin Seeger 2011-06-01 18:47:46 UTC

Lowering severity.

Comment 9 Guenther Deschner 2011-06-28 15:24:36 UTC

no longer blocking the release of 3.6.0 at least.