Bug 8166 - winbind offline logon locks out users on bad password attempts
Status: NEW
Product: Samba 3.6
Classification: Unclassified
Component: Winbind
Version: 3.6.0rc1
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assigned To: Guenther Deschner
QA Contact: Samba QA Contact
Reported: 2011-05-25 14:40 UTC by Jim McDonough
Modified: 2011-06-28 15:24 UTC

Attachments
Patch for 3.6 (1.27 KB, patch)
2011-05-25 16:27 UTC, Jim McDonough
obnox: review+
Patch for 3.5 (1.27 KB, patch)
2011-05-25 16:27 UTC, Jim McDonough
obnox: review+

Description Jim McDonough 2011-05-25 14:40:16 UTC
The bad password count logic is not bypassed on cached offline logons, which is how Windows behaves.

Worse yet, the count is honored, but the duration is not, so a user who locks himself out while offline can never log on again until reconnecting with the DC.
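
A minimal model of the failure mode reported above, as an added example that is not Samba's winbind code: a cached bad-password count enforced without a lockout duration never clears, while the same check with a duration releases the account once the window has passed. All names (`offline_logon`, `cached_account`, `lockout_policy`, `honor_duration`), the threshold of 3 and the 1800-second duration are assumptions made for illustration.

```c
/* Added illustration, not Samba/winbind source. All names and values are hypothetical. */
#include <stdio.h>
#include <time.h>

enum logon_result { LOGON_OK, LOGON_WRONG_PASSWORD, LOGON_LOCKED_OUT };

/* State kept in the offline credential cache. */
struct cached_account { unsigned bad_pw_count; time_t last_bad_pw; };

/* threshold 0 disables lockout; duration is in seconds. */
struct lockout_policy { unsigned threshold; time_t duration; };

enum logon_result offline_logon(struct cached_account *a,
                                const struct lockout_policy *p,
                                int password_ok, time_t now, int honor_duration)
{
    if (p->threshold != 0 && a->bad_pw_count >= p->threshold) {
        int expired = honor_duration && p->duration > 0 &&
                      now - a->last_bad_pw >= p->duration;
        if (!expired)
            return LOGON_LOCKED_OUT;   /* never clears when the duration is ignored */
        a->bad_pw_count = 0;           /* lockout window has passed */
    }
    if (!password_ok) {
        a->bad_pw_count++;
        a->last_bad_pw = now;
        return LOGON_WRONG_PASSWORD;
    }
    a->bad_pw_count = 0;
    return LOGON_OK;
}

/* Constructed scenario: three bad attempts at t=0,1,2, then the correct password at retry_at. */
enum logon_result retry_after_lockout(int honor_duration, time_t retry_at)
{
    struct cached_account a = { 0, 0 };
    const struct lockout_policy p = { 3, 1800 };
    for (time_t t = 0; t < 3; t++)
        offline_logon(&a, &p, 0, t, honor_duration);
    return offline_logon(&a, &p, 1, retry_at, honor_duration);
}

int main(void)
{
    printf("count only, 1h later:       %d\n", retry_after_lockout(0, 3600));
    printf("count + duration, 1h later: %d\n", retry_after_lockout(1, 3600));
    return 0;
}
```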
Comment 1 Jim McDonough 2011-05-25 16:27:06 UTC
Created attachment 6486
Patch for 3.6
Comment 2 Jim McDonough 2011-05-25 16:27:54 UTC
Created attachment 6487
Patch for 3.5
Comment 3 Jeremy Allison 2011-05-25 16:55:25 UTC
I think this is a blocker. And now we have patches, an easy fix before final release :-).

Jeremy.
Comment 4 Guenther Deschner 2011-05-26 10:18:34 UTC
hm, in fact I exactly made it behave like that on purpose (to not allow offline password attacks like in windows).
Comment 5 Jim McDonough 2011-05-26 11:27:36 UTC
(In reply to comment #4)
> hm, in fact I exactly made it behave like that on purpose (to not allow offline
> password attacks like in windows).

Well, then there is one giant hole...there is no lockout duration.
Comment 6 Michael Adam 2011-05-31 20:28:26 UTC
As just discussed on IRC with Günther:
Better fix it this way now, since we don't have
a patch ready now to add the extra value that Günther
intended to add...

Assigning to Karolin for inclusion in 3.6.0
Comment 7 Karolin Seeger 2011-06-01 18:46:52 UTC
Pushed to v3-5-test and v3-6-test.
Re-assigning to Günther to decide whether to close the bug report or not.
Comment 8 Karolin Seeger 2011-06-01 18:47:46 UTC
Lowering severity.
Comment 9 Guenther Deschner 2011-06-28 15:24:36 UTC
no longer blocking the release of 3.6.0 at least.