[Impact]

 * An explanation of the effects of the bug on users and

As a basic security rule, any AD server (or in general any Identity Manager / Directory system) must be able to lock out a user if he fails to authenticate a defined number of times. This feature is NOT AVAILABLE in any samba 4.1 release, not even by patching it. The only possible solution to the issue is to upgrade to samba 4.2.X. This is documented in the following release notes: https://www.samba.org/samba/history/samba-4.2.0.html

8< -----------------------------------------------
Bad Password Lockout in the AD DC
=================================

Samba's AD DC now implements bad password lockout (on a per-DC basis). That is, incorrect password attempts are tracked, and accounts locked out if too many bad passwords are submitted. There is also a grace period of 60 minutes on the previous password when used for NTLM authentication (matching Windows 2003 SP1: https://support2.microsoft.com/kb/906305).

The relevant settings can be seen using 'samba-tool domain passwordsettings show' (the new settings being highlighted):

Password informations for domain 'DC=samba,DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
* Account lockout duration (mins): 30 *
* Account lockout threshold (attempts): 0 *
* Reset account lockout after (mins): 30 *

These values can be set using 'samba-tool domain passwordsettings set'.
------------------------------------------------>8

 * justification for backporting the fix to the stable release.

Currently any Ubuntu server around the world used as an AD DC with samba 4.1 (either as primary or replica DC) has this user lockout bug. This is, in my opinion, a HUGE security vulnerability and should be treated as a HIGH-IMPACT BUG. In fact, blocking a user account after "X" password failures is the most basic and most effective defence against a hacker's password brute-force attack. In theory, a simple brute-force attack could easily find the password for the Administrator of the DC of any samba 4.1 implementation, which implies disastrous consequences for the whole company using it.

 * In addition, it is helpful, but not required, to include an explanation of how the upload fixes this bug.

The new samba 4.2.1 stable release has recently been released. The source code can be downloaded from https://www.samba.org/samba/. The 4.2 package should be (in my opinion) a full substitute for the 4.1.6 version currently available for Ubuntu server 14. Any version of samba 4.2 has this bug fixed, as documented by the release notes of version 4.2.

[Test Case]

 * detailed instructions how to reproduce the bug

1) Create an AD domain controller using Ubuntu 14 + samba 4.1.6.
2) Create a domain user Administrator, or any other domain user.
3) Join any Windows machine to the domain.
4) Try to authenticate to the newly added machine using Administrator and a wrong password. You will notice that you can make as many attempts as you want; the user will never be locked out. This is also evident from the "Bad password count" field of the user: you will notice that it never increments and the Account Flags never change automatically (i.e. the user is always unlocked):

Unix username:        Administrator
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-2561872439-3810134724-4206319815-8276
Primary Group SID:    S-1-5-21-2561872439-3810134724-4206319815-513
Full Name:            Mario Pio Russo/Ireland/IBM
Home Directory:
HomeDir Drive:        (null)
Logon Script:         logon.bat
Profile Path:
Domain:
Account desc:         "IBMID=I76786754;IBM-NAME=Russo, Mario Pio;ManagerID=I9469 5754;[email protected];ManagerName=Schoeller, Reinhard"
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 03:14:07 GMT
Kickoff time:         Tue, 19 Jan 2038 03:14:07 GMT
Password last set:    Tue, 07 Apr 2015 16:45:38 BST
Password can change:  Tue, 07 Apr 2015 16:45:38 BST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

5) Repeating the same with any version of samba 4.2 will actually increment the bad password count and effectively lock the user.

[Regression Potential]

 * discussion of how regressions are most likely to manifest as a result of this change.

According to the Samba Community, all the regressions from samba 4.2 to samba 4.1 have been addressed; however, this needs to be confirmed by ad-hoc tests.

 * It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression.
 * This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU.

[Other Info]

Please note that samba 4.2.1 is already out and I suggest moving to that version. Also please refer to the release notes of samba 4.2.0 as there are other security improvements like the "winbind secure connection".

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1442039

Title:
  Samba 4.1.6 has userlock bug - fixed in 4.2.0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba4/+bug/1442039/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
