** Summary changed:

- Samba 4.1.6 has userlock bug - fixed in 4.2.0
+ bad password lockout not available
** Description changed:

- Good Day All, first of all thanks for your work!!
+ Samba versions prior to 4.2.0 do not lock out users when they enter a
+ password incorrectly a certain number of times.

- I have an ubuntu server 14.04 on which i am running a samba-4 DC
- (version 4.1.6)
+ SRU REQUEST:

- now that version of samba has a known bug about the user account lockout
- (i.e. the users are not getting locked out when they put the wrong
- password for X times)
+ [Impact]

- this is a known issue:
-
- http://ubuntuforums.org/showthread.php?t=2210798&page=4
-
- and it has been resolved in samba 4.2.0, which is now in "stable" release:
+ As a basic security rule, any AD server (or in general any Identity
+ Manager / Directory system) must be able to lock out a user if he fails
+ to authenticate for a defined number of times. This feature is NOT
+ AVAILABLE for any samba 4.1 release. This is documented in the following
+ release notes:
  https://www.samba.org/samba/history/samba-4.2.0.html

- my question is: can you please release the package samba-4.2.0 (and
- eventually the related samba-tools) on ubuntu server 14?
+ > Samba's AD DC now implements bad password lockout (on a per-DC basis).

- thanks!
+ > That is, incorrect password attempts are tracked, and accounts locked
+ > out if too many bad passwords are submitted. There is also a grace
+ > period of 60 minutes on the previous password when used for NTLM
+ > authentication (matching Windows 2003 SP1: https://support2.microsoft.com/kb/906305).
+
+ Currently any Ubuntu server around the world used as AD DC with samba
+ 4.1 (either used as primary or replica DC) has this user lockout bug.
+ This is, in my opinion, a HUGE security vulnerability and this should be
+ treated as a HIGH-IMPACT BUG. In fact, blocking a user account after "X"
+ password failures is the most basic and most effective defence against
+ a hacker's password brute-force attack. In theory, a simple brute-force
+ attack could easily find the password for the Administrator of the DC of any
+ samba 4.1 implementation, which implies disastrous consequences for the
+ overall company using it.
+
+ [Test Case]
+
+ 1) create an AD domain controller using ubuntu 14 + samba 4.1.6
+ 2) create a domain user Administrator, or any other domain user.
+ 3) join any windows machine to the domain
+ 4) try to authenticate to the newly added machine using Administrator and a wrong password: you will notice that you can make as many attempts as you want, the user will never be locked out. This is also evident by looking at the "bad password count" field of the user: you notice that it never increments and the Account Flags never change automatically (i.e. the user is always Unlocked)
+
+ Unix username: Administrator
+ NT username:
+ Account Flags: [U ]
+ User SID: S-1-5-21-2561872439-3810134724-4206319815-8276
+ Primary Group SID: S-1-5-21-2561872439-3810134724-4206319815-513
+ Full Name: Mario Pio Russo/Ireland/IBM
+ Home Directory:
+ HomeDir Drive: (null)
+ Logon Script: logon.bat
+ Profile Path:
+ Domain:
+ Account desc: "IBMID=I76786754;IBM-NAME=Russo, Mario Pio;ManagerID=I9469 5754;[email protected];ManagerName=Schoeller, Reinhard"
+ Workstations:
+ Munged dial:
+ Logon time: 0
+ Logoff time: Tue, 19 Jan 2038 03:14:07 GMT
+ Kickoff time: Tue, 19 Jan 2038 03:14:07 GMT
+ Password last set: Tue, 07 Apr 2015 16:45:38 BST
+ Password can change: Tue, 07 Apr 2015 16:45:38 BST
+ Password must change: never
+ Last bad password : 0
+ Bad password count : 0
+ Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+
+ 5) repeating the same with any version of samba 4.2 will actually increment the bad password count and effectively lock the user
+
+ [Regression Potential]
+
+ According to the Samba Community, all the regressions from samba 4.2 to
+ samba 4.1 have been addressed, however this needs to be confirmed by
+ ad-hoc tests
+
+ [Other Info]
+
+ Please note that samba 4.2.1 is already out and I suggest moving to that version. Also please refer to the release notes of samba 4.2.0 as there are other security improvements like the "winbind secure connection"

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1442039

Title:
  bad password lockout not available

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba4/+bug/1442039/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
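The behaviour the [Impact] section quotes from the 4.2.0 release notes (failed attempts tracked, account locked once the count reaches a threshold, a grace period for the previous password over NTLM) and the [Test Case] above can be pictured with a small model of an AD-style lockout policy. The code below is an added illustration written for this page; it is not Samba's code and not part of the bug report. Policy values, the account and the guesses are constructed; the names `LockoutPolicy`, `Account`, `authenticate` and `run_attempts` are this example's own, and the reading of the grace period as "the previous password is still honoured over NTLM for 60 minutes after a change" is an assumption taken from the release-note wording and the linked KB article. A threshold of 0 disables lockout, which is the effective 4.1 behaviour the reporter observed: the "Bad password count" field never moves.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MINUTE = timedelta(minutes=1)


@dataclass
class LockoutPolicy:
    """Constructed stand-in for the domain's lockout settings (hypothetical names)."""
    threshold: int                  # failures allowed before lockout; 0 = lockout disabled (4.1 effect)
    duration: timedelta             # how long an account stays locked before it auto-unlocks
    observation_window: timedelta   # failures older than this are forgotten (count starts over)
    old_password_grace: timedelta = 60 * MINUTE  # previous password honoured over NTLM this long after a change


@dataclass
class Account:
    """Constructed account; 'bad_pwd_count' is the field pdbedit prints as 'Bad password count'."""
    password: str
    previous_password: Optional[str] = None
    pwd_last_set: datetime = datetime(2015, 4, 7, 16, 45, 38)  # the "Password last set" from the bug's output
    bad_pwd_count: int = 0
    last_bad_pwd: Optional[datetime] = None
    lockout_time: Optional[datetime] = None


def is_locked(acct: Account, policy: LockoutPolicy, now: datetime) -> bool:
    """Locked while lockout_time is set and the lockout duration has not elapsed; expiry auto-unlocks."""
    if acct.lockout_time is None:
        return False
    if now - acct.lockout_time >= policy.duration:
        acct.lockout_time = None
        acct.bad_pwd_count = 0
        return False
    return True


def authenticate(acct: Account, policy: LockoutPolicy, attempt: str, now: datetime, ntlm: bool = True) -> str:
    """Evaluate one logon attempt and return 'ok', 'bad_password' or 'locked_out'."""
    if is_locked(acct, policy, now):
        return "locked_out"            # even the correct password is refused while locked
    if attempt == acct.password:
        acct.bad_pwd_count = 0         # a good logon clears the failure count
        return "ok"
    # Assumed reading of the 4.2 notes' grace period: over NTLM the previous password
    # keeps working for 60 minutes after a password change (the KB906305 behaviour).
    if (ntlm and acct.previous_password is not None
            and attempt == acct.previous_password
            and now - acct.pwd_last_set < policy.old_password_grace):
        return "ok"
    if policy.threshold == 0:
        return "bad_password"          # 4.1 effect: rejected, but never counted, never locked
    if acct.last_bad_pwd is not None and now - acct.last_bad_pwd >= policy.observation_window:
        acct.bad_pwd_count = 0         # observation window expired: start counting afresh
    acct.bad_pwd_count += 1
    acct.last_bad_pwd = now
    if acct.bad_pwd_count >= policy.threshold:
        acct.lockout_time = now
        return "locked_out"
    return "bad_password"


def run_attempts(policy: LockoutPolicy, acct: Account, attempts: List[str],
                 start: datetime, step: timedelta = timedelta(seconds=1)) -> List[str]:
    """Feed a list of guesses one `step` apart and collect each outcome."""
    return [authenticate(acct, policy, guess, start + i * step) for i, guess in enumerate(attempts)]


# Constructed policies: 4.1-like (no lockout) versus 4.2-like (lock after 5 failures, 30 min).
SAMBA_41_LIKE = LockoutPolicy(threshold=0, duration=30 * MINUTE, observation_window=30 * MINUTE)
SAMBA_42_LIKE = LockoutPolicy(threshold=5, duration=30 * MINUTE, observation_window=30 * MINUTE)
WRONG_GUESSES = ["guess%d" % i for i in range(8)]   # constructed wrong passwords
T0 = datetime(2015, 4, 7, 17, 0, 0)                  # constructed start time

if __name__ == "__main__":
    for name, policy in (("4.1-like", SAMBA_41_LIKE), ("4.2-like", SAMBA_42_LIKE)):
        acct = Account(password="correct-password")
        print(name, run_attempts(policy, acct, WRONG_GUESSES, T0), "bad count:", acct.bad_pwd_count)
```

On a real 4.2 DC the same settings are managed with `samba-tool domain passwordsettings set` (options `--account-lockout-threshold`, `--account-lockout-duration` and `--reset-account-lockout-after`, in minutes), and the effect is checked exactly as the test case does, by reading the "Bad password count" and "Account Flags" lines of `pdbedit -Lv <user>` after a few deliberate wrong logons. The model also shows why the release notes say "per-DC": the count and lockout time live on the DC that saw the failures, so a replica that sees none of them reports a count of 0 until the values replicate.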
