bad password lockout not available
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| samba4 (Ubuntu) | | Undecided | Unassigned | |
Bug Description
Samba versions prior to 4.2.0 do not lock out users when they enter a password incorrectly a certain number of times.
SRU REQUEST:
[Impact]
As a basic security rule, any AD server (or in general any Identity Manager / Directory system) must be able to lock out a user if he fails to authenticate a defined number of times. This feature is NOT AVAILABLE in any samba 4.1 release. This is documented in the following release notes:
https:/
> Samba's AD DC now implements bad password lockout (on a per-DC basis).
> That is, incorrect password attempts are tracked, and accounts locked
> out if too many bad passwords are submitted. There is also a grace
> period of 60 minutes on the previous password when used for NTLM
> authentication (matching Windows 2003 SP1: https:/
Currently any Ubuntu server around the world used as an AD DC with samba 4.1 (either as primary or replica DC) has this user lockout bug. This is, in my opinion, a HUGE security vulnerability and this should be treated as a HIGH-IMPACT BUG. In fact, blocking a user account after "X" password failures is the most basic and most effective defence against a hacker's password brute-force attack. In theory, a simple brute-force attack could easily find the password for the Administrator of the DC of any samba 4.1 implementation, which implies disastrous consequences for the overall company using it.
[Test Case]
1) create an AD domain controller using ubuntu 14 + samba 4.1.6
2) create a domain user Administrator, or any other domain user.
3) join any windows machine to the domain
4) try to authenticate to the newly added machine using Administrator and a wrong password. You will notice that you can try as many attempts as you want; the user will never be locked out. This is also evident by looking at the "bad password count" field of the user: you notice that it never increments and the Account Flags never change automatically (i.e. the user is always Unlocked)
Unix username: Administrator
NT username:
Account Flags: [U ]
User SID: S-1-5-21-
Primary Group SID: S-1-5-21-
Full Name: Mario Pio Russo/Ireland/IBM
Home Directory:
HomeDir Drive: (null)
Logon Script: logon.bat
Profile Path:
Domain:
Account desc: "IBMID=
Workstations:
Munged dial:
Logon time: 0
Logoff time: Tue, 19 Jan 2038 03:14:07 GMT
Kickoff time: Tue, 19 Jan 2038 03:14:07 GMT
Password last set: Tue, 07 Apr 2015 16:45:38 BST
Password can change: Tue, 07 Apr 2015 16:45:38 BST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFF
5) repeating the same with any version of samba 4.2 will actually increment the bad password count and effectively lock the user
[Regression Potential]
According to the Samba Community, all the regressions from samba 4.2 to samba 4.1 have been addressed; however, this needs to be confirmed by ad-hoc tests
[Other Info]
Please note that samba 4.2.1 is already out and I suggest moving to that version. Also please refer to the release notes of samba 4.2.0, as there are other security improvements like the "winbind secure connection"
| Matthew Delfino (matthew-delfino) wrote : | #2 |
I can confirm this, and also support this bug author's assertion that the user account lockout is a very important security feature for those of us using Samba as an active directory domain controller:
"Samba's AD DC now implements bad password lockout (on a per-DC basis).
That is, incorrect password attempts are tracked, and accounts locked
out if too many bad passwords are submitted. There is also a grace
period of 60 minutes on the previous password when used for NTLM
authentication (matching Windows 2003 SP1: https:/
The relevant settings can be seen using 'samba-tool domain
passwordsettings show' (the new settings being highlighted):
Password informations for domain 'DC=samba,
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
* Account lockout duration (mins): 30 *
* Account lockout threshold (attempts): 0 *
* Reset account lockout after (mins): 30 *
These values can be set using 'samba-tool domain passwordsettings set'."
Thank you for your hard work and please bake this 4.2 release into Ubuntu Server 14.04, if possible and prudent to do so.
Thanks!
| Robie Basak (racb) wrote : | #3 |
Thank you for taking the time to report this bug and helping to make Ubuntu better.
See https:/
| mario pio (mariopiorusso) wrote : | #4 |
Hi Robie
I have never done anything like that before, v 4.2 is critical so I will try to follow up the procedure you sent and see what happens.
Let me know if you have any better way/idea to speed up the release.
thanks
| mario pio (mariopiorusso) wrote : | #5 |
[Impact]
* An explanation of the effects of the bug on users and
As a basic security rule, any AD server (or in general any Identity Manager / Directory system) must be able to lock out a user if he fails to authenticate a defined number of times. This feature is NOT AVAILABLE in any samba 4.1 release, not even by patching it. The only possible solution to the issue is to upgrade to samba 4.2.X. This is documented in the following release notes:
https:/
8< -------
Bad Password Lockout in the AD DC
=======
Samba's AD DC now implements bad password lockout (on a per-DC basis).
That is, incorrect password attempts are tracked, and accounts locked
out if too many bad passwords are submitted. There is also a grace
period of 60 minutes on the previous password when used for NTLM
authentication (matching Windows 2003 SP1: https:/
The relevant settings can be seen using 'samba-tool domain
passwordsettings show' (the new settings being highlighted):
Password informations for domain 'DC=samba,
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
* Account lockout duration (mins): 30 *
* Account lockout threshold (attempts): 0 *
* Reset account lockout after (mins): 30 *
These values can be set using 'samba-tool domain passwordsettings set'.
-------
* justification for backporting the fix to the stable release.
Currently any Ubuntu server around the world used as an AD DC with samba 4.1 (either as primary or replica DC) has this user lockout bug. This is, in my opinion, a HUGE security vulnerability and this should be treated as a HIGH-IMPACT BUG. In fact, blocking a user account after "X" password failures is the most basic and most effective defence against a hacker's password brute-force attack. In theory, a simple brute-force attack could easily find the password for the Administrator of the DC of any samba 4.1 implementation, which implies disastrous consequences for the overall company using it.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
The new samba 4.2.1 stable release has been recently released. The source code can be downloaded from here
The package 4.2 should be (in my opinion) a full substitute for the 4.1.6 version currently available for Ubuntu server 14
Any version of samba 4.2 has this bug fixed, as documented by the release notes of version 4.2
[Test Case]
* detailed instructions how to reproduce the bug
1) create an AD domain controller using ubuntu 14 + samba 4.1.6
2) create a domain user Administrator, or any other domain user.
3) join any windows machine to the domain
4) try to authenticate to the newly added machine using Administrator and a wrong password. You will notice that you can try as many attempts as you want; the user will never be locked out. This is also evident...
| description: | updated |
| summary: | - Samba 4.1.6 has userlock bug - fixed in 4.2.0 |
| | + bad password lockout not available |
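The two checks the reporter describes (is a lockout threshold configured, and does the per-user bad password counter actually move after wrong passwords) can be made mechanical. The shell example below is added here and is not from the bug report, Ubuntu or the Samba project: it parses the `samba-tool domain passwordsettings show` output quoted in comments #2 and #5 and the per-user account dump from the test case in the description (the format `pdbedit -Lv` prints), and reports whether lockout is in force. It distinguishes three situations: a 4.1 DC, where the lockout lines do not exist at all; a 4.2 DC with the default policy, where the threshold is 0 and therefore still never locks anyone out; and a hardened policy with a non-zero threshold. All sample outputs are constructed to match the formats on this page; the domain DN and the `--account-lockout-threshold` option name mentioned in a comment are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example (not part of the bug report or of Samba): decide from the text
# output of `samba-tool domain passwordsettings show` and `pdbedit -Lv` whether
# bad-password lockout is actually in force. Sample outputs are constructed in
# the format the report shows; nothing here contacts a domain controller.

# `samba-tool domain passwordsettings show` on a 4.2 DC with the default policy,
# as quoted in the release notes (constructed; the domain DN is a placeholder).
SAMPLE_POLICY_DEFAULT='Password informations for domain '\''DC=samba,DC=example,DC=com'\''
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30'

# The same DC after raising the threshold, e.g. with
# `samba-tool domain passwordsettings set --account-lockout-threshold=5`
# (assumed option name). Constructed by editing the default output.
SAMPLE_POLICY_HARDENED=$(printf '%s\n' "$SAMPLE_POLICY_DEFAULT" \
    | sed 's/^Account lockout threshold (attempts): 0$/Account lockout threshold (attempts): 5/')

# A 4.1 DC prints no lockout lines at all: the setting does not exist there.
SAMPLE_POLICY_41=$(printf '%s\n' "$SAMPLE_POLICY_DEFAULT" | grep -v 'lockout')

# Per-user dump after several wrong passwords on a 4.1 DC: the counter never
# moves (constructed from the excerpt in the bug description).
SAMPLE_PDBEDIT='Unix username: Administrator
Account Flags: [U          ]
Last bad password : 0
Bad password count : 0'

# Print the integer after "<label>:" (tolerating the "* ... *" highlighting the
# release notes use and the "label : value" spacing pdbedit uses), or nothing
# if no such line exists. $1 = text, $2 = label.
field_value() {
    printf '%s\n' "$1" | sed -n "s/^[* ]*$2 *: *\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# "disabled" when the threshold is 0 or the setting is absent (Samba 4.1),
# otherwise "enabled:<threshold>:<lockout-duration-mins>".
lockout_status() {
    lk_threshold=$(field_value "$1" "Account lockout threshold (attempts)")
    lk_duration=$(field_value "$1" "Account lockout duration (mins)")
    if [ -z "$lk_threshold" ] || [ "$lk_threshold" -eq 0 ]; then
        echo disabled
    else
        echo "enabled:$lk_threshold:${lk_duration:-0}"
    fi
}

# Bad password counter from the per-user dump (empty if the line is missing).
bad_password_count() {
    field_value "$1" "Bad password count"
}

# Combine both views: after known-bad attempts, lockout is only ENFORCED when
# the policy is enabled AND the per-user counter has advanced.
# $1 = policy text, $2 = per-user dump text.
lockout_verdict() {
    case $(lockout_status "$1") in
        disabled) echo "NOT-ENFORCED" ;;
        *)
            lv_count=$(bad_password_count "$2")
            if [ -n "$lv_count" ] && [ "$lv_count" -gt 0 ]; then
                echo "ENFORCED"
            else
                echo "NOT-ENFORCED"
            fi ;;
    esac
}

printf '4.1 DC policy:      %s\n' "$(lockout_status "$SAMPLE_POLICY_41")"
printf '4.2 default policy: %s\n' "$(lockout_status "$SAMPLE_POLICY_DEFAULT")"
printf '4.2 hardened:       %s\n' "$(lockout_status "$SAMPLE_POLICY_HARDENED")"
printf 'Verdict on 4.1 DC:  %s\n' "$(lockout_verdict "$SAMPLE_POLICY_41" "$SAMPLE_PDBEDIT")"
```

To run it against a real DC, feed the functions the live output instead of the samples, e.g. `lockout_status "$(samba-tool domain passwordsettings show)"`. The point the script makes explicit is that moving to 4.2 alone is not enough: the release notes show a default threshold of 0, so the policy still has to be set before any account will ever be locked.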
| Luke Faraone (lfaraone) wrote : | #6 |
I've amended the bug description to include the SRU details, as specified in <https:/
However, we cannot SRU a bug that is unfixed in the current development release of Ubuntu. As of present, the vivid series ships 2:4.1.13+
So, first this bug needs to be fixed in the development release. As we're in a pre-release freeze for vivid (and feature freeze has been in effect for a long time), someone would need to prepare a patch against the current version in vivid that implements this change **and only this change**, and would need the release managers to approve a feature freeze exception.
Since samba is such a critical package, it would be in my opinion exceedingly irresponsible to introduce new functionality to Samba on such a short timescale.
As such, I recommend that this be addressed in V+1. At that point, the easiest option to deploy this feature to the LTS would be to provide it in backports; alternatively, if the SRU team believes this feature addition is critical enough to provide in a stable release update, the relevant functionality would need to be prepared as a patch against the version in Ubuntu 14.04 LTS, 2:4.1.6+
| information type: | Public → Public Security |
| mario pio (mariopiorusso) wrote : | #7 |
Thank you Luke!
Please keep us updated with any info about this
Status changed to 'Confirmed' because the bug affects multiple users.