Jim Morris jim at morris-world.com
Tue Nov 26 21:25:11 GMT 2002

Hi All,

I have been using Samba for a long time, as a network administrator and
as a network consultant (since 1994).  For the first time, I have had
someone ask me how to setup Samba to deny access to a user after 3
unsuccessful logon attempts.  This is part of a new corporate security
policy at a Windows-centric company.  I have gotten the Linux server
itself to track the failed logon attempts using the pam_tally PAM
module, and it does the trick. However, I am sure you know what is
coming next......

As everyone on this list is probably aware, the use of encrypted
passwords and PAM password authentication are apparently mutually
exclusive options with Samba 2.2.x.  This is stated up front in the help
for the 'obey pam restrictions' option in the man page, I believe.

With PAM supported compiled in and enabled (obey pam restrictions =
Yes), I can switch to plain-text passwords (encrypted passwords = No),
and have Samba authenticate the user via PAM, obeying the pam_tally
setup to deny the user access after 3 failed logon attempts. However,
the use of encrypted passwords is also part of the corporate security
policy at the site in question.

With encrypted passwords on, Samba does obey the PAM account
authentication rules - it denies access to a user who has already
reached the configured number of logon attempts. However, an invalid
logon attempt via Samba in this configuration does not increment the
failed logon attempt counter maintained by pam_tally.so.  So I can try
to logon as many times as I want via SMB, without incrementing the
counter and disabling the user account.

I am hoping that someone on this list has some insight to this issue, or
has worked through it.

I am wondering if I modified the smbd source code to somehow force the
use of PAM even with encryption, if I could then somehow use the
pam_smb_auth module to authenticate against the Samba server. The help
for the pam_smb_auth.so PAM module seems to indicate that it supports
encrypted passwords when authenticating against an NT PDC.  I am not
sure this option is viable though.

Any suggestions are welcome.  The worst case scenario I see at the
moment would be having to downgrade the Samba PDC to a domain member
server, and perform all authentication with an NT PDC.  That is my least
desirable course of action though, as Samba was used to replace NT
Server several years ago. NT Server is still sitting on the shelf
though, and can be dusted off if that is the only way to achieve the
requirements for the security policy.

Note that if you have not looked at it, a Windows server (ack!) makes it
very easy to control this type of stuff. There is a 'Local Security Policy'
utility in the NT/2000 control panel. Using this utility, you can in a
few clicks set how many attempts are allowed before an account becomes
disabled.  Certainly much easier to find than the PAM alternative, which
took me some digging to find!

Alternatively, how difficult would it be to modify Samba to support an
option like this directly, within the constructs of the smbpasswd file?

Thanks for any help!

Jim Morris
AIM: JFM2001
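The lockout setup the post describes, written out as an added example (these are not the poster's own files): a pam_tally stack for the Samba PAM service and the smb.conf settings that go with it. The file path is an assumption, and the comments mark where the counting gap reported above occurs.

```conf
# /etc/pam.d/samba  (path assumed; Samba opens the PAM service named "samba")
#
# auth stack: pam_tally records every failed password check here.
# smbd only runs this stack when it verifies the password itself, i.e.
# with "encrypted passwords = No".  With encrypted (NTLM) passwords the
# hash comparison happens inside smbd and pam_authenticate is never
# called, so nothing in this stack increments the counter.
auth     required   pam_tally.so onerr=fail no_magic_root
auth     required   pam_unix.so

# account stack: consulted whenever "obey pam restrictions = Yes", so a
# user already at 3 failures is denied even with encrypted passwords on,
# and a successful logon resets the count.
account  required   pam_tally.so deny=3 no_magic_root reset
account  required   pam_unix.so

# smb.conf [global]: the combination under which the counter is
# actually incremented by failed SMB logons in 2.2.x
#   obey pam restrictions = Yes
#   encrypted passwords   = No

# Checking or clearing a user's failure count from the shell with the
# pam_tally helper ("jsmith" is a constructed user name):
#   pam_tally --user jsmith
#   pam_tally --user jsmith --reset
```

A quick way to confirm the gap the post reports is to run the first pam_tally command before and after a deliberately wrong SMB password with each encrypted-passwords setting and compare the counts.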

