Encrypted Passwords & Restricting Logon Attempts

Andrew Bartlett abartlet at samba.org
Wed Nov 27 08:42:33 GMT 2002 

On Wed, 2002-11-27 at 08:22, Jim Morris wrote:
> Hi All,
> 
> I have been using Samba for a long time, as a network administrator and
> as a network consultant (since 1994).  For the first time, I have had
> someone ask me how to setup Samba to deny access to a user after 3
> unsuccessful logon attempts.  This is part of a new corporate security
> policy at a Windows-centric company.  I have gotten the Linux server
> itself to track the failed logon attempts using the pam_tally PAM
> module, and it does the trick. However, I am sure you know what is
> coming next......
> 
> As everyone on this list is probably aware, the use of encrypted
> passwords and PAM password authentication are an apparently mutually
> exclusive options with Samba 2.2.x.  This is stated up front in the help
> for the 'obey pam restrictions' option in the man page I believe.

Just to make this clear, this is not of our choosing, it is just a
matter of how the protocol works.

> With PAM supported compiled in and enabled (obey pam restrictions =
> Yes), I can switch to plain-text passwords (encrypted passwords = No),
> and have Samba authenticate the user via PAM, obeying the pam_tally
> setup to deny the user access after 3 failed logon attempts. However,
> the use of encrypted passwords is also part of the corporate security
> policy at the site in question.

It would also prevent domain logons, and exposes bugs in other parts of
Microsoft's client.

> With encrypted passwords on, Samba does obey the PAM account
> authentication rules - it denies access to a user who has already
> reached the configured number of logon attempts. However, an invalid
> logon attempt via Samba in this configuration does not increment the
> failed logon attempt counter maintained by pam_tally.so.  So I can try
> to logon as many times as I want via SMB, without incrementing the
> counter and disabling the user account.
> 
> I am hoping that someone on this list has some insight to this issue, or
> has worked through it.

I think that the easiest way to do this would be to look into Samba
3.0's auth subsystem, and add a hook for WRONG_PASSORD return values. 
This could update the same database that pam_tally uses.

> I am wondering if I modified the smbd source code to somehow force the
> use of PAM even with encryption, if I coudl then somehow use the
> pam_smb_auth module to authenticate against the Samba server. The help
> for the pam_smb_auth.so PAM module seems to indicate that it supports
> encrypted passwords when authenticating against an NT PDC.  I am not
> sure this option is viable though.

No, it doesn't support that.  What it means is that it will encrypt the
passwords between the server it is running on, and the remote password
server.

> Any suggestions are welcome.  The worst case scenario I see at the
> moment would be having to downgrade the Samba PDC to a domain member
> server, and perform all authentication with an NT PDC.  That is my least
> desirable course of action though, as Samba was used to replace NT
> Server several years ago. NT Server is still sitting on the shelf
> though, and can be dusted off if that is the only way to achieve the
> requirements for the security policy.
>
> Note that if you have not looked at it, a Windows server (ack!) makes it
> very easy to control this type stuff. There is a 'Local Security Policy'
> utility in the NT/2000 control panel. Using this utility, you can in a
> few clicks set how many attempts are allowed before an account becomes
> disabled.  Certainly much easier to find than the PAM alternative, which
> took me some digging to find!

We certainly need to work on this, and a number of other 'enterprise
grade' features.  There are a number of things that, as developers, we
don't notice, but user feedback (and in some cases, very good patches!)
has allowed us to support.

This feature in particular should be picked up when we finish
implementing and better integrating account policy support.  

> Alternatively, how difficult would it be to modify Samba to support an
> option like this directly, within the constructs of the smbpasswd file?

Yes, your best option is to modify Samba,

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20021127/5349e7fb/attachment.bin

More information about the samba-technical mailing list