[PATCH] bad password lock

Andrew Bartlett abartlet at samba.org
Tue Sep 16 13:54:55 GMT 2003


On Tue, 2003-09-16 at 23:20, Aurélien Degrémont wrote:
> Andrew Bartlett wrote:
> 
> > The main problem with this patch is the change to the DB format string -
> > you break every TDBsam installation out there.
> 
> Yes, I know this breaks the compatibility with all existing tdbsam bases.
> We try to find out the correct place for this information but it's 
> not easy.
> We think that the unknown5 field contains this information, according 
> to ethereal. But it's difficult to work with this field due to all of 
> its occurrences in samba code. 

Nothing states that one 'unknown_5' is equivalent to another.  Just poke
a win2k box with rpcclient, and see what you can find.  You should
ensure that we return the same values as Win2k here, so that things like
Sam replication can replicate this too.  

> No documentation is available for it.
> Could we have more details about this field and the structures?

An ethereal sniff can sometimes help - but the usual trick is to simply
change a value (ie, wrong password attempt) and then query the info with
rpcclient again.  If rpcclient won't display the results, then sniff
it.  In the same way, you should check where the value appears in the
samsync etc.

> > The other problem is that it's racy - we don't atomically update the
> > counter.  That's hard, given the current model, but newer LDAP servers
> > apparently have support for an 'increment this value' control.
> 
> But for the other backends?
> Moreover, this will force users to use the newest versions of LDAP?
> Obviously it's a problem, but the possibility that a user tries to log 
> on many times at the same moment is rare :).

This is about the attacker - the normal user mistyping the password
isn't what this patch is about.  So the races do matter, and we should
add an 'increment failed login' specific operation, for each backend to
implement as well as it possibly can.  That could mean locking/looping
for the increment, but that's fine.

> The patch also corrects a small mistake in pdb_xml.c
> -> s/login/logon/
> :)

Does that change the XML syntax?  It's experimental ATM, but watch for
that kind of thing.

Andrew Bartlett

> Aurélien Degrémont
> 
> 
> 
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
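
The lost update behind the race discussed in this message, and a "looping" increment of the kind it asks each backend to provide, as an added example that is not part of the original message or of Samba's code. The record layout and every function name are hypothetical, and the concurrent logins are simulated with a fixed interleaving instead of real threads.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_CLIENTS 16

/* Constructed stand-in for one account record in a password backend. */
struct record { unsigned bad_count; unsigned version; };

/* Hypothetical backend primitives: plain fetch/store and a conditional store. */
static struct record fetch(const struct record *db) { return *db; }
static void store(struct record *db, unsigned bad_count) {
    db->bad_count = bad_count;
    db->version++;
}
static bool store_if_unchanged(struct record *db, unsigned seen, unsigned bad_count) {
    if (db->version != seen) return false;   /* someone else wrote first */
    store(db, bad_count);
    return true;
}

/* Looping increment: retry until the store lands on the version just read. */
static void increment_bad_count(struct record *db, struct record cur) {
    while (!store_if_unchanged(db, cur.version, cur.bad_count + 1))
        cur = fetch(db);
}

/* n parallel failed logins: every client fetches before any client stores. */
static unsigned run(unsigned n, bool looping) {
    struct record db = {0, 0}, seen[MAX_CLIENTS];
    if (n > MAX_CLIENTS) n = MAX_CLIENTS;
    for (unsigned i = 0; i < n; i++) seen[i] = fetch(&db);
    for (unsigned i = 0; i < n; i++) {
        if (looping) increment_bad_count(&db, seen[i]);
        else         store(&db, seen[i].bad_count + 1);  /* read-modify-write */
    }
    return db.bad_count;
}

unsigned racy_failures(unsigned n)    { return run(n, false); }
unsigned looping_failures(unsigned n) { return run(n, true); }

int main(void) {
    /* Five wrong passwords sent at once: the racy counter records one. */
    printf("racy counter:    %u\n", racy_failures(5));
    printf("looping counter: %u\n", looping_failures(5));
    return 0;
}
```

With the plain read-modify-write, a lockout threshold compared against this counter is reached later than the number of guesses actually made.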