[PATCH] bad password lock
adegremont at idealx.com
Tue Sep 16 14:33:18 GMT 2003
Andrew Bartlett wrote:
> Nothing states that one 'unknown_5' is equvilant to another. Just poke
> a win2k box with rpcclient, and see what you can find. You should
> ensure that we return the same values as Win2k here, so that things like
> Sam replication can replicate this too.
We have already done some research about it and it seems that it is
(unknown_5 - struct info21 : bad pwd count). But more researche is needed.
> This is about the attacker - the normal user mistyping the password
> isn't what this patch is about. So the races do matter, and we should
> add a 'increment failed login' specific operation, for each backend to
> implement as well as it possibly can. That could mean locking/looping
> for the increment, but that's fine.
We developped this fonctionnality to avoid brute force attacks on logon
controlers. So, we are concerned with this problem. You're right, it
greatly matters, by the way.
> Does that change the XML syntax? It's experimental ATM, but watch for
> that kind of thing.
Samba throw an error because it doesn't know what to do with this
element (see pdb_xml.c, line 236) and the right value of 'logon time'
field is lost !
About this ATM, I test it in export/import context with pdbedit, and
that worked fine.
More information about the samba-technical