[PATCH] bad password lock

Simo Sorce simo.sorce at xsec.it
Sun Sep 21 10:54:47 GMT 2003

On Sun, 2003-09-21 at 12:49, Andrew Bartlett wrote:
> Not quite - the way I understand that NT implements this is that the
> counter is maintained locally, but the block is maintained globally.  
> That means that if a system had a 'bad password lockout' of 3, you could
> connect 2*x + 1 times, where x is the number of DCs.
> The main point is to keep 2*x +1 < sizeof(dictionary), which really does
> make this game too easy for attackers.  (for an online dictionary
> attack, the point of this feature).

That make sense.

> > If you are concerned with performances, then I think we should
> > preferably add an option to disable the feature, for people that does
> > not need to use it.
> I actually think the compromise is quite workable.

Thinking twice I think so too, but makes me wonder how do you reset the
lock from a different DC, from my experience you can modify only the PDC
SAM with standard NT domain administration tools, so if databases are
stored locally how do you unlock an account being locked only on a BDC ?


Simo Sorce - simo.sorce at xsec.it
Xsec s.r.l. - http://www.xsec.it
via Durando 10 Ed. G - 20158 - Milano
mobile: +39 329 328 7702
tel. +39 02 2399 7130 - fax: +39 02 700 442 399

More information about the samba-technical mailing list