[PATCH] bad password lock
Andrew Bartlett
abartlet at samba.org
Sun Sep 21 11:02:16 GMT 2003
On Sun, 2003-09-21 at 20:54, Simo Sorce wrote:
> On Sun, 2003-09-21 at 12:49, Andrew Bartlett wrote:
> > Not quite - the way I understand that NT implements this is that the
> > counter is maintained locally, but the block is maintained globally.
> >
> > That means that if a system had a 'bad password lockout' of 3, you could
> > connect 2*x + 1 times, where x is the number of DCs.
> >
> > The main point is to keep 2*x + 1 < sizeof(dictionary), which really does
> > make this game too easy for attackers (for an online dictionary
> > attack, the point of this feature).
>
> That makes sense.
>
> > > If you are concerned with performance, then I think we should
> > > preferably add an option to disable the feature, for people who do
> > > not need to use it.
> >
> > I actually think the compromise is quite workable.
>
> Thinking twice, I think so too, but it makes me wonder how you reset the
> lock from a different DC. From my experience you can modify only the PDC
> SAM with standard NT domain administration tools, so if databases are
> stored locally, how do you unlock an account that is locked only on a BDC?
Remember that machine account passwords may also be changed on a BDC. I
think there is a messaging system in NT, where these things are
propagated back. I presume the BDC simply sends a 'lock this account'
message to the PDC.
The 'lock' itself is simply a bit in the account control bit flags
(ACB). So the unlock would be like any other SAM operation.
Of course, by cutting off inter-DC communication, the equation becomes
3*x < sizeof(dictionary)....
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
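The guess budget Andrew derives above (2*x + 1 with a lockout of 3, 3*x once inter-DC messaging is cut) can be checked with a small model of the design: a per-DC bad-password counter and a domain-wide lock bit. This is an added example, not code from the thread or from Samba; the `Domain` class, the round-robin guess order and the `shared_counter` variant (a fully replicated counter, the option Simo's performance concern was about) are assumptions of the model.

```python
from dataclasses import dataclass, field


@dataclass
class Domain:
    """One account's lockout state across the domain's DCs (added model)."""
    num_dcs: int
    threshold: int                 # bad passwords before lockout, e.g. 3
    propagate_lock: bool = True    # False models cut inter-DC communication
    shared_counter: bool = False   # True models one fully replicated counter
    counters: list = field(init=False)
    locked: list = field(init=False)

    def __post_init__(self):
        self.counters = [0] * self.num_dcs
        self.locked = [False] * self.num_dcs

    def bad_password(self, dc: int) -> bool:
        """Process one wrong password at DC `dc`.

        Returns True if the DC checked the guess, False if it refused it
        outright because the account is already locked there.
        """
        if self.locked[dc]:
            return False
        if self.shared_counter:
            self.counters = [c + 1 for c in self.counters]  # one domain-wide counter
        else:
            self.counters[dc] += 1          # counter kept locally, as in NT
        if self.counters[dc] >= self.threshold:
            # the lock is just a bit in the ACB flags; push it to the other DCs
            if self.propagate_lock:
                self.locked = [True] * self.num_dcs
            else:
                self.locked[dc] = True
        return True


def guess_budget(num_dcs: int, threshold: int, **policy) -> int:
    """Wrong guesses actually checked before every DC refuses the account,
    spread round-robin over the DCs (the worst case for the defender)."""
    domain = Domain(num_dcs, threshold, **policy)
    checked, dc = 0, 0
    while not all(domain.locked):
        if domain.bad_password(dc):
            checked += 1
        dc = (dc + 1) % num_dcs
    return checked
```

With four DCs and a threshold of 3, `guess_budget(4, 3)` gives 9, `guess_budget(4, 3, propagate_lock=False)` gives 12, and `guess_budget(4, 3, shared_counter=True)` gives 3, which is the trade-off between replication cost and guess budget the thread is weighing.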