[PATCH] bad password lock

Andrew Bartlett abartlet at samba.org
Sun Sep 21 11:02:16 GMT 2003


On Sun, 2003-09-21 at 20:54, Simo Sorce wrote:
> On Sun, 2003-09-21 at 12:49, Andrew Bartlett wrote:
> > Not quite - the way I understand that NT implements this is that the
> > counter is maintained locally, but the block is maintained globally.  
> > 
> > That means that if a system had a 'bad password lockout' of 3, you could
> > connect 2*x + 1 times, where x is the number of DCs.
> > 
> > The main point is to keep 2*x + 1 < sizeof(dictionary), which really does
> > make this game too easy for attackers.  (for an online dictionary
> > attack, the point of this feature).
> 
> That makes sense.
> 
> > > If you are concerned with performance, then I think we should
> > > preferably add an option to disable the feature, for people that do
> > > not need to use it.
> > 
> > I actually think the compromise is quite workable.
> 
> Thinking twice, I think so too, but it makes me wonder how you reset the
> lock from a different DC. From my experience you can modify only the PDC
> SAM with standard NT domain administration tools, so if databases are
> stored locally how do you unlock an account that is locked only on a BDC?

Remember that machine account passwords may also be changed on a BDC.  I
think there is a messaging system in NT, where these things are
propagated back.  I presume the BDC simply sends a 'lock this account'
message to the PDC.

The 'lock' itself is simply a bit in the account control bit flags
(ACB).  So the unlock would be like any other SAM operation.

Of course, by cutting off inter-DC communication, the equation becomes
3*x < sizeof(dictionary)....

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
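As an added illustration (not code from this thread or from Samba), the following Python model reproduces the behaviour described above: each DC keeps its own bad-password counter, the lockout flag is propagated to every DC once one of them hits the threshold, and an attacker spreading guesses across x DCs gets 2*x + 1 evaluated guesses before the account locks, or 3*x once inter-DC communication is cut. The threshold of 3 is the thread's example; the round-robin distribution of guesses is an assumption.

```python
"""Model of NT-style bad-password lockout with per-DC counters and a
global lock bit. Added example; not Samba code."""
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 3  # 'bad password lockout' of 3, as in the thread


@dataclass
class Domain:
    num_dcs: int
    propagate_lock: bool = True  # False models cut inter-DC communication
    bad_counts: list = field(init=False)  # counter is maintained locally
    locked: list = field(init=False)      # ACB lock bit, per DC copy of SAM

    def __post_init__(self):
        self.bad_counts = [0] * self.num_dcs
        self.locked = [False] * self.num_dcs

    def try_password(self, dc: int, correct: bool) -> bool:
        """One logon attempt against the given DC; True if accepted."""
        if self.locked[dc]:
            return False  # rejected without evaluating the password
        if correct:
            self.bad_counts[dc] = 0
            return True
        self.bad_counts[dc] += 1
        if self.bad_counts[dc] >= LOCKOUT_THRESHOLD:
            if self.propagate_lock:
                # BDC sends a 'lock this account' message; lock becomes global
                self.locked = [True] * self.num_dcs
            else:
                self.locked[dc] = True  # only this DC's SAM copy is locked
        return False


def guesses_before_lockout(num_dcs: int, propagate_lock: bool = True) -> int:
    """Wrong guesses actually evaluated (not refused by the lock) before every
    DC has the account locked, with guesses spread round-robin over the DCs
    (assumed attacker distribution)."""
    domain = Domain(num_dcs, propagate_lock)
    evaluated, dc = 0, 0
    while not all(domain.locked):
        if not domain.locked[dc]:
            domain.try_password(dc, correct=False)
            evaluated += 1
        dc = (dc + 1) % num_dcs
    return evaluated


if __name__ == "__main__":
    for x in (1, 2, 4):
        print(x, "DCs:", guesses_before_lockout(x), "guesses with lock propagation,",
              guesses_before_lockout(x, propagate_lock=False), "without")
```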