[PATCH] bad password lock

John H Terpstra jht at samba.org
Sun Sep 21 14:22:16 GMT 2003

On Sun, 21 Sep 2003, Andrew Bartlett wrote:

> On Sun, 2003-09-21 at 20:54, Simo Sorce wrote:
> > On Sun, 2003-09-21 at 12:49, Andrew Bartlett wrote:
> > > Not quite - the way I understand that NT implements this is that the
> > > counter is maintained locally, but the block is maintained globally.
> > >
> > > That means that if a system had a 'bad password lockout' of 3, you could
> > > connect 2*x + 1 times, where x is the number of DCs.
> > >
> > > The main point is to keep 2*x +1 < sizeof(dictionary), which really does
> > > make this game too easy for attackers.  (for an online dictionary
> > > attack, the point of this feature).
> >
> > That makes sense.
> >
> > > > If you are concerned with performances, then I think we should
> > > > preferably add an option to disable the feature, for people that do
> > > > not need to use it.
> > >
> > > I actually think the compromise is quite workable.
> >
> > Thinking twice I think so too, but makes me wonder how do you reset the
> > lock from a different DC, from my experience you can modify only the PDC
> > SAM with standard NT domain administration tools, so if databases are
> > stored locally how do you unlock an account being locked only on a BDC ?
> Remember that machine account passwords may also be changed on a BDC.  I
> think there is a messaging system in NT, where these things are
> propagated back.  I presume the BDC simply sends a 'lock this account'
> message to the PDC.

The precise method used on NT4 is documented in the Samba-3 HOWTO.
A BDC creates only a delta file. It then sends a trigger to the PDC to
initiate SAMsync. The PDC downloads the delta and applies it to its SAM.
Then the BDC deletes the delta and does a SAMsync to update its read-only
copy of the SAM.

It is possible with NT4 to end up with an inconsistent SAM. If the PDC
goes down before the SAMSync is complete and you then promote the BDC to a
PDC, the state of the SAM database may be incomplete.

In any case, following a local SAM update (using the NT4 Domain User Admin
tool for example) the change is immediately available. This means that the
local SAM operations DO read the SAM-delta file as if it is part of the
SAM. This delta is not available elsewhere until the SAMsync with the PDC
has been completed.

> The 'lock' itself is simply a bit in the account control bit flags
> (ACB).   So the unlock would be like any other SAM operation.

Remember, in NT4 the SAM is part of the local registry database. SAMsync
only brings the PDC/BDC SAMs into a consistent state.

I do not know where NT4 stores locking info, but suspect that it is
handled only locally to a machine.

Win2K has entirely new architecture in the way that Domain directory
integrity is maintained. It externalises directory operations to LDAP and
uses a new set of protocols and tools to ensure directory consistency.

> Of course, by cutting off inter-DC communication, the equation becomes
> 3*x < sizeof(dictionary)....

- John T.
John H Terpstra
Email: jht at samba.org
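The guess budget discussed in this thread (per-DC counter, global block: 2*x + 1 evaluated guesses for a lockout of 3 across x DCs, and 3*x once inter-DC communication is cut) can be checked with a small model. This is an added example, not code from Samba or from any poster; the DomainController/Domain classes, the lock-propagation flag and the round-robin spreading are assumptions made to model the design described above, and the closed form generalises the thread's numbers to any threshold.

```python
from dataclasses import dataclass


@dataclass
class DomainController:
    """One DC holding its own local bad-password counter (NT4-style, as described above)."""
    name: str
    bad_count: int = 0
    locked: bool = False


@dataclass
class Domain:
    threshold: int                 # the 'bad password lockout' value, e.g. 3
    dcs: list
    propagate_lock: bool = True    # False models severed inter-DC communication

    def bad_password(self, dc: DomainController) -> bool:
        """Record one failed logon at `dc`. Returns True if the guess was actually
        evaluated (i.e. the account was not already locked on that DC)."""
        if dc.locked:
            return False
        dc.bad_count += 1
        if dc.bad_count >= self.threshold:
            dc.locked = True
            if self.propagate_lock:
                # The block is global: every DC learns of the lock (lock message / SAMsync).
                for other in self.dcs:
                    other.locked = True
        return True


def guesses_until_global_lock(num_dcs: int, threshold: int, propagate_lock: bool = True) -> int:
    """Count failed guesses evaluated before the account is locked on every DC, with the
    guesses spread round-robin over the DCs (the worst case for the defender, since each
    local counter then fills as slowly as possible)."""
    dcs = [DomainController(f"DC{i}") for i in range(num_dcs)]   # constructed sample domain
    dom = Domain(threshold, dcs, propagate_lock)
    evaluated = 0
    while not all(dc.locked for dc in dcs):
        for dc in dcs:
            if dom.bad_password(dc):
                evaluated += 1
    return evaluated


def closed_form(num_dcs: int, threshold: int, propagate_lock: bool = True) -> int:
    """The thread's formula generalised: (threshold-1)*x + 1 with a global block, threshold*x without."""
    return (threshold - 1) * num_dcs + 1 if propagate_lock else threshold * num_dcs
```

A lockout value should therefore be judged against the number of DCs (and what happens when lock propagation fails), not as a per-account limit on its own.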
