Password policy patch on Samba-3.0.2 for LDAP backend
abartlet at samba.org
Thu Feb 19 22:56:33 GMT 2004
On Fri, 2004-02-20 at 09:44, Jim McDonough wrote:
> >I think this is best - but I don't mind an option for always consistent
> >backends. If we have multi-master, then other things break (rid
> >allocation), so we can't exactly count on that either...
> So you can't really have always consistent backends this way either...
> There's still an issue...how do you properly update the PDC when the BDC
> encounters a bad password.
> On NT, the BDC does a netlogon call to the PDC as though it were a member
> server. This has several effects:
> - The user can still logon if the password change hasn't yet propagated
I've been bitten by this one at Hawker myself. I'm going to add a patch
for 'password change sleep', in the same vein as 'ldap password sleep'.
> - The PDC will know that a bad password was attempted if it really is bad
> - The PDC (if it is up/contactable) will always have the right count of bad
> Then, when the max is reached, it announces the sam change, and the bdcs
> request a delta. In the meantime, each BDC has its own count, and _still_
> has its own record of the password if it's a propagation issue. That means
> that until the BDC syncs up via replication, the BDC keeps the old password
> But our BDC code doesn't do anything like this...how hard would it be to
> change that? Basically, don't update the real "stored" passdb (unless the
> max gets hit) on a bad pw attempt, but let the PDC know by the netlogon
> call (I forget offhand what it is, but it's basically just authenticating
> like a member server would, IIRC)?
I don't like the Microsoft approach. An attacker can create a *lot* of
inter-site traffic that way.
I like the idea that all our communication between DCs is via our
shared backend, and I don't think this is the issue to force it. I'm
not worried that the PDC can be 'behind' on bad password attempts - I
think that a per-DC counter is fine, with global lockout.
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
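A toy model of the two lockout designs compared in this thread, added here as an illustration; it is not from the thread or from Samba's code. `MAX_BAD`, the DC names and the `Domain` class are constructed assumptions. It counts how many bad attempts spread across DCs get through before the global lockout trips under each design.

```python
from collections import defaultdict

MAX_BAD = 3  # lockout threshold; a constructed value for this model


class Domain:
    """Constructed model: one PDC plus BDCs sharing one replicated backend.

    model="forwarded": the NT behaviour described in the thread; a BDC reports
    each bad attempt to the PDC, which owns the single count per user.
    model="per_dc":    the per-DC counter design; each DC keeps its own count
    in the shared backend and any DC hitting MAX_BAD locks the account globally.
    """

    def __init__(self, model, dcs=("PDC", "BDC1", "BDC2")):
        assert model in ("forwarded", "per_dc")
        self.model = model
        self.dcs = dcs
        self.bad = defaultdict(int)  # key: (counter_owner, user) -> bad count
        self.locked = set()          # global lockout set, visible to every DC

    def _owners(self, dc):
        # forwarded: the PDC's counter is the only one that matters
        # per_dc:    each DC bumps its own counter
        return ["PDC"] if self.model == "forwarded" else [dc]

    def logon(self, dc, user, password_ok):
        """Process one logon attempt at `dc`; return True if it succeeds."""
        if user in self.locked:
            return False
        if password_ok:
            # a good logon resets only the counter this DC would have bumped
            for owner in self._owners(dc):
                self.bad[(owner, user)] = 0
            return True
        for owner in self._owners(dc):
            self.bad[(owner, user)] += 1
            if self.bad[(owner, user)] >= MAX_BAD:
                self.locked.add(user)  # global lockout via the shared backend
        return False


def bad_attempts_until_locked(model, user="alice"):
    """Spread bad attempts round-robin over all DCs; count until lockout."""
    domain = Domain(model)
    n = 0
    while user not in domain.locked:
        domain.logon(domain.dcs[n % len(domain.dcs)], user, password_ok=False)
        n += 1
    return n
```

With per-DC counters the effective threshold scales with the number of DCs (here 7 attempts instead of 3), which is the cost accepted above in exchange for keeping DC-to-DC communication in the shared backend rather than generating netlogon traffic per bad attempt.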