Password policy patch on Samba-3.0.2 for LDAP backend

Andrew Bartlett abartlet at samba.org
Thu Feb 19 22:56:33 GMT 2004


On Fri, 2004-02-20 at 09:44, Jim McDonough wrote:
> 
> >I think this is best - but I don't mind an option for always consistent
> >backends.  If we have multi-master, then other things break (rid
> >allocation), so we can't exactly count on that either...
> So you can't really have always consistent backends this way either...
> 
> There's still an issue...how do you properly update the PDC when the BDC
> encounters a bad password.
> 
> On NT, the BDC does a netlogon call to the PDC as though it were a member
> server.  This has several effects:
> - The user can still logon if the password change hasn't yet propagated

I've been bitten by this one at Hawker myself.  I'm going to add a patch
for 'password change sleep', in the same vein as 'ldap password sleep'.

> - The PDC will know that a bad password was attempted if it really is bad
> - The PDC (if it is up/contactable) will always have the right count of bad
> passwords.
> 
> Then, when the max is reached, it announces the sam change, and the bdcs
> request a delta.  In the meantime, each BDC has its own count, and _still_
> has its own record of the password if it's a propagation issue.  That means
> that until the BDC syncs up via replication, the BDC keeps the old password
> stored.
> 
> But our BDC code doesn't do anything like this...how hard would it be to
> change that?  Basically, don't update the real "stored" passdb (unless the
> max gets hit) on a bad pw attempt, but let the PDC know by the netlogon
> call (I forget offhand what it is, but it's basically just authenticating
> like a member server would, IIRC)?

I don't like the Microsoft approach.  An attacker can create a *lot* of
inter-site traffic that way.

I like the idea that all our communication between DCs is via our
shared backend, and I don't think this is the issue to force it.  I'm
not worried that the PDC can be 'behind' on bad password attempts - I
think that a per-DC counter is fine, with global lockout.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
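The two lockout designs compared in this thread, as an added model that is not Samba code: each DC keeps its own bad-password counter in memory and only the lockout flag goes to the shared backend (Andrew's proposal), or the counter itself is shared, which is the effect of the NT-style scheme where every bad attempt is reported to the PDC. The `SharedBackend`, `DomainController` and `guesses_until_lockout` names and the user `alice` are constructed for the example; it shows that per-DC counters avoid inter-DC traffic at the cost of a larger total number of guesses an account can absorb before the global lock trips when attempts are spread over several DCs.

```python
from dataclasses import dataclass, field


@dataclass
class SharedBackend:
    """Constructed stand-in for the LDAP passdb every DC reads and writes."""
    locked: set = field(default_factory=set)      # global lockout flags
    bad_count: dict = field(default_factory=dict)  # used only when the counter is shared


class DomainController:
    def __init__(self, name, backend, max_bad, shared_counter=False):
        self.name = name
        self.backend = backend
        self.max_bad = max_bad
        # per-DC counter lives only in this DC's memory and is never replicated;
        # with shared_counter=True all DCs count into the backend (NT/PDC style)
        self.counts = backend.bad_count if shared_counter else {}

    def check_password(self, user, password_ok):
        """Return 'ok', 'bad' or 'locked'; a global lock is honoured by every DC."""
        if user in self.backend.locked:
            return "locked"
        if password_ok:
            self.counts[user] = 0
            return "ok"
        self.counts[user] = self.counts.get(user, 0) + 1
        if self.counts[user] >= self.max_bad:
            self.backend.locked.add(user)  # the lockout is the only state shared
            return "locked"
        return "bad"


def guesses_until_lockout(n_dcs, max_bad, shared_counter=False):
    """Send wrong passwords round-robin to n_dcs DCs and return how many
    guesses were actually evaluated before the global lock took effect."""
    backend = SharedBackend()
    dcs = [DomainController(f"dc{i}", backend, max_bad, shared_counter)
           for i in range(n_dcs)]
    evaluated = 0
    while "alice" not in backend.locked:
        dcs[evaluated % n_dcs].check_password("alice", password_ok=False)
        evaluated += 1
    return evaluated


if __name__ == "__main__":
    for n in (1, 2, 4):
        print(n, "DCs: per-DC counters ->", guesses_until_lockout(n, 5),
              "| shared counter ->", guesses_until_lockout(n, 5, True))
```

With per-DC counters the budget grows to n_dcs * (max_bad - 1) + 1 guesses, which is the trade-off to weigh against the inter-site traffic of reporting every attempt to the PDC.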