[PATCH] Patch to implement AD password lockout in Samba's AD DC
Stefan (metze) Metzmacher
metze at samba.org
Mon Mar 24 14:10:05 MDT 2014
Am 23.03.2014 01:06, schrieb Andrew Bartlett:
> On Sat, 2014-03-22 at 23:24 +1300, Andrew Bartlett wrote:
>> On Fri, 2014-03-21 at 17:16 +0100, Stefan (metze) Metzmacher wrote:
>>> Hi Andrew,
>>>
>>>>> I've now tested with Windows and Samba and have a patch series at:
>>>>>
>>>>> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/metze-master4-abartlet2
>>>>
>>>> Updated patches have been pushed!
>>>>
>>>> Hopefully we are getting closer.
>>>
>>> I merged this together with my branch
>>> and the result can be found at
>>>
>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-abartlet2
>>>
>>> Please have a look at
>>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=a4a8098f2dd374c1109742637bf180b15099d243
>>> and
>>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=c831e273cfe36c5dff68443391f015c58adf1df7
>>>
>>> which I reworked at bit. They require your sign-off to be refreshed.
>>
>> These look good, and much clearer. Signed-off-by: Andrew Bartlett
>> <abartlet at samba.org>
>>
>>> I need to review and run the tests from
>>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=a5eb6e1028ae679a327835239c16ca2d896ec17c
>>> again in order to decide about
>>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=56dfed17d70048fefd1b7e10c81103109d6e44c8
>>
>> I think this is now covered.
>
> Do be clearer, the in the password_lockout.py test, we use SAMR to
> unlock the account, and in that instance the test clearly shows that
> values are reset to 0.
>
>>> and
>>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=5e41a86f5e0421116b15b2a3f9b937ed241a0e3a
>>
>> badPwdCount is not reset on a successful LDAP password change. The
>> tests of samr code I've just done show that SAMR password changes also
>> don't change that. I don't currently have good enough tests for what
>> happens to the lockoutTime, but to get this far it must not be relevant
>> (ie in the past), and for LDAP the test I've just added to
>> password_lockout.py shows this patch should be dropped, it doesn't
>> actually update lockoutTime.
>>
>>> I've started to look at the tests, but I'm not done yet...
>
> BTW, with the patches I sent we pass our own 'make test TESTS=passwords'
> on my branch. Naturally the patches need to be squashed into the
> matching commits, but I think we are finally getting very close.
I've updated the password_lockout.py and verified that the current
implementation
isn't correct.
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-abartlet2
I think we need to have a trigger in an ldb module that sets badPwdCount = 0
is lockoutTime is set to 0.
This matches [MS-SAMR] 3.1.1.8.3 lockoutTime
http://msdn.microsoft.com/en-us/library/cc245684.aspx
The SAMR reset of ACB_AUTOLOCK has only impact if
the account is locked out. I think it only sets lockoutTime = 0.
I have the feeling that somehow
3.1.1.8.10 userAccountControl
http://msdn.microsoft.com/en-us/library/cc245673.aspx
is also correct, but I don't know how exactly.
I just found
userAccountControl = dsdb.UF_NORMAL_ACCOUNT|dsdb.UF_LOCKOUT
doesn't reset, but
userAccountControl = dsdb.UF_NORMAL_ACCOUNT
does reset lockoutTime = 0 and badPwdCount = 0.
I haven't changed the tests yet, but I've tested it locally.
metze
More information about the samba-technical
mailing list