samba error message - "broken (and insecure) behavior"

Christopher Kranz clk at CS.Princeton.EDU
Wed Sep 2 16:15:38 GMT 1998


Well this explains a problem we have been seeing for some time now.  We
have it configured so that 5 bad password attempts within 15 minutes
cause the account to become locked out.  Unfortunately we have lab
accounts that are used by more than one person at the same time.
This results in the lab accounts becoming locked out because a known bad
password is always sent first.

Can this be changed?  Is there a way to test the password server only
once and not for each and every login attempt?  I think this is a useful
feature but checking the same password server over and over again seems
a little bit much.  Perhaps a separate utility to check your password
server is needed.  Or perhaps this code should only be run once at
initial start up?

	Christopher Kranz
	clk at cs.princeton.edu
--
Jim Watt wrote:
> 
> I've seen error messages about this since we installed 1.9.18p10 of samba,
> so I went looking in the code for the context.
> 
> Here (from password.c) is the context:
> 
>         /*
>          * Attempt a session setup with a totally incorrect password.
>          * If this succeeds with the guest bit *NOT* set then the password
>          * server is broken and is not correctly setting the guest bit. We
>          * need to detect this as some versions of NT4.x are broken. JRA.
>          */
> 
>         if (cli_session_setup(&cli, user, (char *)badpass, sizeof(badpass),
>                               (char *)badpass, sizeof(badpass), domain)) {
>           if ((SVAL(cli.inbuf,smb_vwv2) & 1) == 0) {
>             DEBUG(0,("server_validate: password server %s allows users as non-guest \
> with a bad password.\n", cli.desthost));
>             DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
> use this machine as the password server.\n"));
>             cli_ulogoff(&cli);
>             return False;
>           }
>           cli_ulogoff(&cli);
>         }
> 
> WHAT versions of NT4 have this problem?  Obviously, we have one!
> 
> Jim
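
The suggestion above of testing the password server once instead of on every login, as an added example (not Samba code and not written by either poster): the probe verdict is cached per server, so repeated logins inside the refresh window send one deliberate bad-password attempt rather than one each. `server_is_sane`, `PROBE_TTL`, `MAX_SERVERS` and the stub probes are hypothetical names, and the one-hour refresh interval is an assumption.

```c
/* Added example: cache the bad-password probe verdict per password server.
 * All names here are hypothetical; this is not Samba source. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_SERVERS 8
#define PROBE_TTL   3600            /* assumed re-probe interval, seconds */

typedef int (*probe_fn)(const char *host);  /* 1 = server rejects bad password */
struct probe_entry { char host[64]; time_t checked; int ok; };
static struct probe_entry cache[MAX_SERVERS];
static int probes_sent;             /* bad-password attempts actually sent */

/* Return 1 if host may be used as password server; probe at most once per TTL. */
int server_is_sane(const char *host, time_t now, probe_fn probe)
{
    struct probe_entry *slot = NULL;
    for (int i = 0; i < MAX_SERVERS; i++) {
        if (cache[i].host[0] && strcmp(cache[i].host, host) == 0) {
            if (now - cache[i].checked < PROBE_TTL)
                return cache[i].ok;         /* fresh verdict: no probe sent */
            slot = &cache[i];               /* stale: re-probe in place */
            break;
        }
        if (!slot && !cache[i].host[0])
            slot = &cache[i];               /* remember first free slot */
    }
    probes_sent++;
    int ok = probe(host);
    if (slot) {                             /* if the cache is full, probe every time */
        snprintf(slot->host, sizeof slot->host, "%s", host);
        slot->checked = now;
        slot->ok = ok;
    }
    return ok;
}

/* Constructed stand-ins for the real session-setup probe. */
int good_server(const char *host) { (void)host; return 1; }
int broken_server(const char *host) { (void)host; return 0; }

int main(void)
{
    for (int i = 0; i < 10; i++)            /* ten logins within the TTL */
        server_is_sane("PDC1", (time_t)(1000 + i), good_server);
    printf("probes sent: %d\n", probes_sent);
    return 0;
}
```

The trade-off is that a server which starts accepting bad passwords after it was last probed is not flagged until the cached verdict expires.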

