samba error message - "broken (and insecure) behavior"
Christopher Kranz
clk at CS.Princeton.EDU
Wed Sep 2 16:15:38 GMT 1998
Well this explains a problem we have been seeing for some time now. We
have it configured so that 5 bad password attempts within 15 minutes
causes the account to become locked out. Unfortunately we have lab
accounts that are used by more than one person at the same time.
This results in the lab accounts becoming locked out because a known bad
password is always sent first.
Can this be changed? Is there a way to test the password server only
once and not for each and every login attempt? I think this is a useful
feature but checking the same password server over and over again seems
a little bit much. Perhaps a separate utility to check your password
server is needed. Or perhaps this code should only be run once at
initial start up?
Christopher Kranz
clk at cs.princeton.edu
--
Jim Watt wrote:
>
> I've seen error messages about this since we installed 1.9.18p10 of samba,
> so I went looking in the code for the context.
>
> Here (from password.c) is the context:
>
> /*
>  * Attempt a session setup with a totally incorrect password.
>  * If this succeeds with the guest bit *NOT* set then the password
>  * server is broken and is not correctly setting the guest bit. We
>  * need to detect this as some versions of NT4.x are broken. JRA.
>  */
>
> if (cli_session_setup(&cli, user, (char *)badpass, sizeof(badpass),
>                       (char *)badpass, sizeof(badpass), domain)) {
>   if ((SVAL(cli.inbuf,smb_vwv2) & 1) == 0) {
>     DEBUG(0,("server_validate: password server %s allows users as non-guest \
> with a bad password.\n", cli.desthost));
>     DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
> use this machine as the password server.\n"));
>     cli_ulogoff(&cli);
>     return False;
>   }
>   cli_ulogoff(&cli);
> }
>
> WHAT versions of NT4 have this problem? Obviously, we have one!
>
> Jim
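The interaction described in this thread, as an added example that is not Samba's code: a constructed model of a password server with a lockout policy (5 bad attempts in 15 minutes), the guest-bit check from the quoted password.c, and a simulation showing why probing with a bad password before every login locks out a shared lab account while probing once does not. All names and values here are assumptions for illustration.

```python
from collections import deque


class PasswordServer:
    """Constructed model of an NT-style password server with an account
    lockout policy (default: 5 bad attempts within 15 minutes, as in the post)."""

    def __init__(self, passwords, max_bad=5, window=15 * 60, broken=False):
        self.passwords = passwords          # user -> correct password
        self.max_bad, self.window = max_bad, window
        self.broken = broken                # model of the NT4 bug: any password accepted, guest bit clear
        self.bad = {}                       # user -> timestamps of recent bad attempts
        self.locked = set()

    def session_setup(self, user, password, now):
        """Return (success, guest_bit), like the SMB session setup reply."""
        if user in self.locked:
            return False, False
        if self.broken or self.passwords.get(user) == password:
            return True, False
        q = self.bad.setdefault(user, deque())
        q.append(now)
        while now - q[0] > self.window:      # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_bad:
            self.locked.add(user)
        return False, False


def server_is_broken(server, user, now):
    """The check from the quoted password.c: a deliberately bad password that is
    accepted with the guest bit clear means the server is broken."""
    ok, guest = server.session_setup(user, "totally-incorrect-password", now)
    return ok and not guest


def run_logins(server, user, password, times, probe_once):
    """Simulate users sharing one account; probe before every login or only once.
    Returns the success of each login in order."""
    probed, results = False, []
    for t in times:
        if not probe_once or not probed:
            if server_is_broken(server, user, t):
                results.append(False)
                continue
            probed = True
        ok, _ = server.session_setup(user, password, t)
        results.append(ok)
    return results


if __name__ == "__main__":
    # Constructed: six people use the lab account within one minute, correct password every time
    times = [10 * i for i in range(6)]
    print(run_logins(PasswordServer({"lab": "s3cret"}), "lab", "s3cret", times, probe_once=False))
    print(run_logins(PasswordServer({"lab": "s3cret"}), "lab", "s3cret", times, probe_once=True))
```

With per-login probing the fifth probe trips the lockout and the remaining correct-password logins fail; with a single probe all six succeed.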