[Samba] Locking user accounts

Jim Morris Jim at Morris-World.com
Thu Dec 5 14:33:49 GMT 2002


On Thursday, December 5, 2002, at 06:59 AM, Martijn van Brummelen wrote:

> At this moment I am running a samba-ldap-pdc.
> This works really well. But what worries me is the following thing:
> user accounts never get locked. This is a problem because anyone can
> guess or use brute force to enter a password. Is there a solution/workaround
> for this?
> I want the following situation: when a user tries to log on 4 times I
> want the account to be locked out. Winnt disables the account for
> several minutes and then the account is locked out.

This subject has come up several times in the past couple of weeks. I 
just went down this road myself actually.

Samba has no built-in facility for accomplishing what you need. 
However, if you are familiar with PAM, there is a PAM module 
(pam_tally) that is specifically for locking out an account after a 
specified number of failed logon attempts.  (A successful logon resets 
the count to zero any time before the limit is reached).

If you have configured Samba with 'obey pam restrictions = yes' in the 
smb.conf file, Samba will fail the logon once pam_tally's retry limit 
is reached. However, the kicker is that if you are using encrypted 
passwords with Samba, the password lookup is not done via PAM - just 
the account verification. So a bad logon attempt via Samba does not 
increment the failed logon counter.

The solution to this is a two-line patch to the Samba 2.2.7 source 
code, which I posted to the samba-technical mailing list this past 
Monday.  This patch causes Samba to increment the failed logon count 
via pam_tally.so, when you are using PAM, and encrypted passwords for 
Samba.

Here is the patch again, against the Samba 2.2.7 source tree:

diff -r samba-2.2.7.orig/source/smbd/password.c 
samba-2.2.7/source/smbd/password.c
617a618,624
> #if defined(WITH_PAM)
> 		// Jim Morris, 12/03/2002. UGLY HACK TO FORCE PAM_TALLY COUNTER TO
> 		// BE UPDATED WHEN LOGON FAILS USING SMBPASSWD FILE.
> 		if (lp_obey_pam_restrictions() && (ret == FALSE))
> 			smb_pam_passcheck( user, password );
> #endif
>
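Review bot: the return value of smb_pam_passcheck(user, password) is thrown away, so the call exists only for its side effect (a PAM auth failure that bumps the pam_tally counter); the comment should say that explicitly instead of "UGLY HACK", and should note that with encrypted passwords the `password` argument is not a cleartext password, so the PAM check is expected to fail every time. Two smaller points: `//` comments are not C89 and the surrounding file uses `/* */`; and because the guard is `(ret == FALSE)`, a successful encrypted logon never reaches PAM's auth stage through this path, so resetting the count on success has to come from the account stage (the `reset` option on pam_tally in the account stack).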

Basically, the trick is to call the PAM password check with a bad 
password after the encrypted Samba password verification fails.

I have most PAM services set up to use the system-auth service, which is 
where I have configured pam_tally.  Here's my /etc/pam.d/system-auth 
file:

#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
auth        required      /lib/security/pam_tally.so no_magic_root deny=3 reset
account     required      /lib/security/pam_unix.so
account     required      /lib/security/pam_tally.so no_magic_root deny=3 reset
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

Yours may be different if the Unix accounts are authenticated against 
an LDAP server!

Here's /etc/pam.d/samba:

#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
password   required     pam_smbpass.so use_authtok use_first_pass

I hope this information helps!
-- 
Jim Morris (Jim at Morris-World.com)
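The post relies on three pieces working together: 'obey pam restrictions = yes' in smb.conf, pam_tally in the PAM account stack (so a locked account is refused), and pam_tally in the auth stack (so failures are counted), with /etc/pam.d/samba reaching system-auth through pam_stack.so. The script below is an added example, not code from the post or from Samba: it parses pam.d-style files and an smb.conf fragment, flattens the legacy pam_stack.so indirection, and reports which of the three pieces is missing. The sample files and smb.conf fragments are constructed from the ones quoted above; the function names and the "notally" variant are mine. pam_tally and pam_stack are legacy modules (later Linux-PAM uses pam_tally2/pam_faillock and the include directive), so the parser targets the 2002-era format shown in the post.

```python
import os
import re

# Constructed sample input, modelled on the two pam.d files quoted in the post.
PAM_FILES = {
    "system-auth": """\
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
auth        required      /lib/security/pam_tally.so no_magic_root deny=3 reset
account     required      /lib/security/pam_unix.so
account     required      /lib/security/pam_tally.so no_magic_root deny=3 reset
""",
    "samba": """\
#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
password   required     pam_smbpass.so use_authtok use_first_pass
""",
}
# Constructed weak variant (hypothetical): the same files with no tally module.
PAM_FILES_NOTALLY = {"samba": PAM_FILES["samba"], "system-auth": "\n".join(
    l for l in PAM_FILES["system-auth"].splitlines() if "pam_tally" not in l)}

# Constructed smb.conf fragments: with and without the option the post requires.
SMB_CONF_OK = "[global]\n  workgroup = EXAMPLE\n  encrypt passwords = yes\n  obey pam restrictions = yes\n"
SMB_CONF_WEAK = "[global]\n  workgroup = EXAMPLE\n  encrypt passwords = yes\n"


def parse_pam(text):
    """Yield (type, control, module, args) for each non-comment config line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#%PAM-1.0' and comments drop out here
        fields = line.split()
        if len(fields) < 3:
            continue                            # blank or malformed line
        yield fields[0], fields[1], os.path.basename(fields[2]), fields[3:]


def resolve_stack(service, files, _depth=0):
    """Flatten legacy 'pam_stack.so service=X' lines into the entries of X
    that belong to the same management type (auth, account, ...)."""
    if _depth > 8:
        raise ValueError("pam_stack.so indirection too deep (loop?)")
    entries = []
    for mtype, control, module, args in parse_pam(files[service]):
        if module == "pam_stack.so":
            target = next((a[len("service="):] for a in args if a.startswith("service=")), None)
            if target is not None:
                entries.extend(e for e in resolve_stack(target, files, _depth + 1) if e[0] == mtype)
        else:
            entries.append((mtype, control, module, args))
    return entries


def obey_pam_restrictions(smb_conf):
    """True if [global] sets 'obey pam restrictions' to a true value (Samba's default is no)."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = (s.strip().lower() for s in line.split("=", 1))
            if key == "obey pam restrictions":
                return value in ("yes", "true", "1")
    return False


def audit_samba_lockout(smb_conf, files, service="samba"):
    """Return a list of findings; an empty list means all three pieces are in place."""
    findings = []
    if not obey_pam_restrictions(smb_conf):
        findings.append("smb.conf: 'obey pam restrictions' is not yes, so Samba skips the PAM account stage")
    tally = {"auth": None, "account": None}
    for mtype, control, module, args in resolve_stack(service, files):
        if mtype in tally and module == "pam_tally.so":
            tally[mtype] = next((int(a[len("deny="):]) for a in args if a.startswith("deny=")), 0)
    if tally["auth"] is None:
        findings.append("PAM auth stack has no pam_tally.so: failed logons are never counted")
    if tally["account"] is None:
        findings.append("PAM account stack has no pam_tally.so: a locked account is never refused")
    elif tally["account"] == 0:
        findings.append("PAM account pam_tally.so has no deny=N: the counter is never enforced")
    return findings


if __name__ == "__main__":
    for label, conf, files in (("as posted", SMB_CONF_OK, PAM_FILES),
                               ("no tally module", SMB_CONF_OK, PAM_FILES_NOTALLY),
                               ("obey pam restrictions missing", SMB_CONF_WEAK, PAM_FILES)):
        print(f"{label}: {audit_samba_lockout(conf, files) or ['ok']}")
```

Run against a real host, replace the embedded dicts with the contents of /etc/pam.d/ and /etc/samba/smb.conf; the audit only tells you whether the counting and enforcement hooks exist, not whether Samba's encrypted-password path actually reaches them, which is exactly the gap the patch above closes.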
