[Samba] Locking user accounts
Jim at Morris-World.com
Thu Dec 5 14:33:49 GMT 2002
On Thursday, December 5, 2002, at 06:59 AM, Martijn van Brummelen
> At this moment I am running a samba-ldap-pdc.
> This works really good. But what worries me is the following thing:
> user accounts never get locked. This is a problem cause anyone can
> guess or
> use bruteforce to enter password. Is there a solution/workaround for
> I want the following situation : when a user tries to logon for 4
> times I
> want the account to lock out the account. Winnt disables the account
> several minutes and then the account is locked out.
This subject has come up several times in the past couple of weeks. I
just went down this road myself actually.
Samba has no built in facility for accomplishing what you need.
However, if you are familiar with PAM, there is a PAM module
(pam_tally) that is specifically for locking out an account after a
specified number of failed logon attempts. (A successful logon resets
the count to zero any time before the limit is reached).
If you have configured Samba with 'obey pam restrictions = yes' in the
smb.conf file, Samba will fail the logon once pam_tally's retry limit
is reached. However, the kicker is that if you are using encrypted
passwords with Samba, the password lookup is not done via PAM - just
the account verification. So a bad logon attempt via Samba does not
increment the failed logon counter.
The solution to this is in a 2 line patch to the Samba 2.2.7 source
code, which I posted to the samba-technical mailing list this past
Monday. This patch causes Samba to increment the failed logon count
via pam_tally.so, when you are using PAM, and encrypted passwords for
Here is the patch again, against the Samba 2.2.7 source tree:
diff -r samba-2.2.7.orig/source/smbd/password.c
> #if defined(WITH_PAM)
> // Jim Morris, 12/03/2002. UGLY HACK TO FORCE PAM_TALLY COUNTER TO
> // BE UPDATED WHEN LOGON FAILS USING SMBPASSWD FILE.
> if (lp_obey_pam_restrictions() && (ret == FALSE))
> smb_pam_passcheck( user, password );
Basically, the trick is to call the PAM password check with a bad
password after the encrypted Samba password verification fails.
I have most PAM services setup to use the system-auth service, which is
where I have configured pam_tally. Here's my /etc/pam.d/system-auth
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
auth required /lib/security/pam_tally.so no_magic_root
account required /lib/security/pam_unix.so
account required /lib/security/pam_tally.so no_magic_root
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
Yours may be different if the Unix accounts are authenticated against
an LDAP server!
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
password required pam_smbpass.so use_authtok use_first_pass
I hope this information helps!
Jim Morris (Jim at Morris-World.com)
More information about the samba