[Samba] samba bad password count reset between logins (not loaded from login_cache.tdb)
Denis Cardon
dcardon at tranquil.it
Thu Sep 21 09:58:57 UTC 2017
Hi Daryl,
> I recently migrated our samba PDC to an LDAP backend on a test machine.
> Testing my account policies, I found out that the password lockout did not
> work.
Bad password lockout works fine in Samba AD mode. Is there a technical
reason for you to keep on using PDC NT4 mode? In AD mode, you'll also
get an LDAP, and it will be much easier to set up and manage!
By the way, it is not necessary to be on the PDC LDAP backend to migrate
to Samba AD.
Cheers,
Denis
> When authentication fails, samba seems to call init_ldap_from_sam asking to
> update the bad password count.
>
> When I set the lockout threshold to 1, the account is locked after a failed
> attempt and the badPasswordCount attribute is updated correctly (e.g. set to
> 1), as expected from the init_ldap_from_sam definition.
> When the threshold > 1, the cache seems to be updated via login_cache_write,
> but the next time I try to login, the badPasswordCount is reset to 0. I
> suspect the cache is ignored for some reason?
>
> Here's the relevant part of the logs (/var/log/samba/log.smbd):
> #
> ## with policy=4 (same every time a user fails a password, even if he failed
> 10 times previously)
> #
> [2017/09/19 13:27:17.589773, 3]
> ../source3/passdb/pdb_ldap.c:1376(init_ldap_from_sam)
> updating bad password fields, policy=4, count=1, time=1505842037
> [2017/09/19 13:27:17.589777, 7]
> ../source3/passdb/pdb_ldap.c:1416(init_ldap_from_sam)
> Updating bad password count and time in login cache
> [2017/09/19 13:27:17.589783, 5]
> ../source3/passdb/login_cache.c:47(login_cache_init)
> Opening cache file at /var/lib/samba/login_cache.tdb
> [2017/09/19 13:27:17.589818, 4]
> ../source3/passdb/pdb_ldap.c:1904(ldapsam_update_sam_account)
> ldapsam_update_sam_account: mods is empty: nothing to update for user:
> dachouinard
> [2017/09/19 13:27:17.589827, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
>
> #
> ## with policy = 1 (account is locked and badPasswordCount=1 after
> #
> [2017/09/19 13:22:43.480284, 3]
> ../source3/passdb/pdb_ldap.c:1376(init_ldap_from_sam)
> updating bad password fields, policy=1, count=1, time=1505841763
> [2017/09/19 13:22:43.480297, 5]
> ../source3/passdb/login_cache.c:47(login_cache_init)
> Opening cache file at /var/lib/samba/login_cache.tdb
> [2017/09/19 13:22:43.480334, 5]
> ../source3/lib/smbldap.c:1435(smbldap_modify)
> smbldap_modify: dn => [uid=dachouinard,ou=people,dc=basedc]
> [2017/09/19 13:22:43.524433, 2]
> ../source3/passdb/pdb_ldap.c:1935(ldapsam_update_sam_account)
> [2017/09/19 14:29:47.435922, 6]
> ../source3/param/loadparm.c:2307(lp_file_list_changed)
> lp_file_list_changed()
> file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Tue Sep 19
> 14:08:03 2017
>
> #
> ## full login log:
> #
> [2017/09/19 14:38:25.611744, 4]
> ../source3/param/loadparm.c:3864(lp_load_ex)
> pm_process() returned Yes
> [2017/09/19 14:38:25.611760, 3]
> ../source3/param/loadparm.c:1592(lp_add_ipc)
> adding IPC service
> [2017/09/19 14:38:25.611810, 5]
> ../source3/auth/auth_util.c:123(make_user_info_map)
> Mapping user [LOCALDOMAIN]\[dachouinard] from workstation [GE1]
> [2017/09/19 14:38:25.611824, 5]
> ../source3/auth/auth_util.c:144(make_user_info_map)
> Mapped domain from [LOCALDOMAIN] to [GE1] for user [dachouinard] from
> workstation [GE1]
> [2017/09/19 14:38:25.611830, 5]
> ../source3/auth/user_info.c:62(make_user_info)
> attempting to make a user_info for dachouinard (dachouinard)
> [2017/09/19 14:38:25.611835, 5]
> ../source3/auth/user_info.c:70(make_user_info)
> making strings for dachouinard's user_info struct
> [2017/09/19 14:38:25.611840, 5]
> ../source3/auth/user_info.c:108(make_user_info)
> making blobs for dachouinard's user_info struct
> [2017/09/19 14:38:25.611845, 3]
> ../source3/auth/auth.c:178(auth_check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user
> [LOCALDOMAIN]\[dachouinard]@[GE1] with the new password interface
> [2017/09/19 14:38:25.611850, 3]
> ../source3/auth/auth.c:181(auth_check_ntlm_password)
> check_ntlm_password: mapped user is: [GE1]\[dachouinard]@[GE1]
> [2017/09/19 14:38:25.611854, 5] ../lib/util/util.c:555(dump_data)
> [0000] 44 F5 5E 65 01 EE 91 2D D.^e...-
> [2017/09/19 14:38:25.611873, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.611878, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 1
> [2017/09/19 14:38:25.611882, 4]
> ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.611887, 5]
> ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
> [2017/09/19 14:38:25.611891, 5]
> ../source3/auth/token_util.c:640(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2017/09/19 14:38:25.611951, 5]
> ../source3/lib/smbldap.c:1249(smbldap_search_ext)
> smbldap_search_ext: base => [dc=basedc], filter =>
> [(&(uid=dachouinard)(objectclass=sambaSamAccount))], scope => [2]
> [2017/09/19 14:38:25.611969, 5]
> ../source3/lib/smbldap.c:1114(smbldap_close)
> The connection to the LDAP server was closed
> [2017/09/19 14:38:25.612023, 2]
> ../source3/lib/smbldap.c:794(smbldap_open_connection)
> smbldap_open_connection: connection opened
> [2017/09/19 14:38:25.615980, 3]
> ../source3/lib/smbldap.c:1013(smbldap_connect_system)
> ldap_connect_system: successful connection to the LDAP server
> [2017/09/19 14:38:25.616004, 4] ../source3/lib/smbldap.c:1092(smbldap_open)
> The LDAP server is successfully connected
> [2017/09/19 14:38:25.695848, 2]
> ../source3/passdb/pdb_ldap.c:524(init_sam_from_ldap)
> init_sam_from_ldap: Entry found for user: dachouinard
> [2017/09/19 14:38:25.695896, 4]
> ../source3/lib/substitute.c:435(automount_server)
> Home server: ge1
> [2017/09/19 14:38:25.695912, 4]
> ../source3/lib/substitute.c:435(automount_server)
> Home server: ge1
> [2017/09/19 14:38:25.695930, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
> [2017/09/19 14:38:25.695936, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.695940, 4]
> ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
> [2017/09/19 14:38:25.695945, 5]
> ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
> [2017/09/19 14:38:25.695949, 5]
> ../source3/auth/token_util.c:640(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2017/09/19 14:38:25.731783, 5]
> ../source3/lib/smbldap.c:1249(smbldap_search_ext)
> smbldap_search_ext: base => [sambaDomainName=ge1,ou=samba,dc=basedc],
> filter => [(objectClass=sambaDomain)], scope => [0]
> [2017/09/19 14:38:25.732256, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.732325, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
> [2017/09/19 14:38:25.732332, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.732336, 4]
> ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
> [2017/09/19 14:38:25.732341, 5]
> ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
> [2017/09/19 14:38:25.732346, 5]
> ../source3/auth/token_util.c:640(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2017/09/19 14:38:25.732358, 5]
> ../source3/lib/smbldap.c:1249(smbldap_search_ext)
> smbldap_search_ext: base => [ou=people,dc=basedc], filter =>
> [(&(objectClass=sambaSamAccount)(|(sambaSid=S-1-0-0-3001)))], scope => [2]
> [2017/09/19 14:38:25.756370, 5]
> ../source3/lib/smbldap.c:1249(smbldap_search_ext)
> smbldap_search_ext: base => [dc=basedc], filter =>
> [(&(objectClass=sambaGroupMapping)(|(sambaSid=S-1-0-0-3001)))], scope => [2]
> [2017/09/19 14:38:25.783357, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.783411, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
> [2017/09/19 14:38:25.783418, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.783423, 4]
> ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
> [2017/09/19 14:38:25.783427, 5]
> ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
> [2017/09/19 14:38:25.783431, 5]
> ../source3/auth/token_util.c:640(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2017/09/19 14:38:25.783443, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.783461, 4]
> ../source3/lib/substitute.c:435(automount_server)
> Home server: ge1
> [2017/09/19 14:38:25.783471, 4]
> ../source3/lib/substitute.c:435(automount_server)
> Home server: ge1
> [2017/09/19 14:38:25.783477, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
> [2017/09/19 14:38:25.783481, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.783485, 4]
> ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
> [2017/09/19 14:38:25.783488, 5]
> ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
> [2017/09/19 14:38:25.783491, 5]
> ../source3/auth/token_util.c:640(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2017/09/19 14:38:25.783500, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.783513, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2017/09/19 14:38:25.783521, 4]
> ../libcli/auth/ntlm_check.c:358(ntlm_password_check)
> ntlm_password_check: Checking NTLMv2 password with domain [LOCALDOMAIN]
> [2017/09/19 14:38:25.783538, 4]
> ../libcli/auth/ntlm_check.c:372(ntlm_password_check)
> ntlm_password_check: Checking NTLMv2 password with uppercased version of
> domain [LOCALDOMAIN]
> [2017/09/19 14:38:25.783545, 4]
> ../libcli/auth/ntlm_check.c:385(ntlm_password_check)
> ntlm_password_check: Checking NTLMv2 password without a domain
> [2017/09/19 14:38:25.783551, 3]
> ../libcli/auth/ntlm_check.c:397(ntlm_password_check)
> ntlm_password_check: NTLMv2 password check failed
> [2017/09/19 14:38:25.783555, 3]
> ../libcli/auth/ntlm_check.c:442(ntlm_password_check)
> ntlm_password_check: Lanman passwords NOT PERMITTED for user dachouinard
> [2017/09/19 14:38:25.783558, 4]
> ../libcli/auth/ntlm_check.c:479(ntlm_password_check)
> ntlm_password_check: Checking LMv2 password with domain LOCALDOMAIN
> [2017/09/19 14:38:25.783564, 4]
> ../libcli/auth/ntlm_check.c:508(ntlm_password_check)
> ntlm_password_check: Checking LMv2 password with upper-cased version of
> domain LOCALDOMAIN
> [2017/09/19 14:38:25.783570, 4]
> ../libcli/auth/ntlm_check.c:536(ntlm_password_check)
> ntlm_password_check: Checking LMv2 password without a domain
> [2017/09/19 14:38:25.783576, 4]
> ../libcli/auth/ntlm_check.c:567(ntlm_password_check)
> ntlm_password_check: Checking NT MD4 password in LM field
> [2017/09/19 14:38:25.783579, 3]
> ../libcli/auth/ntlm_check.c:588(ntlm_password_check)
> ntlm_password_check: LM password and LMv2 failed for user dachouinard, and
> NT MD4 password in LM field not permitted
> [2017/09/19 14:38:25.783586, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.783590, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 1
> [2017/09/19 14:38:25.783594, 4]
> ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.783597, 5]
> ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
> [2017/09/19 14:38:25.783601, 5]
> ../source3/auth/token_util.c:640(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2017/09/19 14:38:25.783609, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2017/09/19 14:38:25.783613, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.783617, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 1
> [2017/09/19 14:38:25.783620, 4]
> ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.783623, 5]
> ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
> [2017/09/19 14:38:25.783629, 5]
> ../source3/auth/token_util.c:640(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2017/09/19 14:38:25.783634, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
> [2017/09/19 14:38:25.783638, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.783641, 4]
> ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
> [2017/09/19 14:38:25.783644, 5]
> ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
> [2017/09/19 14:38:25.783648, 5]
> ../source3/auth/token_util.c:640(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2017/09/19 14:38:25.783664, 5]
> ../source3/lib/smbldap.c:1249(smbldap_search_ext)
> smbldap_search_ext: base => [sambaDomainName=ge1,ou=samba,dc=basedc],
> filter => [(objectClass=sambaDomain)], scope => [0]
> [2017/09/19 14:38:25.809734, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.809752, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2017/09/19 14:38:25.809837, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.809844, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 1
> [2017/09/19 14:38:25.809848, 4]
> ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.809853, 5]
> ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
> [2017/09/19 14:38:25.809856, 5]
> ../source3/auth/token_util.c:640(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2017/09/19 14:38:25.809872, 4]
> ../source3/passdb/pdb_ldap.c:1890(ldapsam_update_sam_account)
> ldapsam_update_sam_account: user dachouinard to be modified has dn:
> uid=dachouinard,ou=people,dc=basedc
> [2017/09/19 14:38:25.809880, 2]
> ../source3/passdb/pdb_ldap.c:1138(init_ldap_from_sam)
> init_ldap_from_sam: Setting entry for user: dachouinard
> [2017/09/19 14:38:25.809888, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
> [2017/09/19 14:38:25.809892, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.809895, 4]
> ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
> [2017/09/19 14:38:25.809898, 5]
> ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
> [2017/09/19 14:38:25.809902, 5]
> ../source3/auth/token_util.c:640(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2017/09/19 14:38:25.809913, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2017/09/19 14:38:25.809917, 3]
> ../source3/passdb/pdb_ldap.c:1376(init_ldap_from_sam)
> updating bad password fields, policy=4, count=1, time=1505846305
> [2017/09/19 14:38:25.809921, 7]
> ../source3/passdb/pdb_ldap.c:1416(init_ldap_from_sam)
> Updating bad password count and time in login cache #
> <------------------------------------------------------------------------
> (only if lockout threshold > 1)
> [2017/09/19 14:38:25.809928, 5]
> ../source3/passdb/login_cache.c:47(login_cache_init)
> Opening cache file at /var/lib/samba/login_cache.tdb
> [2017/09/19 14:38:25.809964, 4]
> ../source3/passdb/pdb_ldap.c:1904(ldapsam_update_sam_account)
> ldapsam_update_sam_account: mods is empty: nothing to update for user:
> dachouinard
> [2017/09/19 14:38:25.809973, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
>
> #
> ## my smb.conf:
> #
> [global]
> workgroup = localdomain
> netbios name = GE1
> server string = GE1
> #
> security = user
> #
> passdb backend = ldapsam:"ldap://localhost"
> ldap suffix = dc=basedc
> ldap user suffix = ou=people
> ldap group suffix = ou=groups
> ldap admin dn = "cn=samba, dc=basedc"
> ldap ssl = Off
> # speedup, ignore NSS
> ldapsam:trusted = yes
> ########
> domain master = yes
> local master = yes
> preferred master = yes
> ##
> log level = 7
>
> [homes]
> comment = Home
> valid users = %S
> read only = No
> create mask = 0770
> browseable = No
>
> ##
>
> Am I doing something wrong? Is there a way to keep the bad password count in
> between logins? The login cache (/var/lib/samba/login_cache.tdb) seems to be
> ignored.
>
> tdbtool
>> open login_cache.tdb
>> keys
> key 12 bytes: dachouinard
>> dump
> [000] 76 64 C1 59 10 00 01 00 76 64 C1 59 vd.Y... vd.Y
>
> I am on CentOS 7.4 running Samba 4.6.2.
> I tested and have the same issue with the latest git (4.8.0pre1-GIT-ee4418e).
>
>
> Hopefully this is the right place to inquire about this.
>
> Your assistance is very appreciated
>
>
>
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
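The tdbtool dump quoted in the original post can be decoded to confirm what the login cache actually recorded after the failed attempt, which is the first thing to check before concluding that the cache is ignored. The following is an added example, not code from Samba or from either poster. It assumes the record layout used by source3/passdb/login_cache.c, which to my understanding is the tdb_pack format "dwwd" (uint32 entry_timestamp, uint16 acct_ctrl, uint16 bad_password_count, uint32 bad_password_time, all little-endian); the 12-byte record in the post matches that size. The lockout evaluation at the end only mirrors the threshold semantics described in the log lines ("policy=N"), not Samba's exact code path.

```python
"""Decode a Samba login_cache.tdb record as printed by `tdbtool dump`.

Added example (not Samba code). Assumed layout, from login_cache.c's
SAM_CACHE_FORMAT "dwwd": uint32 entry_timestamp, uint16 acct_ctrl,
uint16 bad_password_count, uint32 bad_password_time, little-endian.
"""
import re
import struct
from datetime import datetime, timezone
from typing import NamedTuple, Optional, Tuple, List

# Constructed from the `tdbtool dump` output quoted in the post.
TDBTOOL_DUMP_LINE = "[000] 76 64 C1 59 10 00 01 00 76 64 C1 59 vd.Y... vd.Y"

# tdb_pack "dwwd": d = uint32 LE, w = uint16 LE (assumed layout, see above)
RECORD = struct.Struct("<IHHI")

# acct_ctrl bits as defined in Samba's samr.idl (subset)
ACB_FLAGS = {
    0x0001: "ACB_DISABLED",
    0x0004: "ACB_PWNOTREQ",
    0x0010: "ACB_NORMAL",
    0x0200: "ACB_PWNOEXP",
    0x0400: "ACB_AUTOLOCK",
}

# Matches the run of hex byte pairs that follows the "[offset]" column and
# stops at the ASCII rendering tdbtool prints after them.
_HEX_RUN = re.compile(r"^\[[0-9A-Fa-f]+\]\s+((?:[0-9A-Fa-f]{2}\s+)+)")


class LoginCacheEntry(NamedTuple):
    entry_timestamp: int       # when login_cache_write stored the record
    acct_ctrl: int             # account control bits cached with it
    bad_password_count: int    # the counter the post is looking for
    bad_password_time: int     # time of the last failed attempt


def bytes_from_dump(line: str) -> bytes:
    """Return the raw bytes encoded in one tdbtool dump line."""
    m = _HEX_RUN.match(line)
    if not m:
        raise ValueError("not a tdbtool dump line: %r" % line)
    return bytes(int(tok, 16) for tok in m.group(1).split())


def decode_entry(raw: bytes) -> LoginCacheEntry:
    """Unpack one login cache record; rejects anything of the wrong size."""
    if len(raw) != RECORD.size:
        raise ValueError("expected %d bytes, got %d" % (RECORD.size, len(raw)))
    return LoginCacheEntry(*RECORD.unpack(raw))


def acct_ctrl_names(acct_ctrl: int) -> List[str]:
    """Human-readable names for the known acct_ctrl bits that are set."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if acct_ctrl & bit]


def utc_iso(epoch: int) -> str:
    """Render a cached epoch timestamp in UTC for comparison with log lines."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def lockout_state(entry: LoginCacheEntry,
                  lockout_threshold: int) -> Tuple[bool, Optional[int]]:
    """Evaluate the cached count against a lockout threshold ("policy" in the
    post's log lines). Returns (locked, attempts_remaining); a threshold of 0
    means lockout is disabled. Illustrative of the semantics, not Samba's code."""
    if lockout_threshold == 0:
        return False, None
    locked = entry.bad_password_count >= lockout_threshold
    return locked, max(lockout_threshold - entry.bad_password_count, 0)


if __name__ == "__main__":
    entry = decode_entry(bytes_from_dump(TDBTOOL_DUMP_LINE))
    print("entry written     :", utc_iso(entry.entry_timestamp))
    print("acct_ctrl         :", hex(entry.acct_ctrl), acct_ctrl_names(entry.acct_ctrl))
    print("bad_password_count:", entry.bad_password_count)
    print("bad_password_time :", utc_iso(entry.bad_password_time))
    for policy in (1, 4):
        print("policy=%d -> locked=%s remaining=%s" % ((policy,) + lockout_state(entry, policy)))
```

Run against the dump from the post, the record decodes to a count of 1 with both timestamps at 2017-09-19 18:39:50 UTC (about 85 seconds after the time=1505846305 in the quoted "updating bad password fields" line, i.e. a later failed attempt), so the cache write itself succeeded; the question the post raises is why that count is not picked up on the next login, which this decoder cannot answer but does narrow down.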