Univention Bugzilla – Bug 40328
badPwdCount increased by 2
Last modified: 2021-03-14 20:48:15 CET
Ticket#: 2015122221000271 reports that badPwdCount increases by 2 when a bad password is entered at the Windows login password prompt. Same with kinit.

+++ This bug was initially created as a clone of Bug #34156 +++
Confirmed for UCS 4.0-4 errata 377:
======================================================================
root@master50:~# samba-tool domain passwordsettings set \
    --account-lockout-threshold=3 \
    --account-lockout-duration=5 \
    --reset-account-lockout-after=1
Account lockout duration changed!
Account lockout threshold changed!
Duration to reset account lockout after changed!
All changes applied successfully!
root@master50:~# udm users/user create --set username=user1 \
    --set lastname=name1 --set password=univention
Object created: uid=user1,dc=ar40i1,dc=qa
root@master50:~# univention-s4search samaccountname=user1 > 1
root@master50:~# kinit user1@AR40I1.QA's Password:
kinit: Password incorrect
root@master50:~# univention-s4search samaccountname=user1 > 2
root@master50:~# diff 1 2
16d15
< badPwdCount: 0
19d17
< badPasswordTime: 0
33a32,33
> badPwdCount: 2
> badPasswordTime: 130614835027791190
======================================================================

I guess it's kerberos related, because smbclient only increases by 1:
======================================================================
root@master50:~# smbclient //master50/sysvol -U user1%univention -c showconnect
Domain=[AR40I1] OS=[Windows 6.1] Server=[Samba 4.2.3-Debian]
//master50/sysvol
root@master50:~# univention-s4search samaccountname=user1 > 3
root@master50:~# smbclient //master50/sysvol -U user1%wrongpw -c showconnect
session setup failed: NT_STATUS_LOGON_FAILURE
root@master50:~# univention-s4search samaccountname=user1 > 4
root@master50:~# diff 3 4
32,33c32,33
< badPasswordTime: 130614836658021070
< badPwdCount: 0
---
> badPwdCount: 1
> badPasswordTime: 130614839694013300
======================================================================
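A regression check for the reproduction above, as an added example (not part of the bug report or of Univention's test suite): it compares two `univention-s4search` snapshots taken around a known number of failed logons and reports the per-attempt increment and its effect on the lockout threshold. The function names are hypothetical, the snapshots are constructed from the values shown in the first diff, and it assumes that lockout triggers once badPwdCount reaches the threshold and that a missing attribute counts as 0.

```python
import math
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpts of `univention-s4search samaccountname=user1` output,
# reduced to the attributes the first diff on this page shows changing.
BEFORE_KINIT = """\
sAMAccountName: user1
badPwdCount: 0
badPasswordTime: 0
"""
AFTER_KINIT = """\
sAMAccountName: user1
badPwdCount: 2
badPasswordTime: 130614835027791190
"""

def ldif_int(snapshot, attr, default=0):
    """Return an integer attribute from LDIF-style text (missing -> default)."""
    m = re.search(rf"^{re.escape(attr)}:\s*(-?\d+)\s*$", snapshot, re.M | re.I)
    return int(m.group(1)) if m else default

def filetime_to_utc(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    if filetime == 0:
        return None  # 0 means no bad password has been recorded
    epoch_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch_1601 + timedelta(microseconds=filetime // 10)

def check_increment(before, after, failed_attempts, lockout_threshold):
    """Compare two snapshots taken around a known number of failed logons."""
    if failed_attempts < 1:
        raise ValueError("failed_attempts must be at least 1")
    delta = ldif_int(after, "badPwdCount") - ldif_int(before, "badPwdCount")
    per_attempt = delta / failed_attempts
    # Assumption: the account locks once badPwdCount >= lockout_threshold.
    until_lockout = (math.ceil(lockout_threshold / per_attempt)
                     if per_attempt > 0 else None)
    return {
        "delta": delta,
        "per_attempt": per_attempt,
        "ok": per_attempt == 1,
        "attempts_until_lockout": until_lockout,
        "last_bad_password": filetime_to_utc(ldif_int(after, "badPasswordTime")),
    }

if __name__ == "__main__":
    # One failed kinit with --account-lockout-threshold=3, as in the report.
    print(check_increment(BEFORE_KINIT, AFTER_KINIT, 1, 3))
```

With the threshold of 3 configured above, an increment of 2 per attempt means the account would lock after two wrong passwords instead of three.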
We are currently unable to reproduce it.
I was able to reproduce it with Samba 4.3.3 (current UCS 4.1-0-errata scope). I've uploaded Samba debug and a tcpdump network trace to the Samba upstream bug: https://bugzilla.samba.org/show_bug.cgi?id=11539
Interestingly this issue started to appear in UCS 4.0-4, maybe due to Bug 39244. In UCS 4.0-3 erratalevel 285 the badPwdCount properly increases by 1. I checked: The 0098-s4-badPwdCount patch hunks we applied to our system Heimdal are also in the Samba 4.2.3 builtin Heimdal. Yet, the same Samba version differs in behaviour when built against the builtin Heimdal.
Package has been built with 99_fix_badPwdCount_increase_by_2.patch, continuing with tests.
Advisory: samba.yaml
(In reply to Arvid Requate from comment #5)
> Package has been built with 99_fix_badPwdCount_increase_by_2.patch,
> continuing with tests.

winexe is missing again - Jenkins-S4-Slave is stuck again
Package: winexe
Version: 2.0.1-1.43.201601161542
Branch: ucs_4.1-0
Scope: errata4.1-0
(In reply to Arvid Requate from comment #5)
> Package has been built with 99_fix_badPwdCount_increase_by_2.patch,
> continuing with tests.

I'm not sure if these changes are the reason but the Jenkins tests fail since Friday. For example the member server join into a Samba 4 domain:
--------------------------------------------------------------------------------
Setting stored password for "cn=member097,cn=memberserver,cn=computers,dc=autotest097,dc=local" in secrets.tdb
setting idmap secret for '*' from /etc/machine.secret
Secret stored
Stopping Samba daemons: nmbd smbd.
Starting Samba daemons: nmbd smbd.
Create kerberos/defaults/dns_lookup_kdc
Create kerberos/kdc
File: /etc/krb5.conf
Object modified: cn=member097,cn=memberserver,cn=computers,dc=autotest097,dc=local
kerberos_kinit_password Administrator@AUTOTEST097.LOCAL failed: Additional pre-authentication required
Failed to join domain: failed to connect to AD: Additional pre-authentication required
kerberos_kinit_password Administrator@AUTOTEST097.LOCAL failed: Additional pre-authentication required
Failed to join domain: failed to connect to AD: Additional pre-authentication required
Failed to join domain: Invalid configuration ("workgroup" set to 'AUTOTEST097', should be 'MEMBER097'"realm" set to 'AUTOTEST097.LOCAL', should be '(null)'"security" set to 'ads', should be 'domain') and configuration modification was not requested
ERROR: Failed to join via net ads join. Please check your Samba DCs and your DNS and WINS configuration.
Sun Jan 17 18:20:09 EST 2016: finish /usr/share/univention-join/univention-join
--------------------------------------------------------------------------------
http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-0/job/Autotest%20MultiEnv/SambaVersion=s4,Systemrolle=member/ws/join.log
The package has been rebuilt with the updated patch. Windows client test and UCS Memberserver join have been successful.

Advisory: samba.yaml
Should it be moved to 4.1-1-errata?
Target milestone adjusted. Package had been built in errata4.1-1 already. I also initiated the winexe build now in that scope.
Tests: OK (At least it works for Windows client. kinit results in a +2 but it seems to be a Heimdal kinit bug)
ucs-test / Jenkins: OK
YAML: OK

I've created a new bug against ucs-test: Bug #40852.
<http://errata.software-univention.de/ucs/4.1/124.html>