Bug 40328 - badPwdCount increased by 2
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.1
Hardware: Other Linux
Importance: P2 normal
Target Milestone: UCS 4.1-1-errata
Assigned To: Arvid Requate
QA Contact: Stefan Gohmann
URL: https://bugzilla.samba.org/show_bug.c...
Blocks: 40852 40680 40847
Reported: 2015-12-22 14:52 CET by Arvid Requate
Modified: 2016-03-08 17:06 CET

Description Arvid Requate univentionstaff 2015-12-22 14:52:11 CET
Ticket#: 2015122221000271 reports that badPwdCount increases by 2 when a bad password is entered at the Windows login password prompt. Same with kinit.


+++ This bug was initially created as a clone of Bug #34156 +++
Comment 1 Arvid Requate univentionstaff 2015-12-23 12:32:02 CET
Confirmed for UCS 4.0-4 errata 377:
======================================================================
root@master50:~# samba-tool domain passwordsettings set \
  --account-lockout-threshold=3 \
  --account-lockout-duration=5 \
  --reset-account-lockout-after=1
Account lockout duration changed!
Account lockout threshold changed!
Duration to reset account lockout after changed!
All changes applied successfully!

root@master50:~# udm users/user create --set username=user1 \
                    --set lastname=name1 --set password=univention
Object created: uid=user1,dc=ar40i1,dc=qa

root@master50:~# univention-s4search samaccountname=user1 > 1
root@master50:~# kinit
user1@AR40I1.QA's Password: 
kinit: Password incorrect
root@master50:~# univention-s4search samaccountname=user1 > 2
root@master50:~# diff 1 2
16d15
< badPwdCount: 0
19d17
< badPasswordTime: 0
33a32,33
> badPwdCount: 2
> badPasswordTime: 130614835027791190
======================================================================

I guess it's Kerberos related, because smbclient only increases by 1:
======================================================================
root@master50:~# smbclient //master50/sysvol -U user1%univention -c showconnect
Domain=[AR40I1] OS=[Windows 6.1] Server=[Samba 4.2.3-Debian]
//master50/sysvol
root@master50:~# univention-s4search samaccountname=user1 > 3

root@master50:~# smbclient //master50/sysvol -U user1%wrongpw -c showconnect
session setup failed: NT_STATUS_LOGON_FAILURE
root@master50:~# univention-s4search samaccountname=user1 > 4
root@master50:~# diff 3 4
32,33c32,33
< badPasswordTime: 130614836658021070
< badPwdCount: 0
---
> badPwdCount: 1
> badPasswordTime: 130614839694013300
======================================================================
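
Added example, not part of the bug report or of UCS: a shell check that compares two saved search outputs (like files `1` and `2` in comment 1) and reports whether a single failed logon moved badPwdCount by more than 1. The function names and sample snapshots are constructed for illustration, and `failures_until_lockout` assumes the account locks once badPwdCount reaches the configured threshold.

```shell
#!/bin/bash
# Added example, not from the bug report: measure how far badPwdCount moved
# between two saved search outputs (files "1" and "2" in comment 1).

# Print badPwdCount from a saved output; a missing attribute counts as 0.
bad_pwd_count() {
    awk -F': *' '$1 == "badPwdCount" { v = $2 } END { print v + 0 }' "$1"
}

# Classify the change caused by exactly one failed logon.
check_single_failure() {
    local delta=$(( $(bad_pwd_count "$2") - $(bad_pwd_count "$1") ))
    if [ "$delta" -eq 1 ]; then echo "OK delta=1"
    elif [ "$delta" -gt 1 ]; then echo "OVERCOUNT delta=$delta"
    else echo "UNEXPECTED delta=$delta"
    fi
}

# Failed logons needed to reach the lockout threshold when each failure
# adds $2 to the counter (ceiling division). Assumes lockout at count >= threshold.
failures_until_lockout() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# Constructed sample snapshots using the attribute values shown in comment 1.
tmp=$(mktemp -d)
printf 'sAMAccountName: user1\nbadPwdCount: 0\nbadPasswordTime: 0\n' > "$tmp/before"
printf 'sAMAccountName: user1\nbadPwdCount: 2\nbadPasswordTime: 130614835027791190\n' > "$tmp/kinit"
printf 'sAMAccountName: user1\nbadPwdCount: 1\nbadPasswordTime: 130614839694013300\n' > "$tmp/smb"

check_single_failure "$tmp/before" "$tmp/kinit"   # kinit case from comment 1
check_single_failure "$tmp/before" "$tmp/smb"     # smbclient case from comment 1
echo "lockout after $(failures_until_lockout 3 2) failed logons at threshold 3"
```

With the threshold of 3 set in comment 1, a step of 2 per failure means the threshold is reached one failed logon earlier than with a step of 1.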
Comment 2 Stefan Gohmann univentionstaff 2015-12-29 10:55:56 CET
We are currently unable to reproduce it.
Comment 3 Stefan Gohmann univentionstaff 2015-12-29 13:16:42 CET
I was able to reproduce it with Samba 4.3.3 (current UCS 4.1-0-errata scope). I've uploaded Samba debug and a tcpdump network trace to the Samba upstream bug:
 
 https://bugzilla.samba.org/show_bug.cgi?id=11539
Comment 4 Arvid Requate univentionstaff 2016-01-07 20:08:44 CET
Interestingly this issue started to appear in UCS 4.0-4, maybe due to Bug 39244.
In UCS 4.0-3 erratalevel 285 the badPwdCount properly increases by 1.

I checked: The 0098-s4-badPwdCount patch hunks we applied to our system Heimdal are also in the Samba 4.2.3 builtin Heimdal. Yet, the same Samba version differs in behaviour when built against the builtin Heimdal.
Comment 5 Arvid Requate univentionstaff 2016-01-15 10:34:24 CET
Package has been built with 99_fix_badPwdCount_increase_by_2.patch,
continuing with tests.
Comment 6 Arvid Requate univentionstaff 2016-01-15 10:54:18 CET
Advisory: samba.yaml
Comment 7 Philipp Hahn univentionstaff 2016-01-16 15:41:34 CET
(In reply to Arvid Requate from comment #5)
> Package has been built with 99_fix_badPwdCount_increase_by_2.patch,
> continuing with tests.

winexe is missing again - Jenkins-S4-Slave is stuck again
Comment 8 Philipp Hahn univentionstaff 2016-01-16 15:43:30 CET
Package: winexe
Version: 2.0.1-1.43.201601161542
Branch: ucs_4.1-0
Scope: errata4.1-0
Comment 9 Stefan Gohmann univentionstaff 2016-01-18 06:59:44 CET
(In reply to Arvid Requate from comment #5)
> Package has been built with 99_fix_badPwdCount_increase_by_2.patch,
> continuing with tests.

I'm not sure if these changes are the reason, but the Jenkins tests have been failing since Friday. For example, the member server join into a Samba 4 domain:
--------------------------------------------------------------------------------
Setting stored password for "cn=member097,cn=memberserver,cn=computers,dc=autotest097,dc=local" in secrets.tdb
setting idmap secret for '*' from /etc/machine.secret
Secret stored
Stopping Samba daemons: nmbd smbd.
Starting Samba daemons: nmbd smbd.
Create kerberos/defaults/dns_lookup_kdc
Create kerberos/kdc
File: /etc/krb5.conf
Object modified: cn=member097,cn=memberserver,cn=computers,dc=autotest097,dc=local
kerberos_kinit_password Administrator@AUTOTEST097.LOCAL failed: Additional pre-authentication required
Failed to join domain: failed to connect to AD: Additional pre-authentication required
kerberos_kinit_password Administrator@AUTOTEST097.LOCAL failed: Additional pre-authentication required
Failed to join domain: failed to connect to AD: Additional pre-authentication required
Failed to join domain: Invalid configuration ("workgroup" set to 'AUTOTEST097', should be 'MEMBER097'"realm" set to 'AUTOTEST097.LOCAL', should be '(null)'"security" set to 'ads', should be 'domain') and configuration modification was not requested
ERROR: Failed to join via net ads join. Please check your Samba DCs and your DNS and WINS configuration.
Sun Jan 17 18:20:09 EST 2016: finish /usr/share/univention-join/univention-join
--------------------------------------------------------------------------------
http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-0/job/Autotest%20MultiEnv/SambaVersion=s4,Systemrolle=member/ws/join.log
Comment 10 Arvid Requate univentionstaff 2016-02-16 19:56:47 CET
The package has been rebuilt with the updated patch. Windows client test and UCS Memberserver join have been successful.

Advisory: samba.yaml
Comment 11 Stefan Gohmann univentionstaff 2016-02-18 10:17:40 CET
Should it be moved to 4.1-1-errata?
Comment 12 Arvid Requate univentionstaff 2016-02-18 13:42:53 CET
Target milestone adjusted. Package had been built in errata4.1-1 already. I also initiated the winexe build now in that scope.
Comment 13 Stefan Gohmann univentionstaff 2016-03-07 20:41:24 CET
Tests: OK (At least it works for Windows client. kinit results in a +2 but it seems to be a Heimdal kinit bug)

ucs-test / Jenkins: OK

YAML: OK

I've created a new bug against ucs-test: Bug #40852.
Comment 14 Janek Walkenhorst univentionstaff 2016-03-08 17:06:11 CET
<http://errata.software-univention.de/ucs/4.1/124.html>