Univention Bugzilla – Bug 52893
ppolicy password lockout sometimes doesn't trigger Samba/AD password lockout
Last modified: 2023-01-05 08:31:27 CET
If a user is locked out due to too many login attempts, Kerberos ignores it. This results in the password security policy not taking effect with Kerberos. So a brute-force attack is still possible.
Could you elaborate? In Samba/AD domains the KDC is actually provided by Samba, so this would be a bug in Samba, not in vanilla Heimdal KDC. I'll change the Bug component accordingly.
Ok, in my manual tests I could trigger a timing issue between OpenLDAP/ppolicy lockout and the S4-Connector:

* S4-Connector sync-ping-pong-timing may leave sambaAcctFlags unlocked. This depends on the timing of the failing LDAP bind attempts. The test protocol below (Test case 4) shows the good, intended behavior, but I'll attach a script that shows (in the code) how the timing can be changed to trigger the Bug.

In my pretty extensive manual tests I observed this situation:

* Lockout via LDAP-bind/ppolicy also triggers UDM lockout and is synchronized to Samba/AD (Kerberos & SMB logon) via S4-Connector
* Lockout via Samba/AD (Kerberos & SMB logon) synchronizes the lockout state to OpenLDAP sambaAcctFlags, which correctly shows the account as locked in UMC/UDM. But: the S4-Connector doesn't yet attempt to also lock the account for ppolicy/LDAP-binds, so LDAP simple bind is not locked then. -> Bug 52902
* UDM password lockout (triggered either via LDAP-simplebind/ppolicy or Samba/AD) doesn't lock out PAM based authentication -> Bug 52892
* badPwdCount is incremented by steps of 2: Looks similar to Bug #40328

Note: Depending on the actual use case of the login flow there are several combinations to test:

I) Lockout triggered by
   a) failed user login against Samba/AD (SMB or Kerberos)
   b) failed user login against OpenLDAP/UDM (ldapbind or UDM)
   c) failed user login against PAM (e.g. UMC or ssh)
   d) failed user login against SAML

II) Unlock triggered
   a) by good user login against Samba/AD (SMB or Kerberos)
   b) by good user login against OpenLDAP/UDM (ldapbind or UDM)
   c) by good user login against PAM (e.g. UMC or ssh)
   d) by good user login against SAML
   e) by admin (via UMC/UDM)

I only checked I.a)-I.c) and matching II.a)-II.c) here:

==================================================
### Test protocol:

root@dc0:~# lsb_release -r
Release:        4.4-7 errata907

# Samba/AD Domain Password policy:
root@dc0:~# samba-tool domain passwordsettings show
Password informations for domain 'DC=samltest,DC=intranet'
Password complexity: on
Store plaintext passwords: off
Password history length: 0
Minimum password length: 8
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 5
Account lockout threshold (attempts): 5
Reset account lockout after (mins): 5

# UCS faillog/pam_tally policy:
root@dc0:~# ucr search --brief faillog
auth/faillog/limit: <empty>
auth/faillog/lock_global: yes
auth/faillog/root: <empty>
auth/faillog/unlock_time: 300
auth/faillog: yes

# UCS ppolicy config:
root@dc0:~# ucr search --brief ppolicy
ldap/ppolicy/default: <empty>
ldap/ppolicy/enabled: yes
ldap/ppolicy: yes

root@dc0:~# univention-ldapsearch -LLL \
  -b "cn=default,cn=ppolicy,cn=univention,dc=samltest,dc=intranet" \
  -s base pwdLockout pwdMaxFailure pwdLockoutDuration pwdFailureCountInterval
dn: cn=default,cn=ppolicy,cn=univention,dc=samltest,dc=intranet
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 300
pwdFailureCountInterval: 300

### Test 1) Trigger lockout via SMB logon

# 1.1 Check account is ok:
root@dc0:~# ldapsearch -LLL -D uid=user1,cn=users,dc=samltest,dc=intranet -w univention uid=user1 1.1
dn: uid=user1,cn=users,dc=samltest,dc=intranet

root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser1%univention -c showconnect
//dc0.samltest.intranet/sysvol    ## SMB Logon works

root@dc0:~# echo -n univention | kinit --password-file=STDIN user1 && echo ok
ok
root@dc0:~# kdestroy

root@dc0:~# univention-ldapsearch -LLL uid=user1 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64
dn: uid=user1,cn=users,dc=samltest,dc=intranet
sambaBadPasswordCount: 0
userPassword: {crypt}$6$...
krb5KDCFlags: 126
sambaAcctFlags: [U ]
sambaBadPasswordTime: 0

root@dc0:~# univention-s4search samaccountname=user1 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
badPwdCount: 0
lockoutTime: 0

root@dc0:~# pam_tally --user user1
User user1 (2014) has 0

# 1.2 Trigger lockout via SMB
root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser1%wrong -c showconnect
session setup failed: NT_STATUS_LOGON_FAILURE
root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser1%wrong -c showconnect
session setup failed: NT_STATUS_LOGON_FAILURE
root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser1%wrong -c showconnect
session setup failed: NT_STATUS_ACCOUNT_LOCKED_OUT

root@dc0:~# univention-s4search samaccountname=user1 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
badPwdCount: 5
lockoutTime: 132601065227525280    ## locked

root@dc0:~# udm users/user list --filter username=user1 | egrep "^ +locked:"
  locked: 1

root@dc0:~# univention-ldapsearch -LLL uid=user1 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64
dn: uid=user1,cn=users,dc=samltest,dc=intranet
sambaBadPasswordCount: 0
userPassword: {crypt}$6$...
krb5KDCFlags: 126
sambaAcctFlags: [UL ]    ## Locked for UMC/UDM
sambaBadPasswordTime: 132601065227525280
## Note: ppolicy attributes are not set here

# 1.3 Check Kerberos:
root@dc0:~# echo -n univention | kinit --password-file=STDIN user1
kinit: krb5_get_init_creds: No PKINIT PA found

# Check SMB Logon:
root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser2%univention -c showconnect
session setup failed: NT_STATUS_ACCOUNT_LOCKED_OUT

## Bug 52902: LDAP simple bind is still possible:
root@dc0:~# ldapsearch -LLL -D uid=user1,cn=users,dc=samltest,dc=intranet -w univention uid=user1 1.1
dn: uid=user1,cn=users,dc=samltest,dc=intranet

## Bug 52892: PAM authentication is still possible:
root@dc0:~# pam_tally --user user1
User user1 (2014) has 0

## But the account is shown as locked in UDM:
root@dc0:~# udm users/user list --filter username=user1 | egrep "^ +locked:"
  locked: 1

### Test 2) Trigger lockout via Kerberos:

## 2.1 Check account is ok:
root@dc0:~# ldapsearch -LLL -D uid=user2,cn=users,dc=samltest,dc=intranet -w univention uid=user2 1.1
dn: uid=user2,cn=users,dc=samltest,dc=intranet

root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser2%univention -c showconnect && echo ok
//dc0.samltest.intranet/sysvol    ## SMB Logon works
ok
root@dc0:~# echo -n univention | kinit --password-file=STDIN user2 && echo ok
ok
root@dc0:~# kdestroy

root@dc0:~# univention-ldapsearch -LLL uid=user2 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64
dn: uid=user2,cn=users,dc=samltest,dc=intranet
sambaBadPasswordCount: 0
userPassword: {crypt}$6$...
krb5KDCFlags: 126
sambaAcctFlags: [U ]
sambaBadPasswordTime: 0

root@dc0:~# univention-s4search samaccountname=user2 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
lockoutTime: 0
badPwdCount: 0

root@dc0:~# pam_tally --user user2
User user2 (2015) has 0

## 2.2 Trigger lockout via Kerberos
root@dc0:~# echo -n wrong | kinit --password-file=STDIN user2
kinit: Password incorrect
root@dc0:~# univention-s4search samaccountname=user2 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
lockoutTime: 0
badPwdCount: 2    ## Bug: badPwdCount increased by 2: Looks similar to Bug #40328

root@dc0:~# echo -n wrong | kinit --password-file=STDIN user2
kinit: Password incorrect
root@dc0:~# univention-s4search samaccountname=user2 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
lockoutTime: 0
badPwdCount: 4

root@dc0:~# echo -n wrong | kinit --password-file=STDIN user2
kinit: krb5_get_init_creds: No PKINIT PA found
root@dc0:~# univention-s4search samaccountname=user2 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
badPwdCount: 5
lockoutTime: 132601065227525280

## 2.3 Check SMB Logon
root@dc0:~# kdestroy
root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser2%univention -c showconnect
session setup failed: NT_STATUS_ACCOUNT_LOCKED_OUT

## Bug 52902: LDAP simple bind is still possible:
root@dc0:~# ldapsearch -LLL -D uid=user2,cn=users,dc=samltest,dc=intranet -w univention uid=user2 1.1
dn: uid=user2,cn=users,dc=samltest,dc=intranet

# Bug 52892: PAM authentication is still possible:
root@dc0:~# pam_tally --user user2
User user2 (2015) has 0

## But the account is shown as locked in UDM:
root@dc0:~# udm users/user list --filter username=user1 | egrep "^ +locked:"
  locked: 1

### Test 3) Trigger via pam_tally:

## 3.1 Check account is ok:
root@dc0:~# ldapsearch -LLL -D uid=user3,cn=users,dc=samltest,dc=intranet -w univention uid=user3 1.1
dn: uid=user3,cn=users,dc=samltest,dc=intranet
root@dc0:~# pam_tally --user user3
User user3 (2016) has 0
root@dc0:~# univention-ldapsearch -LLL uid=user3 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64
dn: uid=user3,cn=users,dc=samltest,dc=intranet
sambaBadPasswordCount: 0
userPassword: {crypt}$6$...
krb5KDCFlags: 126
sambaAcctFlags: [U ]
sambaBadPasswordTime: 0

## 3.2 Trigger lockout via pam_tally
root@dc0:~# su - user1
user1@dc0:~$ su - user3
Passwort: <wrong1>
su: Fehler bei Authentifizierung

# Check Samba/AD counter too, because pam_krb5 is called in pam stack too:
root@dc0:~# univention-s4search samaccountname=user3 badPwdCount | grep '^badPwdCount: '
badPwdCount: 2

user1@dc0:~$ su - user3
Passwort: <wrong2>
su: Fehler bei Authentifizierung

# Check Samba/AD counter too, because pam_krb5 is called in pam stack too:
root@dc0:~# univention-s4search samaccountname=user3 badPwdCount | grep '^badPwdCount: '
badPwdCount: 4

user1@dc0:~$ su - user3
Passwort: <wrong3>
su: Fehler bei Authentifizierung

# Check Samba/AD counter too, because pam_krb5 is called in pam stack too:
root@dc0:~# univention-s4search samaccountname=user3 badPwdCount | grep '^badPwdCount: '
badPwdCount: 5

# Samba/AD account is locked, albeit a bit too early: Looks similar to Bug #40328
root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser3%univention -c showconnect
session setup failed: NT_STATUS_ACCOUNT_LOCKED_OUT
root@dc0:~# echo -n univention | kinit --password-file=STDIN user3
kinit: krb5_get_init_creds: No PKINIT PA found

# go on with PAM logons:
user1@dc0:~$ su - user3
Passwort: <wrong4>
su: Fehler bei Authentifizierung
user1@dc0:~$ su - user3
Passwort: <wrong5>
su: Fehler bei Authentifizierung
user1@dc0:~$ su - user3
Das Konto ist wegen 6 fehlgeschlagener Anmelde-Versuche gesperrt

# Account is locked
root@dc0:~# pam_tally --user user3
User user3 (2016) has 6

## 3.3 Check udm state, Kerberos & SMB Logon
root@dc0:~# udm users/user list --filter username=user3 | egrep "^ +locked:"
  locked: 1
root@dc0:~# univention-ldapsearch -LLL uid=user3 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64
dn: uid=user3,cn=users,dc=samltest,dc=intranet
sambaBadPasswordCount: 0
userPassword: {crypt}$6$vo0uCFCrdkEIPu7M$8MlZnFFcXnCd637TZ4h5GufiYYraOjW7zweHxEMkTN.VmifwAWSwEQf1sWpRKC9DLOLNcTixOMldjNxJ94oUZ1
krb5KDCFlags: 126
sambaAcctFlags: [UL ]
sambaBadPasswordTime: 132600923570000000
root@dc0:~# univention-s4search samaccountname=user2 badPwdCount | grep '^badPwdCount: '
badPwdCount: 5

### Test 4) Trigger via ppolicy:

## 4.1 Check account is ok:
root@dc0:~# univention-ldapsearch -LLL uid=user4 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64
dn: uid=user4,cn=users,dc=samltest,dc=intranet
sambaAcctFlags: [U ]
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
userPassword: {crypt}$6$...
krb5KDCFlags: 126
root@dc0:~# pam_tally --user user4
User user4 (2017) has 0
root@dc0:~# univention-s4search samaccountname=user4 badPwdCount userAccountControl | egrep '^(badPwdCount|userAccountControl): '
userAccountControl: 512
badPwdCount: 0
root@dc0:~# echo -n univention | kinit --password-file=STDIN user4 && echo ok
ok
root@dc0:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: user4@SAMLTEST.INTRANET

  Issued                Expires               Principal
Mar 13 08:21:18 2021  Mar 13 18:21:18 2021  krbtgt/SAMLTEST.INTRANET@SAMLTEST.INTRANET
root@dc0:~# kdestroy
root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser4%univention -c showconnect
//dc0.samltest.intranet/sysvol    ## SMB Logon works

## 4.2 Trigger lockout via ppolicy
root@dc0:~# ldapsearch -LLL -D uid=user4,cn=users,dc=samltest,dc=intranet -w wrong uid=user4 1.1
ldap_bind: Invalid credentials (49)
root@dc0:~# ldapsearch -LLL -D uid=user4,cn=users,dc=samltest,dc=intranet -w wrong uid=user4 1.1
ldap_bind: Invalid credentials (49)
root@dc0:~# ldapsearch -LLL -D uid=user4,cn=users,dc=samltest,dc=intranet -w wrong uid=user4 1.1
ldap_bind: Invalid credentials (49)
root@dc0:~# ldapsearch -LLL -D uid=user4,cn=users,dc=samltest,dc=intranet -w wrong uid=user4 1.1
ldap_bind: Invalid credentials (49)
root@dc0:~# ldapsearch -LLL -D uid=user4,cn=users,dc=samltest,dc=intranet -w wrong uid=user4 1.1
ldap_bind: Invalid credentials (49)

# Confirm LDAP lockout
root@dc0:~# ldapsearch -LLL -D uid=user4,cn=users,dc=samltest,dc=intranet -w univention uid=user4 1.1 || echo ok
ldap_bind: Invalid credentials (49)
ok

## 4.3 check LDAP attribute state, UDM state, Samba/AD attributes, local faillog, SMB Logon, Kerberos auth
root@dc0:~# univention-ldapsearch -LLL uid=user4 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64
dn: uid=user4,cn=users,dc=samltest,dc=intranet
sambaBadPasswordCount: 0
userPassword: {crypt}$6$ogrbpJRQrEhP4aLF$U7SiwkCNR5dLOAov0Sb27DihxdH4WvLRoIg0.8TYLPPniql.TZtYK2R/Rlkup53r7MrOvA97wnxN5hWK1DFU71
krb5KDCFlags: 126
pwdFailureTime: 20210313100640.171897Z
pwdFailureTime: 20210313100640.199390Z
pwdFailureTime: 20210313100640.216640Z
pwdFailureTime: 20210313100640.235599Z
pwdFailureTime: 20210313100640.252073Z
sambaBadPasswordTime: 132601036000000000
sambaAcctFlags: [UL ]
pwdAccountLockedTime: 20210313100640Z
root@dc0:~# udm users/user list --filter username=user4 | egrep "^ +locked:"
  locked: 1
root@dc0:~# univention-s4search samaccountname=user4 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
badPwdCount: 0
lockoutTime: 132600937780000000    ## Ok, locked

## Check SMB Logon:
root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser4%univention -c showconnect
session setup failed: NT_STATUS_ACCOUNT_LOCKED_OUT

## Check Kerberos auth
root@dc0:~# echo -n univention | kinit --password-file=STDIN user4
kinit: krb5_get_init_creds: No PKINIT PA found

## Check state of local faillog/pam_tally:
root@dc0:~# pam_tally --user user4
User user4 (2017) has 0

## 4.4 Wait for unlock and check LDAP attribute state, UDM state, Samba/AD attributes, local faillog, SMB Logon, Kerberos auth
root@dc0:~# sleep 300

# Check state of LDAP attributes (should still show the locked state):
root@dc0:~# univention-ldapsearch -LLL uid=user4 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64
dn: uid=user4,cn=users,dc=samltest,dc=intranet
sambaBadPasswordCount: 0
userPassword: {crypt}$6$ogrbpJRQrEhP4aLF$U7SiwkCNR5dLOAov0Sb27DihxdH4WvLRoIg0.8TYLPPniql.TZtYK2R/Rlkup53r7MrOvA97wnxN5hWK1DFU71
krb5KDCFlags: 126
pwdFailureTime: 20210313100640.171897Z
pwdFailureTime: 20210313100640.199390Z
pwdFailureTime: 20210313100640.216640Z
pwdFailureTime: 20210313100640.235599Z
pwdFailureTime: 20210313100640.252073Z
sambaBadPasswordTime: 132601036000000000
sambaAcctFlags: [UL ]
pwdAccountLockedTime: 20210313100640Z

# Check UDM account state (should still show the locked state):
root@dc0:~# udm users/user list --filter username=user4 | egrep "^ +locked:"
  locked: 1

# Check state of Samba/AD attributes (should still show the locked state):
root@dc0:~# univention-s4search samaccountname=user4 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
badPwdCount: 0
lockoutTime: 132601036000000000

# Check SMB Logon works again -> This triggers the unlock in Samba/AD
root@dc0:~# smbclient //$(hostname -f)/sysvol -Uuser4%univention -c showconnect && echo ok
//dc0.samltest.intranet/sysvol    ## SMB Logon works again
ok

# Check Kerberos auth works again
root@dc0:~# echo -n univention | kinit --password-file=STDIN user4 && echo ok
ok

# Check state of Samba/AD attributes (should show unlocked state now):
root@dc0:~# univention-s4search samaccountname=user4 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
badPwdCount: 0
lockoutTime: 0

# Check state of LDAP attributes (should show sambaAcctFlags unlocked but still show the ppolicy locked state):
root@dc0:~# univention-ldapsearch -LLL uid=user4 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64
dn: uid=user4,cn=users,dc=samltest,dc=intranet
sambaBadPasswordCount: 0
userPassword: {crypt}$6$ogrbpJRQrEhP4aLF$U7SiwkCNR5dLOAov0Sb27DihxdH4WvLRoIg0.8TYLPPniql.TZtYK2R/Rlkup53r7MrOvA97wnxN5hWK1DFU71
krb5KDCFlags: 126
pwdFailureTime: 20210313100640.171897Z
pwdFailureTime: 20210313100640.199390Z
pwdFailureTime: 20210313100640.216640Z
pwdFailureTime: 20210313100640.235599Z
pwdFailureTime: 20210313100640.252073Z
pwdAccountLockedTime: 20210313100640Z
sambaAcctFlags: [U ]
sambaBadPasswordTime: 0

# Check UDM account state (should show the unlocked state):
root@dc0:~# udm users/user list --filter username=user4 | egrep "^ +locked:"
  locked: 0

# Check LDAP bind (should work now):
root@dc0:~# ldapsearch -LLL -D uid=user4,cn=users,dc=samltest,dc=intranet -w univention uid=user4 1.1 || echo ok
dn: uid=user4,cn=users,dc=samltest,dc=intranet

# Check state of LDAP attributes (should show full unlocked state now):
root@dc0:~# univention-ldapsearch -LLL uid=user4 \
  userPassword sambaBadPasswordCount krb5KDCFlags sambaAcctFlags sambaBadPasswordTime pwdFailureTime pwdAccountLockedTime | ldapsearch-decode64
dn: uid=user4,cn=users,dc=samltest,dc=intranet
sambaBadPasswordCount: 0
userPassword: {crypt}$6$ogrbpJRQrEhP4aLF$U7SiwkCNR5dLOAov0Sb27DihxdH4WvLRoIg0.8TYLPPniql.TZtYK2R/Rlkup53r7MrOvA97wnxN5hWK1DFU71
krb5KDCFlags: 126
sambaAcctFlags: [U ]
sambaBadPasswordTime: 0

# Check UDM account state (should show unlocked state):
root@dc0:~# udm users/user list --filter username=user4 | egrep "^ +locked:"
  locked: 0

# Check state of Samba/AD attributes (should show unlocked state):
root@dc0:~# univention-s4search samaccountname=user4 | egrep '^(badPwdCount|userAccountControl|lockoutTime): '
userAccountControl: 512
badPwdCount: 0
lockoutTime: 0
root@dc0:~# pam_tally --user user4
User user4 (2017) has 0
==================================================
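The protocol above compares three separate lockout records by hand: the ppolicy attributes in OpenLDAP, the "L" flag in sambaAcctFlags that UDM reports as "locked", and the Samba/AD lockoutTime that Kerberos and SMB logons enforce. The following is an added checker (not part of the bug report or of the attached check-password-lockout.sh) that parses attribute output in the format quoted above, evaluates per backend whether a lock is still in force at a given time, and names the login paths that would still accept the password. It assumes the 300 s lockout duration of the test setup applies to both ppolicy and Samba/AD; the sample entry is constructed after Test 1.3, where the lock came via SMB and no ppolicy attributes were written.

```python
# Added example: cross-check the three lockout states discussed in this report:
# ppolicy (pwdAccountLockedTime), the "L" flag in sambaAcctFlags that UDM shows
# as "locked", and the Samba/AD lockoutTime enforced for Kerberos/SMB logons.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LOCKOUT_DURATION = timedelta(seconds=300)  # assumed: pwdLockoutDuration / AD lockout duration

def parse_ldif(text):
    """Return {attribute: [values]} from one entry as printed by ldapsearch -LLL."""
    attrs = {}
    for line in text.strip().splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            attrs.setdefault(key, []).append(value)
    return attrs

def filetime_to_datetime(value):
    """AD/Samba FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)

def generalized_time_to_datetime(value):
    """LDAP GeneralizedTime such as 20210313100640.171897Z -> aware datetime."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def lock_state(ldap_entry, s4_entry, now):
    """Return which backend would still enforce a lock at time `now`."""
    ldap, s4 = parse_ldif(ldap_entry), parse_ldif(s4_entry)
    locked = ldap.get("pwdAccountLockedTime", [None])[0]
    # ppolicy stores 000001010000Z for a permanent (administrative) lock
    ppolicy = bool(locked) and (locked.startswith("000001010000")
                                or generalized_time_to_datetime(locked) + LOCKOUT_DURATION > now)
    lockout = int(s4.get("lockoutTime", ["0"])[0])
    samba_ad = lockout != 0 and filetime_to_datetime(lockout) + LOCKOUT_DURATION > now
    return {"ppolicy": ppolicy, "samba_ad": samba_ad,
            "sambaAcctFlags": "L" in ldap.get("sambaAcctFlags", ["[U ]"])[0]}

def open_auth_paths(state):
    """Login paths that still accept the password although a lock is recorded."""
    if not any(state.values()):
        return []
    paths = []
    if not state["ppolicy"]:
        paths.append("LDAP simple bind (ppolicy)")
    if not state["samba_ad"]:
        paths.append("Kerberos/SMB (Samba/AD)")
    return paths

# Constructed sample modelled on Test 1.3: the lockout came via SMB, so
# sambaAcctFlags and lockoutTime are set but no ppolicy attributes exist.
LDAP_AFTER_SMB_LOCK = """dn: uid=user1,cn=users,dc=samltest,dc=intranet
sambaAcctFlags: [UL ]
sambaBadPasswordTime: 132601065227525280"""
S4_AFTER_SMB_LOCK = """badPwdCount: 5
lockoutTime: 132601065227525280"""

def check_sample():
    """Evaluate the constructed sample one minute after the lock was recorded."""
    now = filetime_to_datetime(132601065227525280) + timedelta(seconds=60)
    return lock_state(LDAP_AFTER_SMB_LOCK, S4_AFTER_SMB_LOCK, now)
```

For the sample, `check_sample()` reports ppolicy unlocked while sambaAcctFlags and Samba/AD are locked, and `open_auth_paths()` names the LDAP simple bind, which is the Bug 52902 situation observed in Test 1.3.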
Created attachment 10641
check-password-lockout.sh

This checks Test 4.
I set the "Waiting Support" flag because of Ticket #2021121421000141.