Bug 52913 – Password lockout in Samba/AD doesn't set locked bit in krb5KDCFlags in OpenLDAP

Bug 52913 - Password lockout in Samba/AD doesn't set locked bit in krb5KDCFlags in OpenLDAP


Summary:	Password lockout in Samba/AD doesn't set locked bit in krb5KDCFlags in OpenLDAP

Status:	NEW

Product:	UCS
Classification:	Unclassified
Component:	S4 Connector
Version:	UCS 5.0
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	Samba maintainers
QA Contact:	Samba maintainers

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2021-03-15 13:10 CET by Arvid Requate
Modified:	2021-05-07 10:38 CEST (History)
CC List:	3 users (show)

See Also:	52902
What kind of report is it?:	Development Internal
What type of bug is this?:	3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?:	1: Will affect a very few installed domains
How will those affected feel about the bug?:	4: A User would return the product
User Pain:	0.069
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2021030921000766
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2021-03-15 13:10:06 CET

Password lockout in Samba/AD is currently synchonized to OpenLDAP as "L" flag in sambaAccountFlags but the locked bit (17) is not set in krb5KDCFlags.

I guess this is a problem in Domains that have Samba/AD on a Primary Domain Controller but not on a Slave. Our Heimdal patch 0098-s4-badPwdCount-02-part1.quilt only checks that flag. In that case, authentication via Kerberos would probably not be locked on the DC Slave that runs a Heimdal KDC with OpenLDAP backend.