Bug 52913 - Password lockout in Samba/AD doesn't set locked bit in krb5KDCFlags in OpenLDAP
Summary: Password lockout in Samba/AD doesn't set locked bit in krb5KDCFlags in OpenLDAP
Status: NEW
Alias: None
Product: UCS
Classification: Unclassified
Component: S4 Connector
Version: UCS 5.0
Hardware: Other Linux
: P5 normal
Target Milestone: ---
Assignee: Samba maintainers
QA Contact: Samba maintainers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-15 13:10 CET by Arvid Requate
Modified: 2021-05-07 10:38 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.069
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021030921000766
Bug group (optional):
Customer ID:
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2021-03-15 13:10:06 CET 
Password lockout in Samba/AD is currently synchonized to OpenLDAP as "L" flag in sambaAccountFlags but the locked bit (17) is not set in krb5KDCFlags.

I guess this is a problem in Domains that have Samba/AD on a Primary Domain Controller but not on a Slave. Our Heimdal patch 0098-s4-badPwdCount-02-part1.quilt only checks that flag. In that case, authentication via Kerberos would probably not be locked on the DC Slave that runs a Heimdal KDC with OpenLDAP backend.