Paul Raines
2020-Dec-15 21:02 UTC
[Samba] old CIFS mount causes account lockout in AD when password changed
We had a user whose account in AD was locked out due to the bad auth limit after changing his password. The AD team would unlock it, but it would get locked again within a few minutes.

Eventually we got someone who could read the logs to find out that the bad auth errors were coming from one of the central storage servers. But no one could track it any further than that.

We eventually found that the user had made a mount.cifs mount on a Linux box, just doing

    mount.cifs //server/share /mnt/tmp -o user=ADuser,domain=ADdomain

that was still mounted. As soon as we unmounted it, the bad auth errors to AD went away and the account stayed unlocked in AD.

Is the cifs module caching the password and re-using it to reconnect if the connection is cut? Is there any way to prevent that or limit the attempts?
Aurélien Aptel
2020-Dec-16 10:39 UTC
[Samba] old CIFS mount causes account lockout in AD when password changed
Hi Paul,

Paul Raines via samba <samba at lists.samba.org> writes:
> Is the cifs module caching the password and re-using it to reconnect if
> the connection is cut? Is there any way to prevent that or limit the
> attempts?

Yes, the Linux kernel cifs.ko module does that. If the mount is switched to Kerberos auth, I guess you could avoid the password issue altogether.

There has been recent development to address this problem. I found [1]:

    b0dd940e582b6 cifs: fail i/o on soft mounts if sessionsetup errors out

which would make the syscalls on the mount points fail with EHOSTDOWN instead of retrying forever. Note that if a program keeps on trying anyway, it will result in the same situation.

That commit is in the kernel starting at v5.6 (March 2020). If that's too recent, you could request your Linux vendor to backport it.

BTW, for cifs.ko related questions there is a linux-cifs mailing list [2].

1: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b0dd940e582b6
2: http://vger.kernel.org/vger-lists.html#linux-cifs

Cheers,
--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)
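For tracking down a mount like the one in this thread, the following is an added example and not part of either message: a shell function that lists CIFS mounts on a Linux host that authenticate with a stored password rather than Kerberos, optionally filtered by account name. The function names and the sample mount table are constructed for illustration, and it assumes the kernel reports the `username=`, `domain=`, `sec=` and `soft`/`hard` options in `/proc/mounts`.

```shell
#!/bin/sh
# Added example (not from the thread): find CIFS mounts that keep retrying
# with a cached password after the AD password has changed.

# Constructed sample of /proc/mounts content, used so the script runs offline.
sample_mounts() {
    cat <<'EOF'
//server/share /mnt/tmp cifs rw,relatime,vers=3.1.1,sec=ntlmssp,username=ADuser,domain=ADdomain,soft,addr=192.0.2.10 0 0
//server/home /home/krbuser cifs rw,relatime,vers=3.1.1,sec=krb5,username=krbuser,hard,addr=192.0.2.10 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}

# list_password_cifs_mounts [MOUNTS_FILE] [USER]
#   MOUNTS_FILE  mount table to read (default /proc/mounts, "-" for stdin)
#   USER         only report mounts made with this account (case-insensitive)
# Prints: source mountpoint user= domain= sec= soft|hard
list_password_cifs_mounts() {
    mounts_file="${1:-/proc/mounts}"
    want_user="${2:-}"
    awk -v want="$want_user" '
    $3 == "cifs" || $3 == "smb3" {
        user = ""; domain = ""; sec = "unknown"; retry = "unknown"
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] ~ /^username=/)    user   = substr(opt[i], 10)
            else if (opt[i] ~ /^domain=/) domain = substr(opt[i], 8)
            else if (opt[i] ~ /^sec=/)    sec    = substr(opt[i], 5)
            else if (opt[i] == "soft" || opt[i] == "hard") retry = opt[i]
        }
        # Kerberos mounts use tickets, not a cached password: skip them.
        if (sec ~ /^krb5/) next
        if (want != "" && tolower(user) != tolower(want)) next
        printf "%s %s user=%s domain=%s sec=%s %s\n", $1, $2, user, domain, sec, retry
    }' "$mounts_file"
}

# Demo on the constructed sample; on a real host call it with no arguments.
sample_mounts | list_password_cifs_mounts -
```

Run on each Linux client that mounts from the storage server named in the AD logs; a `hard` mount in the output will retry indefinitely, and per the reply above a `soft` mount only stops retrying on kernels that carry commit b0dd940e582b6.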