I've seen error messages about this since we installed 1.9.18p10 of samba, so I went looking in the code for the context.

Here (from password.c) is the context:

/*
 * Attempt a session setup with a totally incorrect password.
 * If this succeeds with the guest bit *NOT* set then the password
 * server is broken and is not correctly setting the guest bit. We
 * need to detect this as some versions of NT4.x are broken. JRA.
 */

if (cli_session_setup(&cli, user, (char *)badpass, sizeof(badpass),
                      (char *)badpass, sizeof(badpass), domain)) {
  if ((SVAL(cli.inbuf,smb_vwv2) & 1) == 0) {
    DEBUG(0,("server_validate: password server %s allows users as non-guest \
with a bad password.\n", cli.desthost));
    DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
use this machine as the password server.\n"));
    cli_ulogoff(&cli);
    return False;
  }
  cli_ulogoff(&cli);
}

WHAT versions of NT4 have this problem? Obviously, we have one!

Jim

--
Jim Watt                        jimw@PE-Nelson.COM
Perkin-Elmer Corporation        Voice (desk): +1 408 577 2228
PE-Nelson Division              Fax:          +1 408 894 9307
3833 North First Street         Voice (main): +1 408 577 2200
San Jose CA 95134-1701
Christopher Kranz
1998-Sep-02 16:15 UTC
samba error message - "broken (and insecure) behavior"
Well this explains a problem we have been seeing for some time now. We have it configured so that 5 bad password attempts within 15 minutes causes the account to become locked out. Unfortunately we have lab accounts that are used by more than one person at the same time. This results in the lab accounts becoming locked out because a known bad password is always sent first.

Can this be changed? Is there a way to test the password server only once and not for each and every login attempt? I think this is a useful feature, but checking the same password server over and over again seems a little bit much. Perhaps a separate utility to check your password server is needed. Or perhaps this code should only be run once at initial start up?

Christopher Kranz
clk@cs.princeton.edu

--
Jim Watt wrote:
>
> I've seen error messages about this since we installed 1.9.18p10 of samba,
> so I went looking in the code for the context.
>
> Here (from password.c) is the context:
>
> /*
>  * Attempt a session setup with a totally incorrect password.
>  * If this succeeds with the guest bit *NOT* set then the password
>  * server is broken and is not correctly setting the guest bit. We
>  * need to detect this as some versions of NT4.x are broken. JRA.
>  */
>
> if (cli_session_setup(&cli, user, (char *)badpass, sizeof(badpass),
>                       (char *)badpass, sizeof(badpass), domain)) {
>   if ((SVAL(cli.inbuf,smb_vwv2) & 1) == 0) {
>     DEBUG(0,("server_validate: password server %s allows users as non-guest \
> with a bad password.\n", cli.desthost));
>     DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
> use this machine as the password server.\n"));
>     cli_ulogoff(&cli);
>     return False;
>   }
>   cli_ulogoff(&cli);
> }
>
> WHAT versions of NT4 have this problem? Obviously, we have one!
>
> Jim
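A constructed model of the interaction both messages describe, added here for illustration and not Samba code: the guest-bit check from password.c runs against a simulated NT password server that locks an account after 5 bad passwords, once per login (as in 1.9.18p10) and once per server with the result cached (the behaviour asked for above). The smb_vwv2 = 37 offset is Samba's; the server model, the broken-NT4 flag and the omission of the 15-minute window are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* From Samba's smb.h: inbuf starts with the 4-byte NetBIOS header, so the
 * SessionSetupAndX "action" word (bit 0 = guest login) is at smb_vwv2 = 37. */
#define SMB_VWV2 37
#define SVAL(buf, pos) ((uint16_t)((buf)[(pos)] | ((buf)[(pos) + 1] << 8)))
#define LOCKOUT_THRESHOLD 5   /* the "5 bad attempts" policy from the thread */

/* Constructed model of one account on the NT password server (15-minute window ignored). */
struct pw_account {
    bool broken_guest_bit;  /* NT4 bug: bad password accepted, guest bit left clear */
    int  bad_attempts;
    bool locked;
    bool probed, probe_ok;  /* cached result of the bad-password probe */
};

/* Simulated SessionSetupAndX: true on success; fills inbuf as cli_session_setup would. */
static bool session_setup(struct pw_account *a, bool correct_pw, unsigned char *inbuf)
{
    memset(inbuf, 0, 64);
    if (a->locked) return false;
    if (correct_pw) return true;                      /* action = 0: real user, not guest */
    if (++a->bad_attempts >= LOCKOUT_THRESHOLD) a->locked = true;
    if (!a->broken_guest_bit) inbuf[SMB_VWV2] = 1;   /* sane server: bad password -> guest */
    return true;                                      /* broken server: success, bit clear */
}

/* The password.c check: a bad password must not yield a non-guest session (false = broken). */
static bool server_validate(struct pw_account *a)
{
    unsigned char inbuf[64];
    return !(session_setup(a, false, inbuf) && (SVAL(inbuf, SMB_VWV2) & 1) == 0);
}

/* One login. probe_every_login mirrors 1.9.18p10; otherwise the probe result is
 * cached after the first login, so the shared account sees one bad attempt only. */
static bool login(struct pw_account *a, bool probe_every_login)
{
    unsigned char inbuf[64];
    if (probe_every_login || !a->probed) { a->probed = true; a->probe_ok = server_validate(a); }
    return a->probe_ok && session_setup(a, true, inbuf);
}

/* Logs in n times with the correct password and returns how many succeed. */
int successful_logins(int n, bool probe_every_login, bool broken_server)
{
    struct pw_account a = { broken_server, 0, false, false, false };
    int ok = 0;
    for (int i = 0; i < n; i++) ok += login(&a, probe_every_login);
    return ok;
}
```

With the probe on every login, six correct logins to a shared account yield only four successes before the lockout trips; with the cached probe all six succeed, and a broken server is still refused in both modes.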