On Thursday, December 5, 2002, at 06:59 AM, Martijn van Brummelen
wrote:
> At this moment I am running a samba-ldap-pdc. This works really well.
> But what worries me is the following thing: user accounts never get
> locked. This is a problem because anyone can guess or use brute force
> to enter a password. Is there a solution/workaround for this?
> I want the following situation: when a user tries to log on 4 times, I
> want the account to be locked out. Winnt disables the account for
> several minutes and then the account is locked out.
This subject has come up several times in the past couple of weeks. I
just went down this road myself, actually.
Samba has no built-in facility for accomplishing what you need.
However, if you are familiar with PAM, there is a PAM module
(pam_tally) that is specifically for locking out an account after a
specified number of failed logon attempts. (A successful logon resets
the count to zero any time before the limit is reached.)
If you have configured Samba with 'obey pam restrictions = yes' in the
smb.conf file, Samba will fail the logon once pam_tally's retry limit
is reached. However, the kicker is that if you are using encrypted
passwords with Samba, the password lookup is not done via PAM - just
the account verification. So a bad logon attempt via Samba does not
increment the failed logon counter.
The solution to this is in a 2-line patch to the Samba 2.2.7 source
code, which I posted to the samba-technical mailing list this past
Monday. This patch causes Samba to increment the failed logon count
via pam_tally.so when you are using PAM and encrypted passwords for
Samba.
Here is the patch again, against the Samba 2.2.7 source tree:
diff -r samba-2.2.7.orig/source/smbd/password.c
samba-2.2.7/source/smbd/password.c
617a618,624> #if defined(WITH_PAM)
> // Jim Morris, 12/03/2002. UGLY HACK TO FORCE PAM_TALLY COUNTER TO
> // BE UPDATED WHEN LOGON FAILS USING SMBPASSWD FILE.
> if (lp_obey_pam_restrictions() && (ret == FALSE))
> smb_pam_passcheck( user, password );
> #endif
>
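Review bot: the added block hands the same `password` buffer that just failed the encrypted check straight to `smb_pam_passcheck(user, password)`, so the "call PAM with a bad password" intent exists only in the comment, not in the code. If that buffer ever holds the correct Unix password (or, on the encrypted path, a raw challenge response rather than a NUL-terminated string), pam_unix may succeed and let pam_tally reset the counter instead of incrementing it, or read past the buffer. Pass a fixed string that can never be a valid password and state that intent in the comment in place of "UGLY HACK". Minor style point: `//` comments are C99; Samba's C sources use `/* ... */`, so keep to that.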
Basically, the trick is to call the PAM password check with a bad
password after the encrypted Samba password verification fails.
I have most PAM services set up to use the system-auth service, which is
where I have configured pam_tally. Here's my /etc/pam.d/system-auth
file:
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
auth required /lib/security/pam_tally.so no_magic_root deny=3 reset
account required /lib/security/pam_unix.so
account required /lib/security/pam_tally.so no_magic_root deny=3 reset
password required /lib/security/pam_cracklib.so retry=3 type
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
Yours may be different if the Unix accounts are authenticated against
an LDAP server!
Here's /etc/pam.d/samba:
#%PAM-1.0
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
password required pam_smbpass.so use_authtok use_first_pass
I hope this information helps!
--
Jim Morris (Jim@Morris-World.com)
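Once pam_tally is counting Samba failures as described above, the next thing an administrator wants is to see which accounts have actually hit the deny=3 limit. The following is an added example, not code from the thread or from Samba or pam_tally: a small reader for the per-UID counter file that pam_tally keeps (by default /var/log/faillog). It assumes the shadow-utils `struct faillog` record layout (short fail_cnt, short fail_max, char fail_line[12], time_t fail_time, long fail_locktime), packed to 32 bytes on 64-bit Linux and 24 bytes on 32-bit; the record size is a parameter so it can be checked against the real file on a given system. The sample data is constructed inline so the script runs offline; the functions `parse_faillog`, `locked_uids` and `make_record` are mine.

```python
"""Read a pam_tally-style faillog and report UIDs at or over the deny= limit.

Added example, not from the original e-mail.  Layout assumption (mine):
records are shadow's `struct faillog`, one per UID, stored at offset
uid * record_size, with fields in this order:
  short fail_cnt, short fail_max, char fail_line[12], time_t fail_time,
  long fail_locktime
"""
import struct
import sys
import time
from typing import Iterator, List, NamedTuple

FMT_64 = "<hh12sqq"  # little-endian LP64 layout: 32 bytes per record (assumed)
FMT_32 = "<hh12sll"  # little-endian ILP32 layout: 24 bytes per record (assumed)


class Tally(NamedTuple):
    uid: int
    fail_cnt: int
    fail_max: int
    fail_line: str
    fail_time: int
    fail_locktime: int


def make_record(fail_cnt: int, fail_line: bytes = b"", fail_time: int = 0,
                fail_max: int = 0, fail_locktime: int = 0,
                fmt: str = FMT_64) -> bytes:
    """Build one record; used here only to construct sample data."""
    return struct.pack(fmt, fail_cnt, fail_max, fail_line[:12],
                       fail_time, fail_locktime)


def parse_faillog(data: bytes, fmt: str = FMT_64) -> Iterator[Tally]:
    """Yield every record in the file, including zero-count ones.

    The file is indexed by UID, so the record index is the UID."""
    size = struct.calcsize(fmt)
    if len(data) % size:
        raise ValueError(f"length {len(data)} is not a multiple of record "
                         f"size {size}; wrong layout for this platform?")
    for uid in range(len(data) // size):
        cnt, mx, line, when, lock = struct.unpack_from(fmt, data, uid * size)
        text = line.split(b"\0", 1)[0].decode("ascii", "replace")
        yield Tally(uid, cnt, mx, text, when, lock)


def locked_uids(data: bytes, deny: int, fmt: str = FMT_64) -> List[int]:
    """UIDs whose failure counter has reached `deny`, the same comparison
    pam_tally's deny= option makes before refusing an otherwise valid logon."""
    return [rec.uid for rec in parse_faillog(data, fmt) if rec.fail_cnt >= deny]


# Constructed sample: four UIDs, three of them with failures recorded.
# Timestamps are arbitrary values from December 2002 (fail_line "smb" is
# just a label chosen for the sample).
SAMPLE = b"".join([
    make_record(0),                         # uid 0: no failures
    make_record(1, b"smb", 1039100000),     # uid 1: one bad logon
    make_record(3, b"smb", 1039100100),     # uid 2: reached deny=3
    make_record(5, b"tty1", 1039100200),    # uid 3: well over the limit
])


def report(data: bytes, deny: int, fmt: str = FMT_64) -> None:
    for rec in parse_faillog(data, fmt):
        if rec.fail_cnt == 0:
            continue
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(rec.fail_time))
        state = "LOCKED" if rec.fail_cnt >= deny else "ok"
        print(f"uid {rec.uid:5d}  failures={rec.fail_cnt}  last={stamp} "
              f"from {rec.fail_line or '-'}  {state}")


if __name__ == "__main__":
    # With a path argument, read the real file (root needed on most systems);
    # without one, run over the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            report(fh.read(), deny=3)
    else:
        report(SAMPLE, deny=3)
```

Run it with no arguments to see the sample, or with `/var/log/faillog` to read a live file; if `parse_faillog` raises because the length is not a multiple of 32, try `FMT_32` (pass it as `fmt`) before trusting any output. The deny=3 used here matches the `deny=3` in the system-auth configuration above; adjust it to whatever your pam_tally line says.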