One of my colleagues at work brought to my attention that they could continuously attempt different passwords on a linux machine connected via AD via winbind. I did a test or two and it appears not to lock the account after numerous attempts. Is there a way to get the behavior like windows where too many invalid passwords puts a temporary lock on the account?
winbindd -V
Failed to create /var/log/samba/cores for user 11490 with mode 0700
Unable to setup corepath for winbindd: Permission denied
Version 4.10.5

cat /etc/samba/smb.conf
[global]
log level = 3 winbind:5
winbind cache time = 10
security = ads
realm = SUB.DOMAIN
workgroup = SUB
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config SUB:backend = ad
idmap config SUB:schema_mode = rfc2307
idmap config SUB:range = 8000-9999999
idmap config SUB:unix_nss_info = yes
idmap config SUB:unix_primary_group = yes
winbind use default domain = yes
restrict anonymous = 2

On Tue, Jul 30, 2019 at 8:11 AM Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>
> One of my colleagues at work brought to my attention that they could
> continuously attempt different passwords on a linux machine connected
> via AD via winbind. I did a test or two and it appears not to lock the
> account after numerous attempts. Is there a way to get the behavior
> like windows where too many invalid passwords puts a temporary lock on
> the account?
On 30/07/2019 15:39, Jeff Sadowski via samba wrote:
> winbindd -V
> Failed to create /var/log/samba/cores for user 11490 with mode 0700
> Unable to setup corepath for winbindd: Permission denied
> Version 4.10.5
>
> cat /etc/samba/smb.conf
> [global]
> log level = 3 winbind:5
> winbind cache time = 10
> security = ads
> realm = SUB.DOMAIN
> workgroup = SUB
> idmap config * : backend = tdb
> idmap config * : range = 2000-7999
> idmap config SUB:backend = ad
> idmap config SUB:schema_mode = rfc2307
> idmap config SUB:range = 8000-9999999
> idmap config SUB:unix_nss_info = yes
> idmap config SUB:unix_primary_group = yes
> winbind use default domain = yes
> restrict anonymous = 2
>
> On Tue, Jul 30, 2019 at 8:11 AM Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>> One of my colleagues at work brought to my attention that they could
>> continuously attempt different passwords on a linux machine connected
>> via AD via winbind. I did a test or two and it appears not to lock the
>> account after numerous attempts. Is there a way to get the behavior
>> like windows where too many invalid passwords puts a temporary lock on
>> the account?

It should work; this was implemented back in Samba 4.2.0. What does this show:

samba-tool domain passwordsettings show

Note: there is a 60 minute grace period with the old password.

Rowland
If you require sufficient entropy for passwords, then locking users on failed attempts is actually a bad idea, because it is trivial to lock a user's accounts (a denial of service), whereas it is almost impossible to actually guess the right one. Locking accounts is only a good idea if the secrets are small, like the PIN of a credit card.

Regards, Joachim

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Jeff Sadowski via samba
Sent: Tuesday, 30 July 2019 16:12
To: samba <samba at lists.samba.org>
Subject: [Samba] winbind and locking accounts?

One of my colleagues at work brought to my attention that they could continuously attempt different passwords on a linux machine connected via AD via winbind. I did a test or two and it appears not to lock the account after numerous attempts. Is there a way to get the behavior like windows where too many invalid passwords puts a temporary lock on the account?

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
I would still like to temporarily lock the account after 5 attempts (set in AD) and lock the account for 30 minutes (also set in AD). It makes it harder for someone guessing.

On Tue, Jul 30, 2019 at 12:03 PM Joachim Lindenberg <samba at lindenberg.one> wrote:
>
> If you require sufficient entropy for passwords, then locking users on failed attempts is actually a bad idea, because it is trivial to lock a user's accounts (a denial of service), whereas it is almost impossible to actually guess the right one. Locking accounts is only a good idea if the secrets are small, like the PIN of a credit card.
> Regards, Joachim
>
>
> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On behalf of Jeff Sadowski via samba
> Sent: Tuesday, 30 July 2019 16:12
> To: samba <samba at lists.samba.org>
> Subject: [Samba] winbind and locking accounts?
>
> One of my colleagues at work brought to my attention that they could continuously attempt different passwords on a linux machine connected via AD via winbind. I did a test or two and it appears not to lock the account after numerous attempts. Is there a way to get the behavior like windows where too many invalid passwords puts a temporary lock on the account?
>
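The thread turns on two things: what `samba-tool domain passwordsettings show` reports for the lockout policy (Rowland's question), and whether a lockout threshold buys more protection against online guessing than it costs in lockout-as-denial-of-service (Joachim's objection against Jeff's 5 attempts / 30 minutes policy). The script below is an added example written for this thread; it is not Samba's code and not something posted by any participant. It parses output shaped like that of `samba-tool domain passwordsettings show` (the field names are assumed from Samba 4.x; the sample text and its values are constructed, with a threshold of 0 meaning lockout is disabled), flags whether lockout is on, and puts rough numbers on both sides of the argument: the daily online guess budget a policy still leaves an attacker, the expected time to guess a password of a given entropy at that budget, and how many wrong passwords it takes to lock a user out. The attacker model is a deliberate simplification of AD's bad-password counter and observation window, and the 40-bit default roughly corresponds to a random 7-character alphanumeric password.

```python
# Added example for this thread (not Samba's code): parse the password policy
# as printed by `samba-tool domain passwordsettings show`, then estimate what
# the lockout settings do and do not buy.
import sys

# Constructed sample in the shape of `samba-tool domain passwordsettings show`
# output; the field names are assumed from Samba 4.x, the values are made up.
# A threshold of 0 means account lockout is disabled in the domain.
SAMPLE_OUTPUT = """\
Password information for domain 'DC=sub,DC=domain'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""

THRESHOLD = "Account lockout threshold (attempts)"
DURATION = "Account lockout duration (mins)"
WINDOW = "Reset account lockout after (mins)"
MINUTES_PER_DAY = 24 * 60


def parse_passwordsettings(text):
    """Turn 'Name: value' lines into a dict; integers and on/off are converted."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue  # the 'Password information for domain ...' header and blanks
        name, value = name.strip(), value.strip()
        if value.isdigit():
            settings[name] = int(value)
        elif value in ("on", "off"):
            settings[name] = value == "on"
        else:
            settings[name] = value
    return settings


def guess_budget_per_day(settings):
    """Upper bound on online guesses per account per day under the policy.

    Two attacker cycles are modelled (a simplification of AD's counter): a
    quiet one that stops one failure short of the threshold and waits for the
    bad-password counter to reset, and a noisy one that trips the lockout and
    waits for it to expire (impossible when the duration is 0, which means an
    administrator must unlock). Returns None when the threshold is 0: lockout
    is off and the policy imposes no limit at all.
    """
    threshold = settings[THRESHOLD]
    if threshold == 0:
        return None
    window, duration = settings[WINDOW], settings[DURATION]
    quiet = (threshold - 1) * (MINUTES_PER_DAY / window) if window > 0 else 0
    noisy = threshold * (MINUTES_PER_DAY / duration) if duration > 0 else 0
    return max(quiet, noisy)


def expected_days_to_guess(entropy_bits, guesses_per_day):
    """Expected days to hit a uniformly random password of the given entropy
    at the given daily budget: on average half the keyspace must be tried."""
    if not guesses_per_day:
        return None
    return 2 ** (entropy_bits - 1) / guesses_per_day


def assess(settings, entropy_bits=40):
    """Summarise the policy from both angles argued in the thread."""
    budget = guess_budget_per_day(settings)
    return {
        "lockout_enabled": settings[THRESHOLD] > 0,
        "guesses_per_day": budget,
        "days_to_guess": expected_days_to_guess(entropy_bits, budget),
        # wrong passwords anyone can submit to deny the user service; None = no lockout
        "failures_to_lock_user": settings[THRESHOLD] or None,
    }


if __name__ == "__main__":
    # Pipe real `samba-tool domain passwordsettings show` output on stdin,
    # or run with no input to evaluate the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for key, value in assess(parse_passwordsettings(text)).items():
        print(f"{key}: {value}")
```

With the sample's threshold of 0 the script reports that lockout is disabled, which is the first thing to check when winbind never locks anyone out. With Jeff's 5 attempts / 30 minutes the budget is 240 guesses per account per day, so a 40-bit password takes on the order of 10^9 days to guess online, while 5 wrong passwords lock any user out for half an hour; that is the trade-off Joachim describes, made concrete.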