== Subject:     Bad password count in AD DC not always effective
== CVE ID#:     CVE-2018-16857
== Versions:    Samba 4.9.0 and later 
== Summary:     AD DC Configurations watching for bad passwords
                (to restrict brute forcing of passwords)
                in a window of more than 3 minutes may
                not watch for bad passwords at all.


By default, Samba will remember bad passwords for 30 minutes:

$ samba-tool domain passwordsettings show
Reset account lockout after (mins): 30

This is also known as the 'bad password observation window' and is
configured in the lockOutObservationWindow attribute on the domain DN
or in a fine-grained password policy (also known as a Password
Settings Object - PSO).

If this value is set to more than 3 minutes, bad password lockout
may be ineffective. 

If the setting were 8-10 minutes or 15-16 minutes, Samba would still
offer some bad password lockout protection, but would use a smaller
observation window than configured (somewhere between 41 and 170 seconds,
depending on the actual configured setting).

For all other configured observation windows over 3 minutes (including
the default), bad password counting will not work. This will mean the
badPwdCount attribute (which stores repeated bad password attempts)
will never exceed 1. The 'account lockout threshold' will therefore
not be hit, and the user would never get locked out. 

The primary risk from this issue is with regards to domains that have
been upgraded from Samba 4.8 and earlier.  In these cases the manual
testing done to confirm an organisation's password policies apply as
expected may not have been re-done after the upgrade.

CVSSv3 calculation

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (5.9)

Patch Availability

Patches addressing this issue have been posted to:

Additionally, Samba 4.9.3 has been issued as a security release to
correct the defect.  Samba administrators are advised to upgrade to
this release or apply the patch as soon as possible.

Workaround and mitigation

Bad password lockout is not configured by default; it is only
effective if a threshold has been set, e.g.:

samba-tool domain passwordsettings set --account-lockout-threshold=3

To mitigate the issue set a shorter 'Reset account lockout after'
window (the ineffective default is 30, anything less than 3 will

samba-tool domain passwordsettings set --reset-account-lockout-after=3

Note that this setting controls how long Samba remembers bad
password attempts for, rather than how long the account is locked
(which is controlled by --account-lockout-duration).

NOTE: If a fine-grained password policy (PSO) is set, this must also
be done on each PSO.
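The script below is an added example and is not code from this advisory or from the Samba project. It does two things the text above asks for: it audits the domain policy and every PSO for the combination the advisory describes (a lockout threshold set together with a 'Reset account lockout after' window longer than 3 minutes), and it repeats the manual lockout test mentioned above by making deliberately bad binds and reading the user's badPwdCount and lockoutTime back. The samba-tool output it parses is constructed to match the 'passwordsettings show' format quoted earlier; everything else is an assumption not stated on the page: that samba-tool and ldbsearch are on PATH and the script runs on the DC, that sam.ldb is at /var/lib/samba/private/sam.ldb, that 'samba-tool domain passwordsettings pso list' prints one PSO name per line, and that 'pso show' prints the same "... (mins): N" lines as the domain-level 'show'.

```shell
#!/bin/sh
# Added example (not from the Samba advisory or the Samba project):
# audit a Samba AD DC for the CVE-2018-16857 condition and re-test lockout.
#
# Assumptions not stated on the page: samba-tool and ldbsearch are on PATH,
# this runs on the DC, sam.ldb lives at /var/lib/samba/private/sam.ldb,
# 'pso list' prints one PSO name per line, and 'pso show' prints the same
# "... (mins): N" lines as the domain-level 'show' output.

SAFE_WINDOW_MINS=3   # advisory: windows over 3 minutes may not count bad passwords at all

# extract_field TEXT LABEL -> the integer after "LABEL (...): " in samba-tool output
extract_field() {
    printf '%s\n' "$1" | sed -n "s/^$2[^:]*: *\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# assess_policy TEXT NAME -> prints a verdict; returns 0 ok, 1 affected,
# 2 lockout not in use (threshold 0), 3 settings not found in TEXT
assess_policy() {
    window=$(extract_field "$1" "Reset account lockout after")
    threshold=$(extract_field "$1" "Account lockout threshold")
    if [ -z "$window" ] || [ -z "$threshold" ]; then
        echo "$2: could not find lockout settings in output"; return 3
    fi
    if [ "$threshold" -eq 0 ]; then
        echo "$2: lockout threshold is 0, lockout not in use"; return 2
    fi
    if [ "$window" -gt "$SAFE_WINDOW_MINS" ]; then
        echo "$2: window ${window} min > ${SAFE_WINDOW_MINS} min with threshold ${threshold}: bad password counting may not work (CVE-2018-16857)"
        return 1
    fi
    echo "$2: window ${window} min, threshold ${threshold}: OK"
}

# make_sample THRESHOLD WINDOW -> constructed 'passwordsettings show' output
# in the format the advisory quotes (not captured from a real DC)
make_sample() {
    cat <<EOF
Password information for domain 'DC=samdom,DC=example,DC=com'

Password complexity: on
Account lockout duration (mins): 30
Account lockout threshold (attempts): $1
Reset account lockout after (mins): $2
EOF
}

# audit_live -> assess the domain policy and every PSO on this DC; returns 1 if any is affected
audit_live() {
    bad=0
    r=0; assess_policy "$(samba-tool domain passwordsettings show)" "domain" || r=$?
    [ "$r" -eq 1 ] && bad=1
    for pso in $(samba-tool domain passwordsettings pso list 2>/dev/null); do
        r=0; assess_policy "$(samba-tool domain passwordsettings pso show "$pso")" "PSO $pso" || r=$?
        [ "$r" -eq 1 ] && bad=1
    done
    return $bad
}

# probe_lockout USER N -> N binds with a (different) wrong password each time,
# then USER's counters from sam.ldb.  With a threshold set, a fixed DC shows
# badPwdCount reaching the threshold and a non-zero lockoutTime; an affected
# DC leaves badPwdCount at 1, as the advisory describes.
probe_lockout() {
    i=0
    while [ "$i" -lt "$2" ]; do
        ldbsearch -H ldap://localhost -U "$1%definitely-wrong-$i" -b '' -s base \
            defaultNamingContext >/dev/null 2>&1 || true   # a failed bind is the point
        i=$((i + 1))
    done
    ldbsearch -H /var/lib/samba/private/sam.ldb "(sAMAccountName=$1)" badPwdCount lockoutTime
}

case "${1:-}" in
    --audit) audit_live ;;
    --probe) probe_lockout "${2:?user}" "${3:-5}" ;;
    *)  # no arguments: demonstrate on the constructed samples
        assess_policy "$(make_sample 3 30)" "sample (default window)" || true
        assess_policy "$(make_sample 3 3)"  "sample (mitigated)" ;;
esac
```

Run it with no arguments to see the verdicts for the default 30-minute window and for the 3-minute mitigation; with --audit on the DC (as root, so samba-tool can read the policy and the PSOs); and with --probe USER N against a disposable test account after setting a threshold, since the probe will lock that account out on a fixed DC.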


Originally reported by Isaac Boukris

Patches provided by Tim Beale of Catalyst and the Samba team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team