The bug report discusses a critical security vulnerability in Samba
versions prior to 4.2.0, specifically in the context of Active Directory
(AD) Domain Controllers (DC). It highlights the issue that these
versions of Samba do not lock out users after a defined number of
incorrect password attempts, a basic security measure to prevent brute-
force attacks.

The problem is particularly dangerous because without this lockout
mechanism, attackers can continuously attempt to guess passwords,
including the Administrator account password, leading to potential full
access to the DC and other network resources. The lack of this feature
in Samba 4.1 versions exposes servers to severe security risks.

The report requests a fix to be added, referencing Samba's
implementation of the bad password lockout feature starting from version
4.2.0. The issue is demonstrated through a test case where a user can
repeatedly fail to log in without the account being locked. The bug is
categorized as a high-impact security vulnerability.
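The lockout mechanism the report asks for is a small state machine: count failed logons per account, forget old failures once an observation window has passed, and refuse all logons for a lockout duration once the count reaches a threshold. The Python below is an added illustration of that logic, not Samba's code or anything from the bug report; the policy names, the in-memory credential store and the sample passwords are constructed for the example. The `demo()` function runs the same five-guess sequence twice, once with lockout disabled (the pre-4.2 behaviour the report describes) and once with a threshold of three.

```python
"""Bad-password lockout state machine (constructed example).

After `threshold` failed logons inside `observation_window` seconds the
account is locked for `lockout_duration` seconds; a successful logon or a
long enough quiet period resets the counter.  Times are plain floats
(seconds) so the logic is easy to drive deterministically.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int = 5                  # failures before lockout; 0 disables lockout
    observation_window: float = 1800.0  # quiet seconds after which the bad count resets
    lockout_duration: float = 1800.0    # seconds an account stays locked


@dataclass
class AccountState:
    bad_pwd_count: int = 0
    last_bad_at: Optional[float] = None
    locked_until: Optional[float] = None


class Authenticator:
    """Password check wrapped with the lockout policy."""

    def __init__(self, policy: LockoutPolicy, credentials: Dict[str, str]):
        # Constructed in-memory store: username -> password.  A real DC keeps
        # hashes; plaintext is used here only to keep the example short.
        self.policy = policy
        self._creds = dict(credentials)
        self._state: Dict[str, AccountState] = {u: AccountState() for u in credentials}

    def bad_password_count(self, user: str) -> int:
        return self._state[user].bad_pwd_count

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state[user]
        return st.locked_until is not None and now < st.locked_until

    def authenticate(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        st = self._state.get(user)
        if st is None:
            # Unknown users get the same answer as a wrong password so the
            # response does not reveal which accounts exist.
            return "bad_password"
        if self.is_locked(user, now):
            # Locked accounts are refused even when the password is right.
            return "locked"
        if st.locked_until is not None:
            # Lockout has expired: start counting from zero again.
            st.locked_until = None
            st.bad_pwd_count = 0
        # A quiet period longer than the observation window forgets old failures.
        if st.last_bad_at is not None and now - st.last_bad_at >= self.policy.observation_window:
            st.bad_pwd_count = 0
        if hmac.compare_digest(self._creds[user].encode(), password.encode()):
            st.bad_pwd_count = 0
            return "ok"
        st.bad_pwd_count += 1
        st.last_bad_at = now
        if self.policy.threshold and st.bad_pwd_count >= self.policy.threshold:
            st.locked_until = now + self.policy.lockout_duration
            return "locked"
        return "bad_password"


def demo() -> List[Tuple[int, List[str]]]:
    """Run five wrong guesses against 'administrator' with lockout off and on."""
    results = []
    for policy in (LockoutPolicy(threshold=0), LockoutPolicy(threshold=3)):
        auth = Authenticator(policy, {"administrator": "S3cret!"})
        outcomes = [auth.authenticate("administrator", "guess%d" % i, float(i)) for i in range(5)]
        results.append((policy.threshold, outcomes))
    return results


if __name__ == "__main__":
    for threshold, outcomes in demo():
        print("threshold=%d: %s" % (threshold, " ".join(outcomes)))
```

With `threshold=0` every guess is answered `bad_password` and the guessing can continue indefinitely, which is the exposure the report describes; with `threshold=3` the third failure returns `locked` and later attempts, right password or not, stay `locked` until the duration elapses. On Samba 4.2 and later the equivalent domain-wide settings are managed with `samba-tool domain passwordsettings set` (the `--account-lockout-threshold`, `--account-lockout-duration` and `--reset-account-lockout-after` options); that command is not shown in the report and is mentioned here from general knowledge of the tool.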

Additionally, it suggests upgrading to Samba 4.2.1, as it addresses the
lockout issue and includes other security improvements like the "winbind
secure connection".

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1442039

Title:
  bad password lockout not available

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba4/+bug/1442039/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs