The bug report discusses a critical security vulnerability in Samba versions prior to 4.2.0, specifically in the context of Active Directory (AD) Domain Controllers (DC). It highlights that these versions of Samba do not lock out users after a defined number of incorrect password attempts, a basic security measure against brute-force password guessing.
The problem is particularly dangerous because without this lockout mechanism, attackers can continuously attempt to guess passwords, including the Administrator account password, leading to potential full access to the DC and other network resources. The lack of this feature in Samba 4.1 versions exposes servers to severe security risks. The report requests that a fix be added, referencing Samba's implementation of the bad password lockout feature starting from version 4.2.0. The issue is demonstrated through a test case in which a user can repeatedly fail to log in without the account being locked. The bug is categorized as a high-impact security vulnerability. Additionally, it suggests upgrading to Samba 4.2.1, as it addresses the lockout issue and includes other security improvements like the "winbind secure connection".

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1442039

Title:
  bad password lockout not available

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba4/+bug/1442039/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs