It was found that the 'bad password observation window' was ineffective when set to a value greater than 3 minutes. This could allow for brute force password attacks in some situations.
A vulnerability was found in the AD DC configuration of Samba 4.9.0 and later. Watching for bad passwords (to restrict brute forcing of passwords) in a window of more than 3 minutes does not watch for bad passwords at all: the configured lockout threshold is never reached, so the lockout policy is silently bypassed.
Bad password lockout is not configured by default; it is only
effective if a threshold has been set with (e.g.):
samba-tool domain passwordsettings set --account-lockout-threshold=3
To mitigate the issue, set a shorter 'Reset account lockout after'
window (the ineffective default is 30 minutes; a window of 3 minutes
or less is honoured):
samba-tool domain passwordsettings set --reset-account-lockout-after=3
NOTE: If a fine-grained password policy (PSO) is set, this must also
be done on each PSO, since a PSO's own observation window overrides
the domain setting for the users it applies to.
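The following audit script is an added example and is not part of this advisory or of Samba itself. It applies the rule above (lockout is only enforced when a threshold is set, and on 4.9.0+ a window longer than 3 minutes is not honoured) to the raw LDAP values a DC stores: lockoutThreshold and lockOutObservationWindow on the domain head, and msDS-LockoutThreshold and msDS-LockoutObservationWindow on each PSO. It assumes the standard Active Directory encoding of the window as a negative count of 100-nanosecond intervals, and the sample records are constructed inline rather than read from a live directory. The PSO remediation command it prints is assumed to match the pso subcommand of samba-tool in Samba 4.9; check it against `samba-tool domain passwordsettings pso set --help` before use.

```python
"""Audit Samba AD DC lockout windows for the 'window longer than 3 minutes
is ignored' condition (Samba 4.9.0 and later).

Added example, not project code. Input is the raw LDAP attribute values;
AD stores lockout windows as negative 100 ns intervals (-18000000000 == 30 min).
"""

HUNDRED_NS_PER_MINUTE = 60 * 10_000_000
# Windows longer than this are not honoured on the affected versions.
MAX_EFFECTIVE_WINDOW_MINUTES = 3
# Value the workaround in the advisory sets.
RECOMMENDED_WINDOW_MINUTES = 3


def window_minutes(raw) -> float:
    """Convert an AD observation window (negative 100 ns intervals) to minutes."""
    return -int(raw) / HUNDRED_NS_PER_MINUTE


def minutes_to_raw(minutes: int) -> int:
    """Inverse of window_minutes: the raw value a 'minutes' setting is stored as."""
    return -int(minutes) * HUNDRED_NS_PER_MINUTE


def assess(name: str, threshold, raw_window) -> dict:
    """Classify one policy (the domain head or a PSO) by the advisory's rule."""
    threshold = int(threshold)
    minutes = window_minutes(raw_window)
    if threshold == 0:
        status = "no-lockout"    # threshold not set: lockout never applies anyway
    elif minutes > MAX_EFFECTIVE_WINDOW_MINUTES:
        status = "ineffective"   # lockout configured but window silently ignored
    else:
        status = "ok"
    return {"policy": name, "threshold": threshold,
            "window_minutes": minutes, "status": status}


def audit(domain: dict, psos: list) -> list:
    """Assess the domain policy followed by every PSO."""
    results = [assess("domain", domain["lockoutThreshold"],
                      domain["lockOutObservationWindow"])]
    for pso in psos:
        results.append(assess(pso["name"], pso["msDS-LockoutThreshold"],
                              pso["msDS-LockoutObservationWindow"]))
    return results


def remediation_commands(results: list) -> list:
    """samba-tool commands that shorten every ineffective window.
    The 'pso set' form is an assumption about the samba-tool pso subcommand."""
    cmds = []
    for r in results:
        if r["status"] != "ineffective":
            continue
        if r["policy"] == "domain":
            cmds.append("samba-tool domain passwordsettings set "
                        f"--reset-account-lockout-after={RECOMMENDED_WINDOW_MINUTES}")
        else:
            cmds.append(f"samba-tool domain passwordsettings pso set {r['policy']} "
                        f"--reset-account-lockout-after={RECOMMENDED_WINDOW_MINUTES}")
    return cmds


# Constructed sample records, as ldbsearch would return the attributes.
SAMPLE_DOMAIN = {"lockoutThreshold": "3",
                 "lockOutObservationWindow": "-18000000000"}   # 30 min default
SAMPLE_PSOS = [
    {"name": "Admins", "msDS-LockoutThreshold": "5",
     "msDS-LockoutObservationWindow": "-9000000000"},          # 15 min: ignored
    {"name": "Service", "msDS-LockoutThreshold": "3",
     "msDS-LockoutObservationWindow": "-1800000000"},          # 3 min: honoured
    {"name": "Kiosk", "msDS-LockoutThreshold": "0",
     "msDS-LockoutObservationWindow": "-18000000000"},         # no lockout at all
]

if __name__ == "__main__":
    findings = audit(SAMPLE_DOMAIN, SAMPLE_PSOS)
    for f in findings:
        print(f"{f['policy']:8} threshold={f['threshold']} "
              f"window={f['window_minutes']:g}min -> {f['status']}")
    for cmd in remediation_commands(findings):
        print("fix:", cmd)
```

On a real DC the two dicts would be filled from `ldbsearch` against the domain head and the PSOs under CN=Password Settings Container; the point of the audit is that a domain policy which looks correct can still be undone by a PSO with the default 30-minute window, which is why the NOTE above applies to every PSO.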
Name: the Samba project
Upstream: Isaac Boukris
Created samba tracking bugs for this issue:
Affects: fedora-all [bug 1654095]
This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux because there is no support for samba as Active Directory Domain Controller.