ASA-2018-00061 – Samba: Bad password count in AD DC not always effective

Allele Security Alert



ASA-2018-00061, CVE-2018-16857


Bad password count in AD DC not always effective


The Samba Project



Affected version(s)

Samba 4.9.0 and later, up to and including 4.9.2

Fixed version(s)

Samba 4.9.3

Proof of concept



By default, Samba will remember bad passwords for 30min:

$ samba-tool domain passwordsettings show

Reset account lockout after (mins): 30

This is also known as the ‘bad password observation window’ and is configured in the lockOutObservationWindow attribute on the domain DN or in a fine-grained password policy (also known as a Password Settings Object – PSO).

If this value is set to more than 3 minutes, bad password lockout may be ineffective. The threshold follows from the fixes listed under Technical details: lockOutObservationWindow is stored as a negative 64-bit count of 100 ns intervals (-18000000000 for the default 30 minutes), and the affected releases read it as a 32-bit integer, which can hold at most 2^31 such intervals, about 214.7 seconds or 3 minutes 35 seconds. The value taken from a PSO was mishandled in the same way.

If the setting is 8-10 minutes or 15-16 minutes, Samba still offers some bad password lockout protection, but uses a smaller observation window than configured (somewhere between 41 and 170 seconds, depending on the configured value): in those ranges the 32-bit truncation happens to yield a small value of the correct sign.

For all other configured observation windows over 3 minutes (including the default), bad password counting does not work at all. The badPwdCount attribute (which stores the number of consecutive bad password attempts) never exceeds 1, the configured 'account lockout threshold' is therefore never reached, and the account is never locked out.
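The following Python script is an added example; it is not code from the Samba project or from this alert. It models the pre-4.9.3 behaviour on assumptions that the alert does not state: that lockOutObservationWindow is stored as a negative 64-bit count of 100 ns intervals (-18000000000 for 30 minutes); that the affected code read it through a 32-bit integer accessor which returns its default of 0 when the decimal string is longer than 11 characters and otherwise truncates the parsed value to 32 bits (modelled on ldb's ldb_msg_find_attr_as_int() as the editor understands it, consistent with the "Correctly treat lockOutObservationWindow as 64-bit int" and "Add better default lockOutObservationWindow" fixes referenced below); and that the effective count is kept only while badPasswordTime - window >= now. All function names (window_attr, as_int32_attr, effective_window_seconds, effective_bad_pwd_count, simulate_attempts) are the editor's. Under those assumptions it reproduces the ranges quoted above: 8-10 and 15-16 minutes give 41-170 seconds of protection, while 4, 7, 11 and 30 minutes give none.

```python
# Added example (not Samba or Allele code): models why a pre-4.9.3 Samba AD DC
# failed to count bad passwords for most lockOutObservationWindow settings.
#
# Assumptions, not stated in the alert itself:
#  * lockOutObservationWindow is stored as a negative 64-bit count of 100 ns
#    intervals (-18000000000 for the default 30 minutes), as in AD.
#  * The vulnerable code read it through a 32-bit int accessor that returns its
#    default (0) when the decimal string is longer than 11 characters and
#    otherwise truncates the parsed value to 32 bits (modelled on ldb's
#    ldb_msg_find_attr_as_int(), as the editor understands it).
#  * The effective bad password count is kept only if
#    badPasswordTime - window >= now (the comparison Samba uses, as read by the editor).

TICKS_PER_SEC = 10_000_000              # 100 ns intervals per second
INT32_MAX_STRLEN = len("-2147483648")   # 11 characters


def window_attr(minutes):
    """lockOutObservationWindow as stored in the directory for `minutes`."""
    return -minutes * 60 * TICKS_PER_SEC


def as_int32_attr(value, default=0):
    """Model of a 32-bit integer accessor applied to a 64-bit attribute value."""
    if len(str(value)) > INT32_MAX_STRLEN:
        return default                  # string too long for the parser's buffer
    v = value & 0xFFFFFFFF              # truncate to 32 bits ...
    return v - (1 << 32) if v >= (1 << 31) else v   # ... and reinterpret as signed


def effective_window_seconds(minutes, fixed=False):
    """Seconds of observation window actually honoured; 0.0 means bad password
    counting never accumulates (zero or wrong-sign window)."""
    raw = window_attr(minutes)
    window = raw if fixed else as_int32_attr(raw)
    if window >= 0:
        return 0.0
    return -window / TICKS_PER_SEC


def effective_bad_pwd_count(bad_password_time, bad_pwd_count, window, now):
    """badPwdCount still in force at `now`, given the last failure time and the
    (negative) window; all times are in 100 ns ticks."""
    if bad_password_time - window >= now:
        return bad_pwd_count
    return 0


def simulate_attempts(minutes, attempts, spacing_seconds, fixed=False):
    """Run `attempts` failed logons `spacing_seconds` apart against a DC
    configured with a `minutes` observation window; return the final badPwdCount."""
    raw = window_attr(minutes)
    window = raw if fixed else as_int32_attr(raw)
    base = 24 * 3600 * TICKS_PER_SEC    # constructed clock origin; only differences matter
    bad_password_time = 0               # account has never failed a logon
    bad_pwd_count = 0
    for i in range(attempts):
        now = base + i * spacing_seconds * TICKS_PER_SEC
        bad_pwd_count = effective_bad_pwd_count(
            bad_password_time, bad_pwd_count, window, now) + 1
        bad_password_time = now
    return bad_pwd_count


if __name__ == "__main__":
    print("configured  honoured(pre-4.9.3)  honoured(4.9.3)")
    for minutes in (1, 3, 4, 7, 8, 10, 11, 15, 16, 17, 30):
        print(f"{minutes:>6} min  {effective_window_seconds(minutes):>16.1f} s  "
              f"{effective_window_seconds(minutes, fixed=True):>12.1f} s")
    # Five bad passwords ten seconds apart against the default 30-minute window:
    print("badPwdCount after 5 attempts, default window, pre-fix:",
          simulate_attempts(30, 5, 10))
    print("badPwdCount after 5 attempts, default window, fixed:  ",
          simulate_attempts(30, 5, 10, fixed=True))
```

Running the script prints the honoured window for each configured value alongside what 4.9.3 honours, and shows that five bad passwords ten seconds apart leave badPwdCount at 1 on a pre-fix DC with the default window. On a live DC the same outcome can be confirmed by making several bad logon attempts and reading the account's badPwdCount attribute back before the configured lockout threshold is reached.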

Technical details



Isaac Boukris


Bad password count in AD DC not always effective

Bug 13683 – (CVE-2018-16857) [SECURITY] CVE-2018-16857 Bad password count not effective for default (30min) window

[Announce] Samba 4.9.3, 4.8.7 and 4.7.12 Security Releases Available

CVE-2018-16857 tests: Sanity-check password lockout works with default values

CVE-2018-16857 dsdb/util: Correctly treat lockOutObservationWindow as 64-bit int

CVE-2018-16857 dsdb/util: Fix lockOutObservationWindow for PSOs

CVE-2018-16857 dsdb/util: Add better default lockOutObservationWindow



If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: March 6, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.