ASA-2018-00061 – Samba: Bad password count in AD DC not always effective

By default, Samba will remember bad passwords for 30 minutes, e.g.:

    $ samba-tool domain passwordsettings show
    ...
    Reset account lockout after (mins): 30

This is also known as the 'bad password observation window' and is configured in the lockOutObservationWindow attribute on the domain DN or in a fine-grained password policy (also known as a Password Settings Object - PSO).

If this value is set to more than 3 minutes, bad password lockout may be ineffective. If the setting were 8-10 minutes or 15-16 minutes, Samba would still offer some bad password lockout protection, but would use a smaller observation window than configured (somewhere between 41 and 170 seconds, depending on the actual configured setting). For all other configured observation windows over 3 minutes (including the default), bad password counting will not work.

This means the badPwdCount attribute (which stores repeated bad password attempts) will never exceed 1. The 'account lockout threshold' will therefore never be reached, and the user would never get locked out.
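The following is an added example, not part of the advisory or of Samba's code, for checking whether a configured observation window falls in the ranges the advisory describes. It assumes the window is read either from the `samba-tool domain passwordsettings show` output quoted above or from the raw LDAP attribute value (`lockOutObservationWindow` on the domain DN, `msDS-LockoutObservationWindow` on a PSO), which Active Directory stores as a negative count of 100-nanosecond intervals; the sample output is constructed.

```python
import re

# AD interval attributes count 100 ns ticks and are stored negative,
# e.g. -18000000000 for 30 minutes.
TICKS_PER_MINUTE = 60 * 10_000_000

def window_minutes_from_interval(raw: str) -> float:
    """Convert a raw lockOutObservationWindow / msDS-LockoutObservationWindow
    attribute value (negative 100 ns ticks) to minutes."""
    ticks = int(raw)
    if ticks > 0:
        raise ValueError("AD lockout intervals are stored as negative tick counts")
    return -ticks / TICKS_PER_MINUTE

def window_minutes_from_samba_tool(output: str) -> float:
    """Pull the observation window out of 'samba-tool domain passwordsettings show'."""
    m = re.search(r"Reset account lockout after \(mins\):\s*(\d+)", output)
    if m is None:
        raise ValueError("'Reset account lockout after' line not found")
    return float(m.group(1))

def classify_window(minutes: float) -> str:
    """Map a configured window onto the outcomes stated in ASA-2018-00061.

    'effective'   - 3 minutes or less: lockout counting works as configured
    'reduced'     - 8-10 or 15-16 minutes: lockout works, but with an
                    effective window of only 41-170 seconds
    'ineffective' - any other window above 3 minutes (including the default
                    30): badPwdCount never exceeds 1, so no lockout occurs
    """
    if minutes <= 3:
        return "effective"
    if 8 <= minutes <= 10 or 15 <= minutes <= 16:
        return "reduced"
    return "ineffective"

def audit_window(source: str) -> dict:
    """Accept either a raw attribute value or samba-tool output and report."""
    if re.fullmatch(r"-?\d+", source.strip()):
        minutes = window_minutes_from_interval(source.strip())
    else:
        minutes = window_minutes_from_samba_tool(source)
    return {"minutes": minutes, "lockout": classify_window(minutes)}

# Constructed sample of the relevant samba-tool output line (not captured output).
SAMPLE_OUTPUT = "Account lockout threshold (attempts): 0\nReset account lockout after (mins): 30\n"
```

`audit_window(SAMPLE_OUTPUT)` reports the default 30-minute window as `ineffective`; on a fixed Samba build the classification no longer applies, so the check is only meaningful on the affected versions.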