From: Tim Beale Date: Tue, 13 Nov 2018 00:22:41 +0000 (+1300) Subject: CVE-2018-16857 dsdb/util: Add better default lockOutObservationWindow X-Git-Tag: tdb-1.3.17~589 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fde9f7c81b42419e71b2fc8c31d92db4a05176af;p=thirdparty%2Fsamba.git CVE-2018-16857 dsdb/util: Add better default lockOutObservationWindow Clearly the lockOutObservationWindow value is important, and using a default value of zero doesn't work very well. This patch adds a better default value (the domain default setting of 30 minutes). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683 Signed-off-by: Tim Beale Reviewed-by: Andrew Bartlett Autobuild-User(master): Karolin Seeger Autobuild-Date(master): Wed Nov 28 11:31:14 CET 2018 on sn-devel-144
---
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 50c96f7c781..dd9a5dcadf5 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -56,6 +56,9 @@
 */
 #include "dsdb/samdb/ldb_modules/util.h"
+/* default is 30 minutes: -1e7 * 30 * 60 */
+#define DEFAULT_OBSERVATION_WINDOW -18000000000
+
 /* search the sam for the specified attributes in a specific domain, filter on objectSid being in domain_sid.
@@ -5370,7 +5373,7 @@ int samdb_result_effective_badPwdCount(struct ldb_context *sam_ldb,
 lockOutObservationWindow = ldb_msg_find_attr_as_int64(res->msgs[0], "msDS-LockoutObservationWindow",
- 0);
+ DEFAULT_OBSERVATION_WINDOW);
 talloc_free(res);
 } else {
@@ -5409,10 +5412,11 @@ static int64_t get_lockout_observation_window(struct ldb_message *domain_msg,
 if (pso_msg != NULL) {
 return ldb_msg_find_attr_as_int64(pso_msg, "msDS-LockoutObservationWindow",
- 0);
+ DEFAULT_OBSERVATION_WINDOW);
 } else {
 return ldb_msg_find_attr_as_int64(domain_msg,
- "lockOutObservationWindow", 0);
+ "lockOutObservationWindow",
+ DEFAULT_OBSERVATION_WINDOW);
 }
 }
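Review bot: The new `DEFAULT_OBSERVATION_WINDOW` macro in the first hunk expands to a bare negative literal, so any use next to another operator depends on precedence, and the 64-bit intent is left to the compiler's choice of type for an unsuffixed constant that does not fit in 32 bits. I would write `#define DEFAULT_OBSERVATION_WINDOW (-INT64_C(18000000000))`, provided `<stdint.h>` is already reachable through this file's includes, which the hunk does not show. The comment would also read more clearly if it named the unit, e.g. `/* default is 30 minutes as a negative count of 100ns units: -1e7 * 30 * 60 */`.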
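Review bot: The fallback added in samdb_result_effective_badPwdCount only replaces the old `0` default; a msDS-LockoutObservationWindow attribute that is present but holds 0 appears to pass through unchanged, assuming ldb_msg_find_attr_as_int64 uses its third argument only when the attribute is missing. That leaves the zero window the description says works badly reachable through stored data, and the same applies to both reads in get_lockout_observation_window in the next hunk. Consider normalising after the read, e.g. `if (lockOutObservationWindow == 0) lockOutObservationWindow = DEFAULT_OBSERVATION_WINDOW;`, or add a comment stating why a stored 0 is acceptable. The function body starts and ends outside this hunk, so an existing check elsewhere cannot be ruled out.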