Web lists-archives.com

Re: [Samba] log.samba: ntlm_password_check: Interactive logon: NT password check failed for user username




On Tue, 2017-07-18 at 14:56 +0200, mj via samba wrote:
> Hi,
> 
> Is there a way with samba 4.6 to find out more details about these kinds 
> of failed passwords:
> 
> > ./log.samba:  auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\username] FAILED with error NT_STATUS_WRONG_PASSWORD
> > ./log.samba:  auth_check_password_send: Checking password for unmapped user [DOMAIN]\[username]@[(null)]
> > ./log.samba:  auth_check_password_send: mapped user is: [DOMAIN]\[username]@[(null)]
> > ./log.samba:  ntlm_password_check: Interactive logon: NT password check failed for user username
> 
> We usually had around 5-10 of these per hour, but since a few days we 
> are seeing a big increase of them.
> 
> They worry me, and I can't see where they come from.
> 
> "Interactive logon" means from an actual AD workstation, I guess? (so: 
> it's not an LDAP auth attempt or such?)

I think it certainly could be LDAP.  In 4.6, the code converts a
plaintext auth from LDAP into an 'interactive' auth.

4.7 will give you the detail you need to work out what is really going
on, implement fail2ban etc.  In the meantime, all I can suggest is
turning up the logs and trying to stick it back together, but I realise
that isn't very satisfactory. 

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba