Re: [Samba] log.samba: ntlm_password_check: Interactive logon: NT password check failed for user username
- Date: Wed, 19 Jul 2017 10:13:10 +1200
- From: Andrew Bartlett via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] log.samba: ntlm_password_check: Interactive logon: NT password check failed for user username
On Tue, 2017-07-18 at 14:56 +0200, mj via samba wrote:
> Is there a way with samba 4.6 to find out more details about these kinds
> of failed passwords:
> > ./log.samba: auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\username] FAILED with error NT_STATUS_WRONG_PASSWORD
> > ./log.samba: auth_check_password_send: Checking password for unmapped user [DOMAIN]\[username]@[(null)]
> > ./log.samba: auth_check_password_send: mapped user is: [DOMAIN]\[username]@[(null)]
> > ./log.samba: ntlm_password_check: Interactive logon: NT password check failed for user username
> We usually had around 5-10 of these per hour, but since a few days we
> are seeing a big increase of them.
> They worry me, and I can't see where they come from.
> "Interactive logon" means from an actual AD workstation, I guess? (so:
> it's not an LDAP auth attempt or such?)
I think it certainly could be LDAP. In 4.6, the code converts a
plaintext auth from LDAP into an 'interactive' auth.
4.7 will give you the detail you need to work out what is really going
on, implement fail2ban etc. In the meantime, all I can suggest is
turning up the logs and trying to stick it back together, but I realise
that isn't very satisfactory.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
To unsubscribe from this list go to the following URL and read the