Web lists-archives.com

[Samba] auth_audit log event for disabled user


    I recently upgrade Samba to 4.7.0 and enabled the Authentication and Authorization audit support. One of the first events I see is from a disabled user account.

[2017/09/26 12:24:17.894767,  3, pid=1257, effective(0, 0), real(0, 0)] ../auth/auth_log.c:760(log_authentication_event_human_readable)   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[bdiley@DOMAIN.LOCAL] at [Tue, 26 Sep 2017 12:24:17.894746 EDT] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:] became [DOMAIN]\[bdiley] [S-1-5-21-940051827-2291820289-3341758437-1188]. local host [NULL]

First what does "Pre-authentication" refer to and second why don't I see a failed log event for this user? I disabled the account via. Microsoft RSAT. Thanks.


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba