Re: [Samba] auth audit log question
- Date: Fri, 24 Nov 2017 09:47:29 +1300
- From: Andrew Bartlett via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] auth audit log question
On Thu, 2017-11-23 at 13:54 +0100, mj via samba wrote:
> Since samba 4.7 I have setup auth logging, and while I can relate most
> failed passwords to users mistyping a password, there is one kind that I
> don't understand, happening across our samba-DCs.
> Things work without issues, but I'm just being curious. :-)
> > [2017/11/23 04:47:32.166753, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
> > Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.166711 CET] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:188.8.131.52:62827] mapped to [WRKGRP]\[P002556$]. local host [NULL]
> > [2017/11/23 04:47:32.170564, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
> > Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.170557 CET] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:184.108.40.206:62828] became [WRKGRP]\[P002556$] [S-1-5-21-90834550-981288634-869225949-132733]. local host [NULL]
> First NT_STATUS_WRONG_PASSWORD, immediately followed by NT_STATUS_OK for
> the same workstation.
> We can domain-logon onto the workstation, I can open AD shares including
> \\samba-dc2, \\member_server, etc. All without problem. So the domain
> password / join appears to be correct.
> P002556$@SAMBA.COMPANY.COM is running windows server 2008 Enterprise, SP2.
> Could anyone think of other reasons why the above error could come up on
> the DC logs?
It might be speculative pre-authentication with the wrong salt, and
then coming back with the password using the right salt.
A network trace might show more.
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
To unsubscribe from this list go to the following URL and read the