Web lists-archives.com

Re: [Samba] auth audit log question




For the archives:

On 23-11-2017 13:54, mj via samba wrote:
[2017/11/23 04:47:32.166753,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.166711 CET] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:1.2.3.30:62827] mapped to [WRKGRP]\[P002556$]. local host [NULL] [2017/11/23 04:47:32.170564,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.170557 CET] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:1.2.3.30:62828] became [WRKGRP]\[P002556$] [S-1-5-21-90834550-981288634-869225949-132733]. local host [NULL]

First NT_STATUS_WRONG_PASSWORD, immediately followed by NT_STATUS_OK for the same workstation.

The messages disappeared after the windows 2008 domain member was rebooted.

Some windows glitch I guess. :-)

MJ

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba