[Samba] Windows user domain accounts getting locked out regularly

Hi All,

We have a mixed environment running Windows and Linux, with Samba as the domain controller. Smart card login is configured and working properly with PKINIT and certs, etc. (https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login), though I don't think this is related.

A handful of Windows clients are regularly getting their accounts locked during what seems to be a Kerberos ticket renewal. The lockout setting is currently at 25 attempts. In the logs (debug level cranked up to 5) I see 25 successive wrong password attempts in the course of a few seconds, culminating in a lockout:

[2018/02/12 15:32:52.383900,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[exampleuser@MICROWAY] at [Mon, 12 Feb 2018 15:32:52.383881 EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.200.17:50205] mapped to [MICROWAY]\[exampleuser]. local host [NULL]
[2018/02/12 15:32:52.383948,  0] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt PA-DATA -- exampleuser@MICROWAY
[2018/02/12 15:32:52.384618,  3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/02/12 15:32:52.384687,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2018/02/12 15:32:52.419400,  0] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ exampleuser@MICROWAY from ipv4:192.168.200.17:50207 for krbtgt/MICROWAY@MICROWAY
[2018/02/12 15:32:52.422687,  0] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2018/02/12 15:32:52.422765,  5] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- exampleuser@MICROWAY
[2018/02/12 15:32:52.422799,  5] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- exampleuser@MICROWAY
[2018/02/12 15:32:52.422837,  5] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt PA-DATA -- exampleuser@MICROWAY (enctype arcfour-hmac-md5) error Decrypt integrity check failed
[2018/02/12 15:32:52.423074,  5] ../source4/dsdb/common/util.c:5355(dsdb_update_bad_pwd_count)
  Updated badPwdCount on CN=exampleuser,CN=Users,DC=microway,DC=local after 24 wrong passwords
[2018/02/12 15:32:52.426895,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[exampleuser@MICROWAY] at [Mon, 12 Feb 2018 15:32:52.426870 EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.200.17:50207] mapped to [MICROWAY]\[exampleuser]. local host [NULL]
[2018/02/12 15:32:52.426929,  0] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt PA-DATA -- exampleuser@MICROWAY
[2018/02/12 15:32:52.427465,  3] ../source4/smbd/service_stream.c:65(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/02/12 15:32:52.427522,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2018/02/12 15:32:52.446440,  0] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ exampleuser@MICROWAY from ipv4:192.168.200.17:50209 for krbtgt/MICROWAY@MICROWAY
[2018/02/12 15:32:52.449611,  0] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2018/02/12 15:32:52.449678,  5] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- exampleuser@MICROWAY
[2018/02/12 15:32:52.449699,  5] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- exampleuser@MICROWAY
[2018/02/12 15:32:52.449738,  5] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt PA-DATA -- exampleuser@MICROWAY (enctype arcfour-hmac-md5) error Decrypt integrity check failed
[2018/02/12 15:32:52.449976,  5] ../source4/dsdb/common/util.c:5352(dsdb_update_bad_pwd_count)
  Locked out user CN=exampleuser,CN=Users,DC=microway,DC=local after 25 wrong passwords


This lockout occurred at 15:32. The 3 previous lockouts were at 11:32, 7:32, 00:32. They seem to occur at a roughly whole number of hours since the last lockout, ranging from about 3 to about 9. This is why I think it's related to Kerberos ticket renewal.


I've enabled Kerberos LSA debugging on the offending clients but have not seen anything meaningful in them. I also enabled verbose netlogon debugging on a client, and that did not reveal anything either.

I tried doing a "klist purge" on one of the offending clients but the problem returned.

Where should I be looking next to resolve this?

Thanks,
Rick Warner
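As an added example (not part of Rick's post or of Samba itself), a small Python script that parses the "Auth:" lines Samba's auth_log writes at debug level 2 and groups NT_STATUS_WRONG_PASSWORD events by principal, source address and encryption type, so the client sending the bad arcfour-hmac-md5 ENC-TS pre-authentication can be pinned down before badPwdCount reaches the lockout threshold. The sample log lines are constructed in the shape of the ones quoted above, and the field layout and timestamp format are assumed from that output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of Samba's auth_log output at debug level 2:
# three ENC-TS pre-auth failures from one client in one second, then an unrelated success.
SAMPLE_LOG = """\
[2018/02/12 15:32:52.383900,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\\[exampleuser@MICROWAY] at [Mon, 12 Feb 2018 15:32:52.383881 EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.200.17:50205] mapped to [MICROWAY]\\[exampleuser]. local host [NULL]
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\\[exampleuser@MICROWAY] at [Mon, 12 Feb 2018 15:32:52.426870 EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.200.17:50207] mapped to [MICROWAY]\\[exampleuser]. local host [NULL]
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\\[exampleuser@MICROWAY] at [Mon, 12 Feb 2018 15:32:53.101200 EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.200.17:50209] mapped to [MICROWAY]\\[exampleuser]. local host [NULL]
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\\[otheruser@MICROWAY] at [Mon, 12 Feb 2018 15:40:10.000000 EST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.200.40:51000] mapped to [MICROWAY]\\[otheruser]. local host [NULL]
"""

# Field layout assumed from the sample above; the port is split off the remote host.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^\]]*)\] user \[[^\]]*\]\\\[(?P<user>[^\]]*)\]"
    r" at \[\w{3}, (?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2})\.\d+ \w+\]"
    r" with \[(?P<enc>[^\]]*)\] status \[(?P<status>[^\]]*)\]"
    r".*?remote host \[ipv[46]:(?P<host>[^\]]+?):\d+\]"
)

def parse_auth_events(log_text):
    """Return (time, principal, remote host, enctype, status) for every Auth: line."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%d %b %Y %H:%M:%S"),
                           m["user"], m["host"], m["enc"], m["status"]))
    return events

def lockout_sources(log_text, threshold=25, window_seconds=60):
    """Report each (principal, host, enctype) whose wrong-password count in a sliding window reaches threshold."""
    window = timedelta(seconds=window_seconds)
    by_source = defaultdict(list)
    for when, user, host, enc, status in parse_auth_events(log_text):
        if status == "NT_STATUS_WRONG_PASSWORD":
            by_source[(user, host, enc)].append(when)
    hits = []
    for key, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits.append((*key, end - start + 1, times[start], times[end]))
                break
    return hits
```

Run it against the DC's log with the real threshold (25) to see which source address and enctype every burst comes from; a burst that is all arcfour-hmac-md5 from one client while the smart-card logons use PKINIT points at a cached legacy credential on that machine.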
