Web lists-archives.com

[Samba] Workstation authentication and authorization failed event




Hello,

    I've recently enabled authentication logging and it's been working well. Today I see a failure for a workstation.

Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[pc-45@DOMAIN.LOCAL] at [Tue, 06 Mar 2018 11:42:15.767915 EST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:172.16.25.47:61738] mapped to [DOMAIN]\[PC-45]. local host [NULL]

In the past this was due to replication failure on a DC. However I'm not sure how to interpret this log. I would expect to see something like PC-45$@DOMAIN.LOCAL. Without the dollar sign it looks as if someone attempted to sign in locally with the username 'PC-45'. I'm in the early stages of investigation but am I correct in this thought process? Thanks.

--
--
James

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba