Web lists-archives.com

Re: [Samba] Account lockouts caused by SAMBA + WinBind do not report "Caller Computer Name" in security audit




On Mon, 2018-04-09 at 17:49 +0000, Eric Wheeler via samba wrote:
> Hello all,
> 
> We are troubleshooting an issue that when SAMBA is joined to a Windows 
> domain controller as a member server that has password failure lockouts 
> configured, the Windows security auditing does not show the "Caller 
> Computer Name" in the event ID generated (4740).
> 
> We are using Samba 4.6.2 from CentOS 7. We posted a Bugzilla at Red Hat 
> here: https://bugzilla.redhat.com/show_bug.cgi?id=1563425
> 
> The Bugzilla request contains images showing the security audit issue.
> 
> Does anyone know what might cause this?

You clarified on the bug that this is when using Kerberos.  The name
used is either from the FAST wrapper (not supported by Samba) or most
likely the netbios host name given as an additional, un-authenticated
'client address'.  

Sadly using FAST hasn't yet been implemented in winbindd but the code
looks like it sends the netbios name.  

A network trace comparing your two cases (presuming you have seen
windows fill this in for Kerberos) would show the difference and
suggest what would need to be implemented.

I hope this helps,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba