
Re: [Samba] Why am I getting login failures for domain members?




On Wed, 6 Jun 2018 15:39:22 -0400 lingpanda101 <lingpanda101@xxxxxxxxx> wrote:
>
> On 6/6/2018 1:48 PM, Mark Foley via samba wrote:
> > No ideas on this? Anybody?
> >
> > --Mark
> >
> > -----Original Message-----
> > Date: Tue, 29 May 2018 09:27:36 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: samba@xxxxxxxxxxxxxxx
> > Subject: [Samba] Why am I getting login failures for domain members?
> >
> > Every so often I get a message in /var/log/samba/log.samba as follows:
> >
> > 2018/05/26 13:44:25.172415, 2] authentication for user [HPRS/LABRAT$] FAILED with error NT_STATUS_WRONG_PASSWORD
> >
> > Normally, I get this when a user types in the wrong password.  However, in this case LABRAT$ is
> > not a user but rather a Linux domain member computer.  This happens periodically on every Linux
> > domain member on the domain.
> >
> > Why? Is it a problem? Is there something I can do to fix this?
> >
> > --Mark
> >
> Mark,
>
>      I don't have any Linux members but it isn't uncommon to see this
> log for Windows devices. A case where I would expect to see this is if the
> machine was off for 30+ days and then turned on. If memory serves me
> this is negotiated every 30 days via the default domain policy.
>
> Anything in the syslog files of your member computers? I would look 
> around the time stamp of the authentication request. Is it when it's 
> powered on?
>
> -James
>

James - thanks for your reply. Actually, most of the office workstations are Windows 7 and I've
never seen this message from a Windows 7 domain member. All the Linux domain members do
generate this message.

None of the workstations are ever turned off. This message occurs much more frequently than 30
days, from 6 to 9 times a month, sometimes twice in the same day.

I checked the syslog as you suggested and there is an interesting correlation. At the same time
the Samba AD/DC logs the message shown in my post, I get the following in syslog:

Jun  4 18:47:02 ccarter winbindd[1359]: [2018/06/04 18:47:02.059311,  0] ../source3/libads/kerberos_util.c:74(ads_kinit_password) 
Jun  4 18:47:02 ccarter winbindd[1359]:   kerberos_kinit_password CCARTER$@HPRS.LOCAL failed: Preauthentication failed 

Interestingly, ahead of these two messages are the following:

Jun  4 18:43:08 ccarter winbindd[1359]: [2018/06/04 18:43:08.051810,  0] ../source3/libsmb/trusts_util.c:272(trust_pw_change) 
Jun  4 18:43:08 ccarter winbindd[1359]:   2018/06/04 18:43:08 : trust_pw_change(HPRS): Verified old password remotely using netlogon_creds_cli:CLI[CCARTER/CCARTER$]/SRV[MAIL/HPRS] 
Jun  4 18:43:08 ccarter winbindd[1359]: [2018/06/04 18:43:08.064049,  0] ../source3/libsmb/trusts_util.c:314(trust_pw_change) 
Jun  4 18:43:08 ccarter winbindd[1359]:   2018/06/04 18:43:08 : trust_pw_change(HPRS): Changed password locally 
Jun  4 18:43:08 ccarter winbindd[1359]: [2018/06/04 18:43:08.910921,  0] ../source3/libsmb/trusts_util.c:330(trust_pw_change) 
Jun  4 18:43:08 ccarter winbindd[1359]:   2018/06/04 18:43:08 : trust_pw_change(HPRS): Changed password remotely using netlogon_creds_cli:CLI[CCARTER/CCARTER$]/SRV[MAIL/HPRS] 
Jun  4 18:43:08 ccarter winbindd[1359]: [2018/06/04 18:43:08.912720,  0] ../source3/libsmb/trusts_util.c:363(trust_pw_change) 
Jun  4 18:43:08 ccarter winbindd[1359]:   2018/06/04 18:43:08 : trust_pw_change(HPRS): Verified new password remotely using netlogon_creds_cli:CLI[CCARTER/CCARTER$]/SRV[MAIL/HPRS] 

So, something related to winbindd is requesting some sort of password change which, as far as I
can tell from the above, succeeds. But the subsequent "Preauthentication" fails. After that,
numerous messages as follows occur at about 5 minute intervals, forever:

Jun  4 18:51:21 ccarter nmbd[1310]: [2018/06/04 18:51:21.891422,  0] ../source3/nmbd/nmbd_namequery.c:109(query_name_response) 
Jun  4 18:51:21 ccarter nmbd[1310]:   query_name_response: Multiple (2) responses received for a query on subnet 192.168.0.60 for name HPRS<1d>. 

Perhaps this is all normal and as expected. Still, why is winbindd requesting a password for
the computer itself (CCARTER$)? What is this password? I've certainly never set a computer
password (that I know of) and it is certainly not the login user's password.

If this is all "normal", fine, I won't worry about it. But, I'm curious as to what this is
about if you or anyone knows, or could direct me to more detail on the web.

THX --Mark
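
The syslog correlation described in the message above, as an added example that is not part of the original post or of Samba: it reports each winbindd "Preauthentication failed" entry and how many seconds it follows a completed trust_pw_change on the same host. The function name `correlate`, the 10-minute window and the caller-supplied year are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Sample input: the first three lines are quoted from the message above,
# the last one (host "labrat") is constructed to show the unmatched case.
SAMPLE = """\
Jun  4 18:43:08 ccarter winbindd[1359]:   2018/06/04 18:43:08 : trust_pw_change(HPRS): Changed password locally
Jun  4 18:43:08 ccarter winbindd[1359]:   2018/06/04 18:43:08 : trust_pw_change(HPRS): Verified new password remotely using netlogon_creds_cli:CLI[CCARTER/CCARTER$]/SRV[MAIL/HPRS]
Jun  4 18:47:02 ccarter winbindd[1359]:   kerberos_kinit_password CCARTER$@HPRS.LOCAL failed: Preauthentication failed
Jun  9 02:10:00 labrat winbindd[812]:   kerberos_kinit_password LABRAT$@HPRS.LOCAL failed: Preauthentication failed
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+(\S+)\s+winbindd\[\d+\]:\s+(.*)$")
KINIT_FAIL = re.compile(r"kerberos_kinit_password (\S+) failed: Preauthentication failed")


def correlate(lines, year, window=timedelta(minutes=10)):
    """Return (host, principal, seconds_since_rotation or None) per kinit failure."""
    last_rotation = {}  # host -> time the new machine password was verified
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        stamp, host, msg = m.groups()
        # syslog timestamps omit the year, so the caller supplies it
        when = datetime.strptime(f"{' '.join(stamp.split())} {year}", "%b %d %H:%M:%S %Y")
        if "trust_pw_change(" in msg and "Verified new password remotely" in msg:
            last_rotation[host] = when
            continue
        fail = KINIT_FAIL.search(msg)
        if fail:
            rotated = last_rotation.get(host)
            delta = when - rotated if rotated else None
            in_window = delta is not None and timedelta(0) <= delta <= window
            secs = int(delta.total_seconds()) if in_window else None
            findings.append((host, fail.group(1), secs))
    return findings


if __name__ == "__main__":
    for host, principal, secs in correlate(SAMPLE.splitlines(), 2018):
        note = f"{secs}s after trust_pw_change" if secs is not None else "no recent trust_pw_change logged"
        print(f"{host}: {principal} preauth failure, {note}")
```

A result of `None` marks a failure with no trust_pw_change logged for that host inside the window.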
