Re: [Samba] Intermittent Authentication Errors
- Date: Wed, 19 Sep 2018 10:41:50 -0700
- From: Andrew Bartlett via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Intermittent Authentication Errors
On Tue, 2018-09-18 at 12:19 -0500, Matthew Delfino via samba wrote:
> Hello Samba People,
> We have a Kerio Connect (email) server using Samba 4.8.5 as it’s
> directory service (3 AD DCs). We’ve been using this setup for about 3
> years now.
> Over the last several months, we’ve been trying to find out why Samba
> starts rejecting attempts that the Kerio Connect mail server makes to
> authenticate our users. The errors in Kerio look like this:
> Authentication failed for user joe.schmoe@xxxxxxxxxx. Attempt from IP
> address 192.168.1.48. External authentication service rejected
> authentication due to invalid password or authentication restriction.
> This will repeat about 40 times for 40 different users over the
> course of, say 5 minutes or as long as 20 minutes (in which case, it
> might affect all 130 users). Then, it just stops.
> Now, this could be Kerio’s fault. So, I’m exploring all my options. A
> Kerio Connect server sends a lot of authentication requests per
> minute - like, sometimes 100 to 140. But I was wondering if anyone
> knows of any configuration settings I might be able to tweak on my
> DCs to make them more welcoming of rapid authentication requests?
What I would do is try and work out what the error is on the Samba
side, turning up the logs and using the JSON auditing feature to get
good, machine-parsable data.
Then line up the failing authentications with the logs and try to work
out a pattern. Is the LDAP server falling over due to out of memory
for example, or is the server swapping?
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
To unsubscribe from this list go to the following URL and read the