Web lists-archives.com


On Sat, 19 Jan 2019 19:03:58 +0000 Rowland Penny wrote:
> On Sat, 19 Jan 2019 13:37:18 -0500
> Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > I sure could use some help on this.  Perhaps this problem is due to a
> > recent Windows update?
> > 
> > I have determined that whenever I log into the Windows 7 host
> > DBSERVER from any other Windows 7 computer, whether it be a local
> > domain workstation or an external computer, and regarless of whether
> > the client workstation is logged in as 'mark' or any other user, I
> > have the lockout problem.
> > 
> > As soon as I log into Windows 7 host dbserver as the domain
> > administrator I immediately see series 10 to 15 of the following
> > log.samba messages:
> > 
> >   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > [(null)]\[mark@HPRS] at [Sat, 19 Jan 2019 12:18:27.881822 EST] with
> > [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation
> > [(null)] remote host [ipv4:] mapped to
> > [HPRS]\[mark]. local host [NULL] 
> > 
> > Then, if I try to log into ANY domain member as user 'mark' I cannot
> > and the log.samba has:
> > 
> >   auth_check_password_recv: sam authentication for user [HPRS\mark]
> > FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT, authoritative=1 Auth:
> > [SamLogon,network] user [HPRS]\[mark] at [Sat, 19 Jan 2019
> > 12:28:06.590937 EST] with [NTLMv2] status
> > [NT_STATUS_ACCOUNT_LOCKED_OUT] workstation [WIN7VM] remote host
> > [ipv4:] mapped to [HPRS]\[mark]. local host
> > [ipv4:]  NETLOGON computer [DBSERVER] trust account
> > 
> > The administrator user does not map any drives or otherwise seem to
> > run anything as user 'mark'.
> > 
> > I cannot figure out why something is trying to login/connect as user
> > 'mark' with an invalid password even when logging in as the
> > administrator, not 'mark'. 
> > 
> > Furthermore, when I do actually log into this computer as 'mark' and
> > enter the correct PW, it works fine, no Auth errors. 
> > 
> > Could someone point me in the right direction for research? 
> > 
> > --Mark
> > 
> If this is only happening with one PC, then you need to check that PC.
> It looks like something is trying to do something it probably
> shouldn't, I take it you have a run a deep virus scan ?
> Rowland

Yes, this is the only machine it's happening on. I've tried logging into other domain member
workstations as the domain admin, and no such errors/lockout occur.

> It looks like something is trying to do something it probably shouldn't,

Any idea what it could be? This computer has been a Samba4 domain member for about 4 years.  It
is a server, no email, no network attached drives, no normal users log in except for me as the
administrator to occasionally run ADUC and also to occasionalyy run/configure Acronis backup
(which I've now deleted from the system in case that was the problem -- it wasn't); and I log
in as 'mark' to run SQL Server Management Studio.  As mentioned, when I actually log in as
'mark' I have lockout consequences. 

I've sent another response on this to Andrew Bartlett with kerberos logging info.

I have run, and am running now, a virus scan. So far nothing bad found.


(Rowland sorry about the partial message sent to your personal account. The send button got
away from me)

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba