Web lists-archives.com

Re: [Samba] NT_STATUS_ACCOUNT_LOCKED_OUT




On Sat, 19 Jan 2019 19:03:58 +0000 Rowland Penny wrote:
>
> On Sat, 19 Jan 2019 13:37:18 -0500
> Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > I sure could use some help on this.  Perhaps this problem is due to a
> > recent Windows update?
> > 
> > I have determined that whenever I log into the Windows 7 host
> > DBSERVER from any other Windows 7 computer, whether it be a local
> > domain workstation or an external computer, and regarless of whether
> > the client workstation is logged in as 'mark' or any other user, I
> > have the lockout problem.
> > 
> > As soon as I log into Windows 7 host dbserver as the domain
> > administrator I immediately see series 10 to 15 of the following
> > log.samba messages:
> > 
> >   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > [(null)]\[mark@HPRS] at [Sat, 19 Jan 2019 12:18:27.881822 EST] with
> > [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation
> > [(null)] remote host [ipv4:192.168.0.4:53914] mapped to
> > [HPRS]\[mark]. local host [NULL] 
> > 
> > Then, if I try to log into ANY domain member as user 'mark' I cannot
> > and the log.samba has:
> > 
> >   auth_check_password_recv: sam authentication for user [HPRS\mark]
> > FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT, authoritative=1 Auth:
> > [SamLogon,network] user [HPRS]\[mark] at [Sat, 19 Jan 2019
> > 12:28:06.590937 EST] with [NTLMv2] status
> > [NT_STATUS_ACCOUNT_LOCKED_OUT] workstation [WIN7VM] remote host
> > [ipv4:192.168.0.4:54336] mapped to [HPRS]\[mark]. local host
> > [ipv4:192.168.0.2:49153]  NETLOGON computer [DBSERVER] trust account
> > [DBSERVER$]
> > 
> > The administrator user does not map any drives or otherwise seem to
> > run anything as user 'mark'.
> > 
> > I cannot figure out why something is trying to login/connect as user
> > 'mark' with an invalid password even when logging in as the
> > administrator, not 'mark'. 
> > 
> > Furthermore, when I do actually log into this computer as 'mark' and
> > enter the correct PW, it works fine, no Auth errors. 
> > 
> > Could someone point me in the right direction for research? 
> > 
> > --Mark
> > 
>
> If this is only happening with one PC, then you need to check that PC.
> It looks like something is trying to do something it probably
> shouldn't, I take it you have a run a deep virus scan ?
>
> Rowland

Yes, this is the only machine it's happening on. I've tried logging into other domain member
workstations as the domain admin, and no such errors/lockout occur.

> It looks like something is trying to do something it probably shouldn't,

Any idea what it could be? This computer has been a Samba4 domain member for about 4 years.  It
is a server, no email, no network attached drives, no normal users log in except for me as the
administrator to occasionally run ADUC and also to occasionalyy run/configure Acronis backup
(which I've now deleted from the system in case that was the problem -- it wasn't); and I log
in as 'mark' to run SQL Server Management Studio.  As mentioned, when I actually log in as
'mark' I have lockout consequences. 

I've sent another response on this to Andrew Bartlett with kerberos logging info.

I have run, and am running now, a virus scan. So far nothing bad found.

--Mark

(Rowland sorry about the partial message sent to your personal account. The send button got
away from me)

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba