Hi,

I have just upgraded our Samba 4.1 AD servers to 4.2.2.

Our AD was previously run on win2k3 and had configuration for account lockout after 3 bad passwords. This lockout obviously did not work after migration to 4.1.

After the upgrade to 4.2.2 the lockout started working again, almost as expected.

The current settings are

Password complexity: on
Store plaintext passwords: off
Password history length: 20
Minimum password length: 8
Minimum password age (days): 1
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30

When testing the account lockout, it seemed that it only took 2 bad passwords to lock the account where it should be 3.

When I traced log.samba while attempting login with a bad password, it appears that when I press enter after entering a bad password, 2 attempts are made at checking it. The second time I enter a bad password, the account is locked.

<grep aslate log.samba>
Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65414 for krbtgt/DOMAIN at DOMAIN
Kerberos: Looking for PKINIT pa-data -- aslate at DOMAIN
Kerberos: Looking for ENC-TS pa-data -- aslate at DOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- aslate at DOMAIN
Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65415 for krbtgt/DOMAIN at DOMAIN
Kerberos: Looking for PKINIT pa-data -- aslate at DOMAIN
Kerberos: Looking for ENC-TS pa-data -- aslate at DOMAIN
Kerberos: ENC-TS Pre-authentication succeeded -- aslate at DOMAIN using aes256-cts-hmac-sha1-96
Kerberos: TGS-REQ aslate at DOMAIN.SCLUK.COM from ipv4:123.123.123.50:65416 for host/aslate-v.DOMAIN.scluk.com at DOMAIN.SCLUK.COM [canonicalize, renewable, forwardable]
Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65418 for krbtgt/DOMAIN at DOMAIN
Kerberos: Looking for PKINIT pa-data -- aslate at DOMAIN
Kerberos: Looking for ENC-TS pa-data -- aslate at DOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- aslate at DOMAIN
Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65419 for krbtgt/DOMAIN at DOMAIN
Kerberos: Looking for PKINIT pa-data -- aslate at DOMAIN
Kerberos: Looking for ENC-TS pa-data -- aslate at DOMAIN
Kerberos: Failed to decrypt PA-DATA -- aslate at DOMAIN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Kerberos: Failed to decrypt PA-DATA -- aslate at DOMAIN
Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65420 for krbtgt/DOMAIN at DOMAIN
Kerberos: Looking for PKINIT pa-data -- aslate at DOMAIN
Kerberos: Looking for ENC-TS pa-data -- aslate at DOMAIN
Kerberos: Failed to decrypt PA-DATA -- aslate at DOMAIN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Kerberos: Failed to decrypt PA-DATA -- aslate at DOMAIN
Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65438 for krbtgt/DOMAIN at DOMAIN
Kerberos: Looking for PKINIT pa-data -- aslate at DOMAIN
Kerberos: Looking for ENC-TS pa-data -- aslate at DOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- aslate at DOMAIN
Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65439 for krbtgt/DOMAIN at DOMAIN
Kerberos: Looking for PKINIT pa-data -- aslate at DOMAIN
Kerberos: Looking for ENC-TS pa-data -- aslate at DOMAIN
Kerberos: Failed to decrypt PA-DATA -- aslate at DOMAIN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Kerberos: Failed to decrypt PA-DATA -- aslate at DOMAIN
Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65440 for krbtgt/DOMAIN at DOMAIN
Kerberos: Looking for PKINIT pa-data -- aslate at DOMAIN
Kerberos: Client (aslate at DOMAIN) is locked out
</grep>

The client machine is running win7 and is fully up to date with patches.

Does anyone have any idea why this is happening? Do we have an odd windows setting or is samba not handling this correctly?

-- 
Al Slater
Technical Director
SCL
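
Added example, not part of the original post: a small Python parser that counts failed pre-authentications per logon attempt from KDC lines like those quoted above, so the count can be compared with the lockout threshold. The function names are hypothetical, and it assumes each logon attempt begins with the AS-REQ that is answered PREAUTH-REQUIRED.

```python
import re
from collections import Counter

# Abridged from the log excerpt in the post ("Looking for ..." lines dropped).
SAMPLE_LOG = """\
Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65418 for krbtgt/DOMAIN at DOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- aslate at DOMAIN
Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65419 for krbtgt/DOMAIN at DOMAIN
Kerberos: Failed to decrypt PA-DATA -- aslate at DOMAIN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- aslate at DOMAIN
Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65420 for krbtgt/DOMAIN at DOMAIN
Kerberos: Failed to decrypt PA-DATA -- aslate at DOMAIN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- aslate at DOMAIN
Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65438 for krbtgt/DOMAIN at DOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- aslate at DOMAIN
Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65439 for krbtgt/DOMAIN at DOMAIN
Kerberos: Failed to decrypt PA-DATA -- aslate at DOMAIN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- aslate at DOMAIN
Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65440 for krbtgt/DOMAIN at DOMAIN
Kerberos: Client (aslate at DOMAIN) is locked out
"""
# Assumption: the list archive shows "@" as " at "; accept either form.
AS_REQ = re.compile(r"AS-REQ (?P<user>[^\s@]+)(?: at |@)\S+ from ipv4:[\d.]+:(?P<port>\d+)")
OUTCOMES = {"No preauth found": "preauth_required",
            "Pre-authentication succeeded": "success",
            "Failed to decrypt PA-DATA": "bad_password",
            "is locked out": "locked_out"}

def parse_requests(log):
    """One [user, port, outcome] per AS-REQ; the first outcome line wins,
    so the doubled "Failed to decrypt" line counts as one failure."""
    reqs = []
    for line in log.splitlines():
        m = AS_REQ.search(line)
        if m:
            reqs.append([m["user"], int(m["port"]), "unknown"])
        elif reqs and reqs[-1][2] == "unknown":
            reqs[-1][2] = next((o for k, o in OUTCOMES.items() if k in line), "unknown")
    return reqs

def failures_per_logon(reqs, user):
    """Group a user's requests into logon attempts. Assumption: each attempt
    starts with the AS-REQ that is answered PREAUTH-REQUIRED."""
    logons = []
    for _user, _port, outcome in (r for r in reqs if r[0] == user):
        if outcome == "preauth_required" or not logons:
            logons.append(Counter())
        logons[-1][outcome] += 1
    return logons
```

On the abridged sample, `failures_per_logon(parse_requests(SAMPLE_LOG), "aslate")` yields two logon attempts: the first with two `bad_password` requests, the second with one `bad_password` followed by `locked_out`.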