samba - Mar 2018 - [SamLogon, network] vs [Kerberos KDC, ENC-TS Pre-authentication]

Hi,

This is just curiosity.

We are monitoring failed logons, and there seem to be three types:

- LDAP,simple bind/TLS
(obious, failed ldap logons)

and these two:
- SamLogon,network
- Kerberos KDC,ENC-TS Pre-authentication

Could someone explain what (the difference between) these two types is?

Google doesn't really seem to help.

MJ

Hi,

No one knows..?

My guess is:
- SamLogon,network is an interactive logon, so a user typing a password 
on a windows domain joined workstation

- Kerberos KDC,ENC-TS Pre-authentication is something like: an already 
logged on user accessing another server within the same AD doain

But is what I guess true...? :-)

MJ

On 03/22/2018 10:34 AM, mj via samba wrote:
> Hi,
> 
> This is just curiosity.
> 
> We are monitoring failed logons, and there seem to be three types:
> 
> - LDAP,simple bind/TLS
> (obious, failed ldap logons)
> 
> and these two:
> - SamLogon,network
> - Kerberos KDC,ENC-TS Pre-authentication
> 
> Could someone explain what (the difference between) these two types is?
> 
> Google doesn't really seem to help.
> 
> MJ
>

On Mon, 2018-03-26 at 09:08 +0200, mj via samba wrote:
> Hi,
> 
> No one knows..?
> 
> My guess is:
> - SamLogon,network is an interactive logon, so a user typing a password 
> on a windows domain joined workstation
No, that would be SamLogon,interactive.

SamLogon,network is NTLM authentication accessing another server in the
domain (in general). 
> - Kerberos KDC,ENC-TS Pre-authentication is something like: an already 
> logged on user accessing another server within the same AD doain
No, that is most likely a user getting their first ticket on logon.  

I'm glad to hear you are making good use of the audit log feature. 

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba