On Mon, 2021-10-25 at 11:07 +0200, cn--- via samba
wrote:> Am 25.10.21 um 11:04 schrieb Rowland Penny via samba:
> > On Mon, 2021-10-25 at 10:40 +0200, cn--- via samba wrote:
> > > I have set "auth_audit"
> > >
> > > log level = 1 auth_audit:3@/var/log/samba/print.log
> > >
> > > And I have tons of these:
> > >
> > >
> > > [2021/10/25 10:38:44.484840, 3]
> > > ../../auth/auth_log.c:653(log_authentication_event_human_readable
> > > )
> > > Auth: [DCE/RPC,(null)] user [DOMAIN-02]\[user] at [Mon, 25
> > > Oct
> > > 2021
> > > 10:38:44.484815 CEST] with [NTLMv2] status [NT_STATUS_OK]
> > > workstation
> > > [BR-HOST] remote host [ipv4:X.X.X.X:59409] became [DOMAIN-
> > > 02]\[user]
> > > [S-1-5-21-xxx-xxx-xxx-xxx]. local host [ipv4:X.X.X.X:445]
> > >
> > >
> >
> > Try changing the 3 in 'auth_audit' to 2, what you are
receiving in
> > the
> > logs is just Samba telling you that authentication was successful.
>
> Yes I know. But it is NTLM Auth not Kerberos as before the Updates
> and
> there so many many more then before the update. This is what made me
> suspicious.
>
Then you need to find out why Windows is not using kerberos any more.
My guess would be dns related, it is using the ipaddress instead of
hostnames and kerberos doesn't work over ipaddresses.
Rowland