On Tue, 2017-09-26 at 12:39 -0400, lingpanda101 via samba wrote:
> Hello,
>
> I recently upgraded Samba to 4.7.0 and enabled the Authentication
> and Authorization audit support. One of the first events I see is
> from a disabled user account.
>
> [2017/09/26 12:24:17.894767, 3, pid=1257, effective(0, 0), real(0, 0)]
> ../auth/auth_log.c:760(log_authentication_event_human_readable)
> Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> [(null)]\[bdiley at DOMAIN.LOCAL] at [Tue, 26 Sep 2017 12:24:17.894746 EDT]
> with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation
> [(null)] remote host [ipv4:172.16.24.20:52728] became [DOMAIN]\[bdiley]
> [S-1-5-21-940051827-2291820289-3341758437-1188]. local host [NULL]
>
> First, what does "Pre-authentication" refer to, and second, why don't I
> see a failed log event for this user? I disabled the account via
> Microsoft RSAT. Thanks.

Sorry for the delay in replying.
The issue is that Heimdal, acting as Samba's KDC, checks the password
before the disabled account status, and we don't log the later denial.
We are looking to reverse the order of these checks to match what
Windows does, and have written some patches for this that will be
posted shortly.
Sorry,
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
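For anyone building detection on these Samba 4.7 audit lines, here is an added example (not Samba's code and not part of the thread) that parses the human-readable `Auth:` line quoted above into fields and flags the case Andrew describes: a Kerberos KDC pre-authentication event with `NT_STATUS_OK` that must still be correlated with the account's disabled flag, because in 4.7.0 the password check is logged before the disabled-account check and the later denial is not logged. The field layout is taken from the one line in the thread; the principal is written as `user@REALM` as it appears in a raw log. The second sample line (a disabled-account failure with `NT_STATUS_ACCOUNT_DISABLED`) is constructed, and the shape of a failure line after `remote host` is an assumption rather than something taken from Samba's source.

```python
"""Parse Samba 4.7 human-readable authentication audit lines.

Added example, not Samba's own code. The regex follows the single success
line quoted in the thread; the failure line in SAMPLE_LOG is constructed and
its tail after 'remote host' is assumed, not taken from auth_log.c.
"""
import re
from typing import Dict, List, Optional

Record = Dict[str, Optional[str]]

# Layout copied from the quoted line:
#   Auth: [service,method] user [dom]\[name] at [time] with [mech]
#   status [NT_STATUS_*] workstation [ws] remote host [addr]
#   became [DOM]\[account] [SID]. local host [...]
# The 'became ...' part appeared only on the successful line, so it is optional.
AUTH_RE = re.compile(
    r"^\s*Auth: \[(?P<service>[^,\]]+),(?P<method>[^\]]+)\]"
    r" user \[(?P<req_domain>[^\]]*)\]\\\[(?P<req_user>[^\]]*)\]"
    r" at \[(?P<when>[^\]]*)\]"
    r" with \[(?P<mech>[^\]]*)\]"
    r" status \[(?P<status>[^\]]*)\]"
    r" workstation \[(?P<workstation>[^\]]*)\]"
    r" remote host \[(?P<remote>[^\]]*)\]"
    r"(?: became \[(?P<domain>[^\]]*)\]\\\[(?P<account>[^\]]*)\]"
    r" \[(?P<sid>[^\]]*)\])?"
)

# Constructed sample: the thread's success line (with '@' in the principal)
# plus an assumed failure line for a disabled account. The bracketed debug
# header lines are what Samba prints before each Auth: line and are skipped.
SAMPLE_LOG = r"""
[2017/09/26 12:24:17.894767, 3, pid=1257, effective(0, 0), real(0, 0)] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[bdiley@DOMAIN.LOCAL] at [Tue, 26 Sep 2017 12:24:17.894746 EDT] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.16.24.20:52728] became [DOMAIN]\[bdiley] [S-1-5-21-940051827-2291820289-3341758437-1188]. local host [NULL]
[2017/09/26 12:30:00.000000, 3, pid=1257, effective(0, 0), real(0, 0)] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[jdoe@DOMAIN.LOCAL] at [Tue, 26 Sep 2017 12:30:00.000000 EDT] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_ACCOUNT_DISABLED] workstation [(null)] remote host [ipv4:172.16.24.21:52730] local host [NULL]
"""


def parse_auth_line(line: str) -> Optional[Record]:
    """Return the fields of one 'Auth:' line, or None for any other line."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    # "(null)" is Samba's rendering of an absent value; normalise it to None.
    return {k: (None if v == "(null)" else v) for k, v in m.groupdict().items()}


def parse_log(text: str) -> List[Record]:
    """Parse every Auth: line in a block of log text, ignoring debug headers."""
    records = []
    for line in text.splitlines():
        rec = parse_auth_line(line)
        if rec is not None:
            records.append(rec)
    return records


def kdc_preauth_successes(records: List[Record]) -> List[Record]:
    """Kerberos KDC events that reported NT_STATUS_OK.

    In Samba 4.7.0 this OK is logged after the password check but before the
    disabled-account check, and the later denial is not logged. A hit here
    therefore does not prove a ticket was issued: correlate the resolved
    account (or SID) with the directory's disabled flag before trusting it.
    """
    return [r for r in records
            if r["service"] == "Kerberos KDC" and r["status"] == "NT_STATUS_OK"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["status"], r["req_user"], r["remote"], r["account"], r["sid"])
    print("KDC successes to correlate with account status:",
          [r["account"] for r in kdc_preauth_successes(recs)])
```

Feed the function a real `log.samba` (with `log level = 3` and `auth_audit` enabled) and join the `kdc_preauth_successes` output against your directory's `userAccountControl` values; on 4.7.0 a disabled account that still authenticates its password shows up only in that list, never as a failure.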