Hi,

Since samba 4.7 I have setup auth logging, and while I can relate most failed passwords to users mistyping a password, there is one kind that I don't understand, happening across our samba-DCs.

Things work without issues, but I'm just being curious. :-)

> [2017/11/23 04:47:32.166753, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
> Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.166711 CET] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:1.2.3.30:62827] mapped to [WRKGRP]\[P002556$]. local host [NULL]
> [2017/11/23 04:47:32.170564, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
> Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.170557 CET] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:1.2.3.30:62828] became [WRKGRP]\[P002556$] [S-1-5-21-90834550-981288634-869225949-132733]. local host [NULL]

First NT_STATUS_WRONG_PASSWORD, immediately followed by NT_STATUS_OK for the same workstation.

We can domain-logon onto the workstation, I can open AD shares including \\samba-dc2, \\member_server, etc. All without problem. So the domain password / join appears to be correct.

P002556$@SAMBA.COMPANY.COM is running windows server 2008 Enterprise, SP2.

Could anyone think of other reasons why the above error could come up on the DC logs?

MJ

On Thu, 2017-11-23 at 13:54 +0100, mj via samba wrote:
> Hi,
>
> Since samba 4.7 I have setup auth logging, and while I can relate most
> failed passwords to users mistyping a password, there is one kind that I
> don't understand, happening across our samba-DCs.
>
> Things work without issues, but I'm just being curious. :-)
>
> > [2017/11/23 04:47:32.166753, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
> > Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.166711 CET] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:1.2.3.30:62827] mapped to [WRKGRP]\[P002556$]. local host [NULL]
> > [2017/11/23 04:47:32.170564, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
> > Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.170557 CET] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:1.2.3.30:62828] became [WRKGRP]\[P002556$] [S-1-5-21-90834550-981288634-869225949-132733]. local host [NULL]
>
> First NT_STATUS_WRONG_PASSWORD, immediately followed by NT_STATUS_OK for
> the same workstation.
>
> We can domain-logon onto the workstation, I can open AD shares including
> \\samba-dc2, \\member_server, etc. All without problem. So the domain
> password / join appears to be correct.
>
> P002556$@SAMBA.COMPANY.COM is running windows server 2008 Enterprise, SP2.
>
> Could anyone think of other reasons why the above error could come up on
> the DC logs?

It might be speculative pre-authentication with the wrong salt, and then coming back with the password using the right salt.

A network trace might show more.

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba

For the archives:

On 23-11-2017 13:54, mj via samba wrote:
>> [2017/11/23 04:47:32.166753, 2]
>> ../auth/auth_log.c:760(log_authentication_event_human_readable)
>> Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
>> [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017
>> 04:47:32.166711 CET] with [arcfour-hmac-md5] status
>> [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host
>> [ipv4:1.2.3.30:62827] mapped to [WRKGRP]\[P002556$]. local host [NULL]
>> [2017/11/23 04:47:32.170564, 3]
>> ../auth/auth_log.c:760(log_authentication_event_human_readable)
>> Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
>> [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017
>> 04:47:32.170557 CET] with [arcfour-hmac-md5] status [NT_STATUS_OK]
>> workstation [(null)] remote host [ipv4:1.2.3.30:62828] became
>> [WRKGRP]\[P002556$] [S-1-5-21-90834550-981288634-869225949-132733].
>> local host [NULL]
>
> First NT_STATUS_WRONG_PASSWORD, immediately followed by NT_STATUS_OK for
> the same workstation.

The messages disappeared after the windows 2008 domain member was rebooted. Some windows glitch I guess. :-)

MJ
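
Added example, not part of the thread or of Samba: a Python filter over the human-readable auth log format quoted above. It suppresses a failure when the same account and remote address receive NT_STATUS_OK within a short window (the pattern discussed in this thread) and reports the remaining failures. The one-second window, the function names and the third sample entry are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# The first two entries are the ones quoted in the thread; the third is constructed.
SAMPLE_LOG = r"""
[2017/11/23 04:47:32.166753, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.166711 CET] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:1.2.3.30:62827] mapped to [WRKGRP]\[P002556$]. local host [NULL]
[2017/11/23 04:47:32.170564, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.170557 CET] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:1.2.3.30:62828] became [WRKGRP]\[P002556$] [S-1-5-21-90834550-981288634-869225949-132733]. local host [NULL]
[2017/11/23 04:50:01.000123, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[jdoe@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:50:01.000100 CET] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.0.2.7:50000] mapped to [WRKGRP]\[jdoe]. local host [NULL]
"""

# One log entry = a "[timestamp, level] source" header line followed by an "Auth:" line.
ENTRY = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\][^\n]*\n"
    r"\s*Auth: \[[^\]]*\] user \[[^\]]*\]\\\[(?P<account>[^\]]*)\]"
    r".*? status \[(?P<status>[^\]]*)\]"
    r".*? remote host \[(?P<remote>[^\]]*)\]"
)

def parse_auth_events(text):
    """Return one dict per auth event: time, account, host (port stripped), status."""
    return [{
        "time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
        "account": m["account"].lower(),
        "host": m["remote"].rsplit(":", 1)[0],  # source port changes on every retry
        "status": m["status"],
    } for m in ENTRY.finditer(text)]

def unexplained_failures(events, window=timedelta(seconds=1)):
    """Failures not followed by NT_STATUS_OK for the same account and host within window."""
    remaining = []
    for i, ev in enumerate(events):
        if ev["status"] == "NT_STATUS_OK":
            continue
        retried_ok = any(
            later["status"] == "NT_STATUS_OK"
            and (later["account"], later["host"]) == (ev["account"], ev["host"])
            and timedelta(0) <= later["time"] - ev["time"] <= window
            for later in events[i + 1:])
        if not retried_ok:
            remaining.append(ev)
    return remaining

if __name__ == "__main__":
    for ev in unexplained_failures(parse_auth_events(SAMPLE_LOG)):
        print(ev["time"], ev["account"], ev["host"], ev["status"])
```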