lingpanda101
2018-Mar-06 17:31 UTC
[Samba] Workstation authentication and authorization failed event
Hello, I've recently enabled authentication logging and it's been working well. Today I see a failure for a workstation. Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[pc-45 at DOMAIN.LOCAL] at [Tue, 06 Mar 2018 11:42:15.767915 EST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:172.16.25.47:61738] mapped to [DOMAIN]\[PC-45]. local host [NULL] In the past this was due to replication failure on a DC. However I'm not sure how to interpret this log. I would expect to see something like PC-45$@DOMAIN.LOCAL. Without the dollar sign it looks as if someone attempted to sign in locally with the username 'PC-45'. I'm in the early stages of investigation but am I correct in this thought process? Thanks. -- -- James
Andrew Bartlett
2018-Mar-06 19:22 UTC
[Samba] Workstation authentication and authorization failed event
On Tue, 2018-03-06 at 12:31 -0500, lingpanda101 via samba wrote:> In the past this was due to replication failure on a DC. However I'm > not sure how to interpret this log. I would expect to see something > like PC-45$@DOMAIN.LOCAL. Without the dollar sign it looks as if > someone attempted to sign in locally with the username 'PC-45'. I'm > in the early stages of investigation but am I correct in this thought > process? Thanks.For reasons unknown some parts of windows drop the $ so we have to allow that as well. We have tests we ran against windows to verify that. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba