Eric Wheeler
2018-Apr-09 17:49 UTC
[Samba] Account lockouts caused by SAMBA + WinBind do not report "Caller Computer Name" in security audit
Hello all,

We are troubleshooting an issue that when SAMBA is joined to a Windows domain controller as a member server that has password failure lockouts configured, the Windows security auditing does not show the "Caller Computer Name" in the event ID generated (4740).

We are using Samba 4.6.2 from CentOS 7. We posted a Bugzilla at Red Hat here: https://bugzilla.redhat.com/show_bug.cgi?id=1563425

The Bugzilla request contains images showing the security audit issue.

Does anyone know what might cause this?

--
Eric Wheeler
Andrew Bartlett
2018-Apr-09 18:42 UTC
[Samba] Account lockouts caused by SAMBA + WinBind do not report "Caller Computer Name" in security audit
On Mon, 2018-04-09 at 17:49 +0000, Eric Wheeler via samba wrote:
> Hello all,
>
> We are troubleshooting an issue that when SAMBA is joined to a Windows
> domain controller as a member server that has password failure lockouts
> configured, the Windows security auditing does not show the "Caller
> Computer Name" in the event ID generated (4740).
>
> We are using Samba 4.6.2 from CentOS 7. We posted a Bugzilla at Red Hat
> here: https://bugzilla.redhat.com/show_bug.cgi?id=1563425
>
> The Bugzilla request contains images showing the security audit issue.
>
> Does anyone know what might cause this?

You clarified on the bug that this is when using Kerberos.

The name used is either from the FAST wrapper (not supported by Samba) or most likely the netbios host name given as an additional, un-authenticated 'client address'.

Sadly using FAST hasn't yet been implemented in winbindd but the code looks like it sends the netbios name.

A network trace comparing your two cases (presuming you have seen windows fill this in for Kerberos) would show the difference and suggest what would need to be implemented.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
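
Added example, not part of the original thread and not Samba code: a minimal decoder for a Kerberos `HostAddresses` value, to support the trace comparison suggested above by listing which NetBIOS name, if any, each client sent. It assumes the 'client address' in the reply is the RFC 4120 `addresses` field of the request body (NetBIOS is addr-type 20) and that its DER bytes were copied out of each capture; the sample bytes and the host name `FILESRV01` are constructed.

```python
NETBIOS = 20  # RFC 4120 section 7.5.3 addr-type for NetBIOS (IPv4 is 2)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def parse_host_addresses(der):
    """HostAddresses ::= SEQUENCE OF SEQUENCE { [0] Int32, [1] OCTET STRING }"""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, entry, pos = read_tlv(body, pos)
        t0, f0, nxt = read_tlv(entry, 0)      # [0] addr-type wrapper
        t1, f1, _ = read_tlv(entry, nxt)      # [1] address wrapper
        ti, ival, _ = read_tlv(f0, 0)         # INTEGER
        to, oval, _ = read_tlv(f1, 0)         # OCTET STRING
        if (tag, t0, t1, ti, to) != (0x30, 0xA0, 0xA1, 0x02, 0x04):
            raise ValueError("not a HostAddress entry")
        out.append((int.from_bytes(ival, "big", signed=True), oval))
    return out

def netbios_names(der):
    """NetBIOS names offered by the client; padding (space or NUL) removed."""
    return [addr.rstrip(b" \x00").decode("ascii", "replace")
            for atype, addr in parse_host_addresses(der) if atype == NETBIOS]

# --- constructed sample input (short-form lengths only) ---
def tlv(tag, value):
    return bytes([tag, len(value)]) + value

def host_address(addr_type, addr):
    return tlv(0x30, tlv(0xA0, tlv(0x02, bytes([addr_type]))) + tlv(0xA1, tlv(0x04, addr)))

IPV4_ONLY = tlv(0x30, host_address(2, bytes([192, 0, 2, 10])))
WITH_NETBIOS = tlv(0x30, host_address(2, bytes([192, 0, 2, 10]))
                   + host_address(NETBIOS, b"FILESRV01".ljust(16)))
```

Running `netbios_names()` on the field from each capture shows whether the two clients differ in the name they offer; the value is client-supplied and unauthenticated, as the reply notes.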