On Mon, 16 Apr 2018 14:12:02 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:

> Still having daily problems. Yesterday, again, I reset the user
> password from the AD/DC as the domain administrator: samba-tool user
> setpassword mark
>
> Today, I was unable to log in. The only message in the log.samba file
> is:
>
> [2018/04/16 14:02:12.199145,
> 2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
> auth_check_password_recv: sam_ignoredomain authentication for user
> [HPRS\mark] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT
>
> There are no preceding messages with invalid passwords, etc. If I
> reset the password as domain administrator I get locked out sometime
> a day later. This is consistently repeatable.
>
> How do I fix this? This is an urgent problem.
>
> If this list is not the right place for this question, please advise.
>

The problem is that the locking out probably has nothing to do with the password change, other than the password has been changed.

See here for what to check for:

https://www.lepide.com/blog/what-are-the-common-root-causes-of-account-lockouts-and-do-i-resolve-them/

The other problem is, you really need Samba 4.7.0 onwards to get the authentication attempts in the logs, so it looks like you need to upgrade, but do not upgrade to 4.8.0

There is probably something trying to auth with a stale password, but with your Samba version it will be hard to discover what.

Rowland
On Mon, 16 Apr 2018 19:46:35 +0100 Rowland Penny <rpenny at samba.org> wrote:

>
> On Mon, 16 Apr 2018 14:12:02 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > Still having daily problems. Yesterday, again, I reset the user
> > password from the AD/DC as the domain administrator: samba-tool user
> > setpassword mark
> >
> > Today, I was unable to log in. The only message in the log.samba file
> > is:
> >
> > [2018/04/16 14:02:12.199145,
> > 2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
> > auth_check_password_recv: sam_ignoredomain authentication for user
> > [HPRS\mark] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT
> >
> > There are no preceding messages with invalid passwords, etc. If I
> > reset the password as domain administrator I get locked out sometime
> > a day later. This is consistently repeatable.
> >
> > How do I fix this? This is an urgent problem.
> >
> > If this list is not the right place for this question, please advise.
> >
>
> The problem is that the locking out probably has nothing to do
> with the password change, other than the password has been changed.
>
> See here for what to check for:
>
> https://www.lepide.com/blog/what-are-the-common-root-causes-of-account-lockouts-and-do-i-resolve-them/
>
> The other problem is, you really need Samba 4.7.0 onwards to get the
> authentication attempts in the logs, so it looks like you need to
> upgrade, but do not upgrade to 4.8.0
>
> There is probably something trying to auth with a stale password, but
> with your Samba version it will be hard to discover what.
>
> Rowland

I think I've found the culprit.

I have a Windows 7 SQL Server host. Unfortunately, I was in the habit of logging onto that machine as the Domain Administrator, which included mapping Samba shares as that user. When I changed the Samba server to be a domain member I was no longer able to map shares from this SQL Server as the Domain Administrator (because the domain administrator is not a member of Domain Users. I posted a thread on this in this list: "Domain Administrator cannot map Samba Share from Windows 7"). So, even though logged in as the Domain Administrator I started mapping the Samba shares with another domain user's credentials. That worked.

However, I believe when I change the password for that domain user, the Samba mapping on the SQL Server host does not use the new credentials. I noticed that I was able to use the new credentials for a week or more at a time as long as I didn't log onto the SQL Server host as the Domain Administrator. But, shortly after logging into the SQL Server host as the Domain Administrator I got the locked out message. My guess is that the SQL Server host repeatedly attempted to reconnect the mapped drive using the now expired credentials until the max number of failed attempts was exceeded. Just a guess as there are no log messages about this on the AD/DC or the Samba share host.

You (Rowland) mention, "you really need Samba 4.7.0 onwards to get the authentication attempts in the logs". I do currently get actual login attempt failures in the samba log, but apparently not share mapping attempts. I'll likely stick with 4.4.16 as that is the current release for my distro, but I do look forward to more logging in a future upgrade.

Meanwhile, I've unmapped all the mapped drives from the SQL Server Administrator account and have taken to logging on to that host as a domain user, not as the Domain Administrator. So far, no lock-out issues even though I've logged into that host numerous times. I still need to test after changing the user PW once again, but I'm giving these current credentials a couple of weeks to be sure of this phase.

--Mark
On Fri, 04 May 2018 13:24:36 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:

> On Mon, 16 Apr 2018 19:46:35 +0100 Rowland Penny <rpenny at samba.org>
> wrote:
> >
> > On Mon, 16 Apr 2018 14:12:02 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > Still having daily problems. Yesterday, again, I reset the user
> > > password from the AD/DC as the domain administrator: samba-tool
> > > user setpassword mark
> > >
> > > Today, I was unable to log in. The only message in the log.samba
> > > file is:
> > >
> > > [2018/04/16 14:02:12.199145,
> > > 2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
> > > auth_check_password_recv: sam_ignoredomain authentication for user
> > > [HPRS\mark] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT
> > >
> > > There are no preceding messages with invalid passwords, etc. If I
> > > reset the password as domain administrator I get locked out
> > > sometime a day later. This is consistently repeatable.
> > >
> > > How do I fix this? This is an urgent problem.
> > >
> > > If this list is not the right place for this question, please
> > > advise.
> > >
> >
> > The problem is that the locking out probably has nothing to do
> > with the password change, other than the password has been changed.
> >
> > See here for what to check for:
> >
> > https://www.lepide.com/blog/what-are-the-common-root-causes-of-account-lockouts-and-do-i-resolve-them/
> >
> > The other problem is, you really need Samba 4.7.0 onwards to get the
> > authentication attempts in the logs, so it looks like you need to
> > upgrade, but do not upgrade to 4.8.0
> >
> > There is probably something trying to auth with a stale password,
> > but with your Samba version it will be hard to discover what.
> >
> > Rowland
>
> I think I've found the culprit.
>
> I have a Windows 7 SQL Server host. Unfortunately, I was in the
> habit of logging onto that machine as the Domain Administrator, which
> included mapping Samba shares as that user. When I changed the Samba
> server to be a domain member I was no longer able to map shares from
> this SQL Server as the Domain Administrator (because the domain
> administrator is not a member of Domain Users. I posted a thread on
> this in this list: "Domain Administrator cannot map Samba Share from
> Windows 7"). So, even though logged in as the Domain Administrator I
> started mapping the Samba shares with another domain user's
> credentials. That worked.
>
> However, I believe when I change the password for that domain user,
> the Samba mapping on the SQL Server host does not use the new
> credentials. I noticed that I was able to use the new credentials
> for a week or more at a time as long as I didn't log onto the SQL
> Server host as the Domain Administrator. But, shortly after logging
> into the SQL Server host as the Domain Administrator I got the locked
> out message. My guess is that the SQL Server host repeatedly
> attempted to reconnect the mapped drive using the now expired
> credentials until the max number of failed attempts was exceeded.
> Just a guess as there are no log messages about this on the AD/DC or
> the Samba share host.

I did ask if something was using the wrong password, this is usually the reason for locked accounts.

>
> You (Rowland) mention, "you really need Samba 4.7.0 onwards to get the
> authentication attempts in the logs". I do currently get actual
> login attempt failures in the samba log, but apparently not share
> mapping attempts. I'll likely stick with 4.4.16 as that is the
> current release for my distro, but I do look forward to more logging
> in a future upgrade.

You really need to consider if using Slackware is such a good idea. I know the basis behind it, the packages it offers have had all the bugs ironed out. I wish this was true, it isn't.

As far as Samba is concerned, the 4.4 series is EOL and will not get any further updates. So if you need something that has been added to later versions, you have to rely on Slackware backporting it.

I see that 'slackware-current' has 4.8.1, I would suggest you see if there is any way of using this, but you cannot upgrade to 4.8.1 because of a known bug.

Rowland
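
Added example, not part of the thread and not Samba project code: a small parser for log.samba entries in the two-line format Mark quoted, listing accounts whose NT_STATUS_ACCOUNT_LOCKED_OUT entry has no earlier NT_STATUS_WRONG_PASSWORD entry in the same log, which is the symptom described above. The sample log and the account HPRS\alice are constructed, and entries are assumed to be as written on disk, not re-wrapped by a mail client.

```python
import re
from collections import defaultdict

# Entry header as quoted in the thread: "[2018/04/16 14:02:12.199145,  2] file:line(func)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*\d+\]")
# Failure text as quoted in the thread.
FAILURE = re.compile(
    r"authentication for user \[([^\]]+)\] FAILED with error (NT_STATUS_\w+)")

# Constructed sample in the thread's format; HPRS\alice is a made-up account.
SAMPLE = r"""
[2018/04/16 09:10:01.000001,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\alice] FAILED with error NT_STATUS_WRONG_PASSWORD
[2018/04/16 09:10:05.000001,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\alice] FAILED with error NT_STATUS_WRONG_PASSWORD
[2018/04/16 09:10:09.000001,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\alice] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT
[2018/04/16 14:02:12.199145,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\mark] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT
"""

def parse_failures(text):
    """Yield (timestamp, user, status) for every failed authentication entry."""
    stamp = None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            stamp = header.group(1)   # body follows on this or the next line
        failure = FAILURE.search(line)
        if failure and stamp:
            yield stamp, failure.group(1), failure.group(2)

def unexplained_lockouts(text):
    """Map user -> time of first lockout that no logged wrong password precedes."""
    wrong = defaultdict(int)
    first_lockout = {}
    for stamp, user, status in parse_failures(text):
        key = user.lower()            # account names are case-insensitive
        if status == "NT_STATUS_WRONG_PASSWORD":
            wrong[key] += 1
        elif status == "NT_STATUS_ACCOUNT_LOCKED_OUT" and key not in first_lockout:
            first_lockout[key] = (stamp, wrong[key])
    return {u: s for u, (s, n) in first_lockout.items() if n == 0}

if __name__ == "__main__":
    for user, when in unexplained_lockouts(SAMPLE).items():
        print(f"{user}: locked out at {when} with no wrong-password entry in this log")
```

For an account listed here, the failed attempts were not recorded in this log, so the next place to look is any host holding saved credentials for that account, such as the mapped drives on the SQL Server host in this thread.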