Mark Foley
2018-Jun-06 17:48 UTC
[Samba] Why am I getting login failures for domain members?
No ideas on this? Anybody?

--Mark

-----Original Message-----
Date: Tue, 29 May 2018 09:27:36 -0400
Organization: Ohio Highway Patrol Retirement System
To: samba at lists.samba.org
Subject: [Samba] Why am I getting login failures for domain members?

Every so often I get a message in /var/log/samba/log.samba as follows:

2018/05/26 13:44:25.172415, 2] authentication for user [HPRS/LABRAT$] FAILED with error NT_STATUS_WRONG_PASSWORD

Normally, I get this when a user types in the wrong password. However, in this case LABRAT$ is not a user but rather a Linux domain member computer. This happens periodically on every Linux domain member on the domain.

Why? Is it a problem? Is there something I can do to fix this?

--Mark
lingpanda101
2018-Jun-06 19:39 UTC
[Samba] Why am I getting login failures for domain members?
On 6/6/2018 1:48 PM, Mark Foley via samba wrote:
> No ideas on this? Anybody?
>
> --Mark
>
> -----Original Message-----
> Date: Tue, 29 May 2018 09:27:36 -0400
> Organization: Ohio Highway Patrol Retirement System
> To: samba at lists.samba.org
> Subject: [Samba] Why am I getting login failures for domain members?
>
> Every so often I get a message in /var/log/samba/log.samba as follows:
>
> 2018/05/26 13:44:25.172415, 2] authentication for user [HPRS/LABRAT$] FAILED with error NT_STATUS_WRONG_PASSWORD
>
> Normally, I get this when a user types in the wrong password. However, in this case LABRAT$ is
> not a user but rather a Linux domain member computer. This happens periodically on every Linux
> domain member on the domain.
>
> Why? Is it a problem? Is there something I can do to fix this?
>
> --Mark
>

Mark,

I don't have any Linux members but it isn't uncommon to see this log for windows devices. A case where I would expect to see this if the machine was off for 30+ days and then turned on. If memory serves me this is negotiated every 30 days via the default domain policy.

Anything in the syslog files of your member computers? I would look around the time stamp of the authentication request. Is it when it's powered on?

-James
Mark Foley
2018-Jun-07 04:43 UTC
[Samba] Why am I getting login failures for domain members?
On Wed, 6 Jun 2018 15:39:22 -0400 lingpanda101 <lingpanda101 at gmail.com> wrote:
>
> On 6/6/2018 1:48 PM, Mark Foley via samba wrote:
> > No ideas on this? Anybody?
> >
> > --Mark
> >
> > -----Original Message-----
> > Date: Tue, 29 May 2018 09:27:36 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: samba at lists.samba.org
> > Subject: [Samba] Why am I getting login failures for domain members?
> >
> > Every so often I get a message in /var/log/samba/log.samba as follows:
> >
> > 2018/05/26 13:44:25.172415, 2] authentication for user [HPRS/LABRAT$] FAILED with error NT_STATUS_WRONG_PASSWORD
> >
> > Normally, I get this when a user types in the wrong password. However, in this case LABRAT$ is
> > not a user but rather a Linux domain member computer. This happens periodically on every Linux
> > domain member on the domain.
> >
> > Why? Is it a problem? Is there something I can do to fix this?
> >
> > --Mark
> >
> Mark,
>
> I don't have any Linux members but it isn't uncommon to see this
> log for windows devices. A case where I would expect to see this if the
> machine was off for 30+ days and then turned on. If memory serves me
> this is negotiated every 30 days via the default domain policy.
>
> Anything in the syslog files of your member computers? I would look
> around the time stamp of the authentication request. Is it when it's
> powered on?
>
> -James
>

James - thanks for your reply. Actually, most of the office workstations are Windows 7 and I've never seen this message from a Windows 7 domain member. All the Linux domain members do generate this message. None of the workstations are ever turned off. This message occurs much more frequently than 30 days, from 6 to 9 times a month, sometimes twice in the same day.

I checked the syslog as you suggested and there is an interesting correlation.
At the same time the Samba AD/DC logs the message shown in my post, I get the following in syslog:

Jun 4 18:47:02 ccarter winbindd[1359]: [2018/06/04 18:47:02.059311, 0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
Jun 4 18:47:02 ccarter winbindd[1359]: kerberos_kinit_password CCARTER$@HPRS.LOCAL failed: Preauthentication failed

Interestingly, ahead of these two messages are the following:

Jun 4 18:43:08 ccarter winbindd[1359]: [2018/06/04 18:43:08.051810, 0] ../source3/libsmb/trusts_util.c:272(trust_pw_change)
Jun 4 18:43:08 ccarter winbindd[1359]: 2018/06/04 18:43:08 : trust_pw_change(HPRS): Verified old password remotely using netlogon_creds_cli:CLI[CCARTER/CCARTER$]/SRV[MAIL/HPRS]
Jun 4 18:43:08 ccarter winbindd[1359]: [2018/06/04 18:43:08.064049, 0] ../source3/libsmb/trusts_util.c:314(trust_pw_change)
Jun 4 18:43:08 ccarter winbindd[1359]: 2018/06/04 18:43:08 : trust_pw_change(HPRS): Changed password locally
Jun 4 18:43:08 ccarter winbindd[1359]: [2018/06/04 18:43:08.910921, 0] ../source3/libsmb/trusts_util.c:330(trust_pw_change)
Jun 4 18:43:08 ccarter winbindd[1359]: 2018/06/04 18:43:08 : trust_pw_change(HPRS): Changed password remotely using netlogon_creds_cli:CLI[CCARTER/CCARTER$]/SRV[MAIL/HPRS]
Jun 4 18:43:08 ccarter winbindd[1359]: [2018/06/04 18:43:08.912720, 0] ../source3/libsmb/trusts_util.c:363(trust_pw_change)
Jun 4 18:43:08 ccarter winbindd[1359]: 2018/06/04 18:43:08 : trust_pw_change(HPRS): Verified new password remotely using netlogon_creds_cli:CLI[CCARTER/CCARTER$]/SRV[MAIL/HPRS]

So, something related to winbindd is requesting some sort of password change which, as far as I can tell from the above, succeeds. But the subsequent "Preauthentication" fails.
After that, numerous messages as follows occur at about 5 minute intervals, forever:

Jun 4 18:51:21 ccarter nmbd[1310]: [2018/06/04 18:51:21.891422, 0] ../source3/nmbd/nmbd_namequery.c:109(query_name_response)
Jun 4 18:51:21 ccarter nmbd[1310]: query_name_response: Multiple (2) responses received for a query on subnet 192.168.0.60 for name HPRS<1d>.

Perhaps this is all normal and as expected. Still, why is winbindd requesting a password for the computer itself (CCARTER$)? What is this password? I've certainly never set a computer password (that I know of) and it is certainly not the login user's password.

If this is all "normal", fine, I won't worry about it. But, I'm curious as to what this is about if you or anyone knows, or could direct me to more detail on the web.

THX --Mark