Mark Foley
2018-Jun-07 04:43 UTC
[Samba] Why am I getting login failures for domain members?
On Wed, 6 Jun 2018 15:39:22 -0400 lingpanda101 <lingpanda101 at gmail.com> wrote:
>
> On 6/6/2018 1:48 PM, Mark Foley via samba wrote:
> > No ideas on this? Anybody?
> >
> > --Mark
> >
> > -----Original Message-----
> > Date: Tue, 29 May 2018 09:27:36 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: samba at lists.samba.org
> > Subject: [Samba] Why am I getting login failures for domain members?
> >
> > Every so often I get a message in /var/log/samba/log.samba as follows:
> >
> > 2018/05/26 13:44:25.172415, 2] authentication for user [HPRS/LABRAT$] FAILED with error NT_STATUS_WRONG_PASSWORD
> >
> > Normally, I get this when a user types in the wrong password. However, in this case LABRAT$ is
> > not a user but rather a Linux domain member computer. This happens periodically on every Linux
> > domain member on the domain.
> >
> > Why? Is it a problem? Is there something I can do to fix this?
> >
> > --Mark
> >
> Mark,
>
> I don't have any Linux members but it isn't uncommon to see this
> log for windows devices. A case where I would expect to see this if the
> machine was off for 30+ days and then turned on. If memory serves me
> this is negotiated every 30 days via the default domain policy.
>
> Anything in the syslog files of your member computers? I would look
> around the time stamp of the authentication request. Is it when it's
> powered on?
>
> -James
>

James - thanks for your reply. Actually, most of the office workstations are Windows 7 and I've never seen this message from a Windows 7 domain member. All the Linux domain members do generate this message. None of the workstations are ever turned off. This message occurs much more frequently than 30 days, from 6 to 9 times a month, sometimes twice in the same day.

I checked the syslog as you suggested and there is an interesting correlation.

At the same time the Samba AD/DC logs the message shown in my post, I get the following in syslog:

Jun 4 18:47:02 ccarter winbindd[1359]: [2018/06/04 18:47:02.059311, 0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
Jun 4 18:47:02 ccarter winbindd[1359]: kerberos_kinit_password CCARTER$@HPRS.LOCAL failed: Preauthentication failed

Interestingly, ahead of these two messages are the following:

Jun 4 18:43:08 ccarter winbindd[1359]: [2018/06/04 18:43:08.051810, 0] ../source3/libsmb/trusts_util.c:272(trust_pw_change)
Jun 4 18:43:08 ccarter winbindd[1359]: 2018/06/04 18:43:08 : trust_pw_change(HPRS): Verified old password remotely using netlogon_creds_cli:CLI[CCARTER/CCARTER$]/SRV[MAIL/HPRS]
Jun 4 18:43:08 ccarter winbindd[1359]: [2018/06/04 18:43:08.064049, 0] ../source3/libsmb/trusts_util.c:314(trust_pw_change)
Jun 4 18:43:08 ccarter winbindd[1359]: 2018/06/04 18:43:08 : trust_pw_change(HPRS): Changed password locally
Jun 4 18:43:08 ccarter winbindd[1359]: [2018/06/04 18:43:08.910921, 0] ../source3/libsmb/trusts_util.c:330(trust_pw_change)
Jun 4 18:43:08 ccarter winbindd[1359]: 2018/06/04 18:43:08 : trust_pw_change(HPRS): Changed password remotely using netlogon_creds_cli:CLI[CCARTER/CCARTER$]/SRV[MAIL/HPRS]
Jun 4 18:43:08 ccarter winbindd[1359]: [2018/06/04 18:43:08.912720, 0] ../source3/libsmb/trusts_util.c:363(trust_pw_change)
Jun 4 18:43:08 ccarter winbindd[1359]: 2018/06/04 18:43:08 : trust_pw_change(HPRS): Verified new password remotely using netlogon_creds_cli:CLI[CCARTER/CCARTER$]/SRV[MAIL/HPRS]

So, something related to winbindd is requesting some sort of password change which, as far as I can tell from the above, succeeds. But the subsequent "Preauthentication" fails.

After that, numerous messages as follows occur at about 5 minute intervals, forever:

Jun 4 18:51:21 ccarter nmbd[1310]: [2018/06/04 18:51:21.891422, 0] ../source3/nmbd/nmbd_namequery.c:109(query_name_response)
Jun 4 18:51:21 ccarter nmbd[1310]: query_name_response: Multiple (2) responses received for a query on subnet 192.168.0.60 for name HPRS<1d>.

Perhaps this is all normal and as expected. Still, why is winbindd requesting a password for the computer itself (CCARTER$)? What is this password? I've certainly never set a computer password (that I know of) and it is certainly not the login user's password.

If this is all "normal", fine, I won't worry about it. But, I'm curious as to what this is about if you or anyone knows, or could direct me to more detail on the web.

THX

--Mark
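
Added example (not part of the original thread, and not Samba code): a small log triage script that applies the correlation described above, marking each winbindd "Preauthentication failed" entry by whether the same member logged a remote machine password change shortly before it. The sample lines are constructed in the syslog format quoted in the post; the `year` default and the 10-minute `window` are assumptions of this example, not Samba settings.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the syslog format quoted in the thread (member "ccarter").
# The third line is an invented failure with no rotation before it.
SAMPLE = """\
Jun 4 18:43:08 ccarter winbindd[1359]: 2018/06/04 18:43:08 : trust_pw_change(HPRS): Changed password remotely using netlogon_creds_cli:CLI[CCARTER/CCARTER$]/SRV[MAIL/HPRS]
Jun 4 18:47:02 ccarter winbindd[1359]: kerberos_kinit_password CCARTER$@HPRS.LOCAL failed: Preauthentication failed
Jun 9 02:10:11 ccarter winbindd[1359]: kerberos_kinit_password CCARTER$@HPRS.LOCAL failed: Preauthentication failed
"""

LINE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) winbindd\[\d+\]: (.*)$")
ROTATED = re.compile(r"trust_pw_change\(\w+\): Changed password remotely")
KINIT_FAIL = re.compile(r"kerberos_kinit_password (\S+) failed: Preauthentication failed")


def classify(log_text, year=2018, window=timedelta(minutes=10)):
    """Return [(timestamp, principal, verdict)] for each kinit failure.

    verdict is 'after-rotation' when the same host logged a remote machine
    password change within `window` before the failure, else 'unexplained'.
    Syslog omits the year, so `year` is supplied by the caller (assumption).
    """
    last_rotation = {}  # host -> time of its most recent remote password change
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a winbindd syslog line
        mon, day, clock, host, msg = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        if ROTATED.search(msg):
            last_rotation[host] = ts
            continue
        fail = KINIT_FAIL.search(msg)
        if fail:
            rotated = last_rotation.get(host)
            near = rotated is not None and timedelta(0) <= ts - rotated <= window
            results.append((ts, fail.group(1), "after-rotation" if near else "unexplained"))
    return results


if __name__ == "__main__":
    for ts, principal, verdict in classify(SAMPLE):
        print(ts.isoformat(), principal, verdict)
```

Failures marked "unexplained" are the ones worth comparing against the NT_STATUS_WRONG_PASSWORD entries for the same machine account on the DC.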
Rowland Penny
2018-Jun-07 07:03 UTC
[Samba] Why am I getting login failures for domain members?
On Thu, 07 Jun 2018 00:43:47 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:

> Perhaps this is all normal and as expected. Still, why is winbindd
> requesting a password for the computer itself (CCARTER$)? What is
> this password? I've certainly never set a computer password (that I
> know of) and it is certainly not the login user's password.
>
> If this is all "normal", fine, I won't worry about it. But, I'm
> curious as to what this is about if you or anyone knows, or could
> direct me to more detail on the web.
>

Even computers have passwords in AD and no, you don't set it, it is set for you and is replaced every month.

If you run this on a DC:

ldbsearch -H /var/lib/samba/private/sam.ldb -b dc=samdom,dc=example,dc=com -s sub '(&(objectclass=computer)(name=devstation))' unicodepwd

You can see the encoded password.

Just replace the data with your data.

Rowland
Mark Foley
2018-Jun-07 14:59 UTC
[Samba] Why am I getting login failures for domain members?
On Thu, 7 Jun 2018 08:03:56 +0100 Rowland Penny wrote:
>
> On Thu, 07 Jun 2018 00:43:47 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > Perhaps this is all normal and as expected. Still, why is winbindd
> > requesting a password for the computer itself (CCARTER$)? What is
> > this password? I've certainly never set a computer password (that I
> > know of) and it is certainly not the login user's password.
> >
> > If this is all "normal", fine, I won't worry about it. But, I'm
> > curious as to what this is about if you or anyone knows, or could
> > direct me to more detail on the web.
> >
>
> Even computers have passwords in AD and no, you don't set it, it is set
> for you and is replaced every month.
>
> If you run this on a DC:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b
> dc=samdom,dc=example,dc=com -s sub
> '(&(objectclass=computer)(name=devstation))' unicodepwd
>
> You can see the encoded password.
>
> Just replace the data with your data.
>
> Rowland

Hmmm, OK then I guess it's normal. I ran your ldbsearch command and did get back a value. I've no intention of replacing it.

A bit puzzling about the "every month" bit. As mentioned in my OP, I'm seeing this from between 5 and 9 times a month per Linux workstation, sometimes twice in the same day. Could be my older version of samba (4.4.16), but in any case I'll not worry about it.

Thanks,

--Mark