I'm having a very annoying problem I can't figure out.

I've been running Samba4 as our office AD/DC for several years. This is a recent problem. Whenever I Remote Desktop into a particular Windows workstation (192.168.0.4) I get the following message in /var/log/samba/log.samba:

Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[mark at HPRS] at [Thu, 17 Jan 2019 18:43:26.477871 EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.0.4:54315] mapped to [HPRS]\[mark]. local host [NULL]

This message repeats in groups of 3 every 5 minutes for as long as I am logged into this computer.

It does not matter if I am remoting in from another Windows host on the LAN (as domain user 'mark') or if I am logging from a remote, non-domain computer. I am not logging into the target computer as my domain id 'mark'. When logging in from a LAN workstation, I am logged into the original workstation as domain user 'mark', but when logging in from a remote computer I am not user 'mark' on any remote. I am remote desktopping into the target computer as the AD Domain Administrator. So, I don't know where it's getting the "user [(null)]\[mark at HPRS]" bit from.

After some period of time (or some number of "wrong password" messages), my account gets locked out. The next time I try logging in from Remote desktop, or if I try ntlm_auth, I get the following message:

auth_check_password_recv: sam authentication for user [HPRS\mark] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT, authoritative=1
[2019/01/17 00:24:22.733958, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)

At this point I have to go into ADUC and disable and re-enable the user account in order to be able to log back in.

Does anyone have any idea what is going on and how to fix this?

THX --Mark
I sure could use some help on this. Perhaps this problem is due to a recent Windows update?

I have determined that whenever I log into the Windows 7 host DBSERVER from any other Windows 7 computer, whether it be a local domain workstation or an external computer, and regardless of whether the client workstation is logged in as 'mark' or any other user, I have the lockout problem.

As soon as I log into Windows 7 host dbserver as the domain administrator I immediately see series 10 to 15 of the following log.samba messages:

Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[mark at HPRS] at [Sat, 19 Jan 2019 12:18:27.881822 EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.0.4:53914] mapped to [HPRS]\[mark]. local host [NULL]

Then, if I try to log into ANY domain member as user 'mark' I cannot and the log.samba has:

auth_check_password_recv: sam authentication for user [HPRS\mark] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT, authoritative=1
Auth: [SamLogon,network] user [HPRS]\[mark] at [Sat, 19 Jan 2019 12:28:06.590937 EST] with [NTLMv2] status [NT_STATUS_ACCOUNT_LOCKED_OUT] workstation [WIN7VM] remote host [ipv4:192.168.0.4:54336] mapped to [HPRS]\[mark]. local host [ipv4:192.168.0.2:49153] NETLOGON computer [DBSERVER] trust account [DBSERVER$]

The administrator user does not map any drives or otherwise seem to run anything as user 'mark'.

I cannot figure out why something is trying to login/connect as user 'mark' with an invalid password even when logging in as the administrator, not 'mark'.

Furthermore, when I do actually log into this computer as 'mark' and enter the correct PW, it works fine, no Auth errors.

Could someone point me in the right direction for research?

--Mark

-----Original Message-----
Date: Thu, 17 Jan 2019 19:22:16 -0500
To: samba at lists.samba.org
Subject: [Samba] NT_STATUS_ACCOUNT_LOCKED_OUT
On Sat, 19 Jan 2019 13:37:18 -0500 Mark Foley via samba <samba at lists.samba.org> wrote:

> I sure could use some help on this. Perhaps this problem is due to a
> recent Windows update?
>
> I have determined that whenever I log into the Windows 7 host
> DBSERVER from any other Windows 7 computer, whether it be a local
> domain workstation or an external computer, and regardless of whether
> the client workstation is logged in as 'mark' or any other user, I
> have the lockout problem.
>
> As soon as I log into Windows 7 host dbserver as the domain
> administrator I immediately see series 10 to 15 of the following
> log.samba messages:
>
> Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> [(null)]\[mark at HPRS] at [Sat, 19 Jan 2019 12:18:27.881822 EST] with
> [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation
> [(null)] remote host [ipv4:192.168.0.4:53914] mapped to
> [HPRS]\[mark]. local host [NULL]
>
> Then, if I try to log into ANY domain member as user 'mark' I cannot
> and the log.samba has:
>
> auth_check_password_recv: sam authentication for user [HPRS\mark]
> FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT, authoritative=1 Auth:
> [SamLogon,network] user [HPRS]\[mark] at [Sat, 19 Jan 2019
> 12:28:06.590937 EST] with [NTLMv2] status
> [NT_STATUS_ACCOUNT_LOCKED_OUT] workstation [WIN7VM] remote host
> [ipv4:192.168.0.4:54336] mapped to [HPRS]\[mark]. local host
> [ipv4:192.168.0.2:49153] NETLOGON computer [DBSERVER] trust account
> [DBSERVER$]
>
> The administrator user does not map any drives or otherwise seem to
> run anything as user 'mark'.
>
> I cannot figure out why something is trying to login/connect as user
> 'mark' with an invalid password even when logging in as the
> administrator, not 'mark'.
>
> Furthermore, when I do actually log into this computer as 'mark' and
> enter the correct PW, it works fine, no Auth errors.
>
> Could someone point me in the right direction for research?
>
> --Mark
>

If this is only happening with one PC, then you need to check that PC. It looks like something is trying to do something it probably shouldn't. I take it you have run a deep virus scan?

Rowland
On Sat, 2019-01-19 at 13:37 -0500, Mark Foley via samba wrote:

> I sure could use some help on this. Perhaps this problem is due to a
> recent Windows update?
>
> Furthermore, when I do actually log into this computer as 'mark' and
> enter the correct PW, it
> works fine, no Auth errors.
>
> Could someone point me in the right direction for research?

Turn up the Samba log level further so you get the Kerberos: messages from the internal Heimdal KDC. That may help us see what is going wrong.

Andrew Bartlett

--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT           http://catalyst.net.nz/services/samba
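
The "Auth:" records quoted in this thread can be tallied to show which host and service produced the wrong-password attempts that preceded a lockout. The script below is an added example, not part of any message in the thread and not Samba code; the sample lines are constructed in the format shown above, and the user "alice", the host 192.168.0.9 and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# One human-readable "Auth:" record, in the layout quoted in the thread.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^\]]*)\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] with \[(?P<method>[^\]]*)\] status \[(?P<status>[^\]]*)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] remote host \[(?P<remote>[^\]]*)\]"
)

# Constructed sample input (timestamps, ports, alice and 192.168.0.9 are made up).
SAMPLE_LOG = r"""
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[mark at HPRS] at [Sat, 19 Jan 2019 12:18:27.881822 EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.0.4:53914] mapped to [HPRS]\[mark]. local host [NULL]
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[mark at HPRS] at [Sat, 19 Jan 2019 12:18:28.102344 EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.0.4:53915] mapped to [HPRS]\[mark]. local host [NULL]
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[alice at HPRS] at [Sat, 19 Jan 2019 12:19:01.000001 EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.0.9:50001] mapped to [HPRS]\[alice]. local host [NULL]
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[mark at HPRS] at [Sat, 19 Jan 2019 12:18:29.554012 EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.0.4:53916] mapped to [HPRS]\[mark]. local host [NULL]
Auth: [SamLogon,network] user [HPRS]\[mark] at [Sat, 19 Jan 2019 12:28:06.590937 EST] with [NTLMv2] status [NT_STATUS_ACCOUNT_LOCKED_OUT] workstation [WIN7VM] remote host [ipv4:192.168.0.4:54336] mapped to [HPRS]\[mark]. local host [ipv4:192.168.0.2:49153]
"""

def account(raw):
    """Reduce 'mark at HPRS' (as printed on this page), 'mark@HPRS' or 'mark' to 'mark'."""
    return re.split(r"@|\s+at\s+", raw)[0].lower()

def failures_before_lockout(log_text):
    """For each user that reaches ACCOUNT_LOCKED_OUT, count the WRONG_PASSWORD
    records seen before the first lockout, keyed by (remote host, service)."""
    bad, locked = {}, set()
    for m in AUTH_RE.finditer(log_text):
        user = account(m["user"])
        host = m["remote"].rsplit(":", 1)[0]  # drop the ephemeral source port
        if m["status"] == "NT_STATUS_WRONG_PASSWORD" and user not in locked:
            bad.setdefault(user, Counter())[(host, m["service"])] += 1
        elif m["status"] == "NT_STATUS_ACCOUNT_LOCKED_OUT":
            locked.add(user)
    return {user: bad.get(user, Counter()) for user in locked}

if __name__ == "__main__":
    for user, sources in failures_before_lockout(SAMPLE_LOG).items():
        for (host, service), n in sources.most_common():
            print(f"{user}: {n} wrong-password attempts from {host} via {service}")
```

The regex expects each record on a single line, as in the constructed sample; records that a mail client or log viewer has wrapped need to be rejoined first.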