On Sat, 2019-01-19 at 13:37 -0500, Mark Foley via samba wrote:> I sure could use some help on this. Perhaps this problem is due to a > recent Windows update? > > Furthermore, when I do actually log into this computer as 'mark' and > enter the correct PW, it > works fine, no Auth errors. > > Could someone point me in the right direction for research?Turn up the Samba log level further so you get the Kerberos: messages from the internal Heimdal KDC. That may help us see what is going wrong. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
On Sun, 20 Jan 2019 08:06:26 +1300 Andrew Bartlett wrote:> > On Sat, 2019-01-19 at 13:37 -0500, Mark Foley via samba wrote: > > I sure could use some help on this. Perhaps this problem is due to a > > recent Windows update? > > > > Furthermore, when I do actually log into this computer as 'mark' and > > enter the correct PW, it > > works fine, no Auth errors. > > > > Could someone point me in the right direction for research? > > Turn up the Samba log level further so you get the Kerberos: messages > from the internal Heimdal KDC. That may help us see what is going > wrong. > > Andrew Bartlett > --Andrew, added kerberos:10 to samba Log Level. Got the following: [2019/01/19 16:12:48.582972, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: AS-REQ mark at HPRS from ipv4:192.168.0.4:63581 for krbtgt/HPRS at HPRS [2019/01/19 16:12:48.584099, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Client sent patypes: encrypted-timestamp, 128 [2019/01/19 16:12:48.584109, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for PKINIT pa-data -- mark at HPRS [2019/01/19 16:12:48.584113, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Client (mark at HPRS) is locked out I've not seen the syntax mark at OHPRS before. Is this legit? Normally, I see HPRS\mark where HPRS is the domain (hprs.local) and mark is the user. Does this provide some clues? Is something messed up with my kerberos settings? --Mark
On Sat, 19 Jan 2019 16:26:21 -0500 Mark Foley via samba <samba at lists.samba.org> wrote:> On Sun, 20 Jan 2019 08:06:26 +1300 Andrew Bartlett wrote: > > > > On Sat, 2019-01-19 at 13:37 -0500, Mark Foley via samba wrote: > > > I sure could use some help on this. Perhaps this problem is due > > > to a recent Windows update? > > > > > > Furthermore, when I do actually log into this computer as 'mark' > > > and enter the correct PW, it > > > works fine, no Auth errors. > > > > > > Could someone point me in the right direction for research? > > > > Turn up the Samba log level further so you get the Kerberos: > > messages from the internal Heimdal KDC. That may help us see what > > is going wrong. > > > > Andrew Bartlett > > -- > > Andrew, added kerberos:10 to samba Log Level. Got the following: > > > [2019/01/19 16:12:48.582972, > 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) > Kerberos: AS-REQ mark at HPRS from ipv4:192.168.0.4:63581 for > krbtgt/HPRS at HPRS >To me, it looks like something is trying to kinit as 'mark at HPRS', which, as your original post shows, is getting mapped to '[HPRS]\[mark]', that post also shows that it is getting '[NT_STATUS_WRONG_PASSWORD]', enough of these and the account gets locked out. I think you need to find what is trying to kinit and stop it, or make it use the correct authentication. Failing that, you could try the universal Windows fix, reinstall Windows ;-) Rowland