Ah ha! I believe I've solved this. I checked the Windows credentials repository. There was a 'mark' ID and likely an old password stored there. I deleted that credential, rebooted, and no more lock out message.

During the past year, the 'classic' Samba file server was added as a domain member and all domain member workstations then had to use domain credentials for mapping drives. As mentioned, on this particular host I log in as the domain administrator to do things like ADUC. Once upon a time it also mapped a share, but since the dom administrator is not a normal domain user, its credentials didn't work (I posted a thread about that here last year). So, I mapped the drive using a normal domain user's credentials. I've long since NOT mapped that drive and forgot that I had once done that.

Recently, the 'mark' password expired and I had to change it. That's when the trouble started, which makes sense since the credential repository certainly had the old password.

What's interesting is that Windows apparently tries to validate the repository credentials when the admin user logs on even if no mapping is happening. I guess it does that at login time just in case.

--Mark
-----Original Message-----
Date: Sat, 19 Jan 2019 16:38:29 -0500
To: samba at lists.samba.org
Subject: Re: [Samba] NT_STATUS_ACCOUNT_LOCKED_OUT
From: Mark Foley via samba <samba at lists.samba.org>
On Sat, 19 Jan 2019 19:03:58 +0000 Rowland Penny wrote:
> On Sat, 19 Jan 2019 13:37:18 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > I sure could use some help on this. Perhaps this problem is due to a
> > recent Windows update?
> >
> > I have determined that whenever I log into the Windows 7 host
> > DBSERVER from any other Windows 7 computer, whether it be a local
> > domain workstation or an external computer, and regardless of whether
> > the client workstation is logged in as 'mark' or any other user, I
> > have the lockout problem.
> >
> > As soon as I log into Windows 7 host dbserver as the domain
> > administrator I immediately see a series of 10 to 15 of the following
> > log.samba messages:
> >
> > Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > [(null)]\[mark at HPRS] at [Sat, 19 Jan 2019 12:18:27.881822 EST] with
> > [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation
> > [(null)] remote host [ipv4:192.168.0.4:53914] mapped to
> > [HPRS]\[mark]. local host [NULL]
> >
> > Then, if I try to log into ANY domain member as user 'mark' I cannot
> > and the log.samba has:
> >
> > auth_check_password_recv: sam authentication for user [HPRS\mark]
> > FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT, authoritative=1 Auth:
> > [SamLogon,network] user [HPRS]\[mark] at [Sat, 19 Jan 2019
> > 12:28:06.590937 EST] with [NTLMv2] status
> > [NT_STATUS_ACCOUNT_LOCKED_OUT] workstation [WIN7VM] remote host
> > [ipv4:192.168.0.4:54336] mapped to [HPRS]\[mark]. local host
> > [ipv4:192.168.0.2:49153] NETLOGON computer [DBSERVER] trust account
> > [DBSERVER$]
> >
> > The administrator user does not map any drives or otherwise seem to
> > run anything as user 'mark'.
> >
> > I cannot figure out why something is trying to login/connect as user
> > 'mark' with an invalid password even when logging in as the
> > administrator, not 'mark'.
> >
> > Furthermore, when I do actually log into this computer as 'mark' and
> > enter the correct PW, it works fine, no Auth errors.
> >
> > Could someone point me in the right direction for research?
> >
> > --Mark
> >
>
> If this is only happening with one PC, then you need to check that PC.
> It looks like something is trying to do something it probably
> shouldn't, I take it you have run a deep virus scan?
>
> Rowland

Yes, this is the only machine it's happening on. I've tried logging into other domain member workstations as the domain admin, and no such errors/lockout occur.

> It looks like something is trying to do something it probably shouldn't,

Any idea what it could be? This computer has been a Samba4 domain member for about 4 years. It is a server, no email, no network attached drives, no normal users log in except for me as the administrator to occasionally run ADUC and also to occasionally run/configure Acronis backup (which I've now deleted from the system in case that was the problem -- it wasn't); and I log in as 'mark' to run SQL Server Management Studio. As mentioned, when I actually log in as 'mark' I have lockout consequences.

I've sent another response on this to Andrew Bartlett with kerberos logging info.

I have run, and am running now, a virus scan. So far nothing bad found.

--Mark

(Rowland sorry about the partial message sent to your personal account. The send button got away from me)
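
Added example, not part of the original thread and not Samba's own tooling: a small Python triage script that reads `Auth:` audit lines in the format quoted above and reports, for each account that reaches NT_STATUS_ACCOUNT_LOCKED_OUT, which remote hosts sent the wrong passwords beforehand. It assumes one audit entry per line (the mail client wrapped the excerpts above); the function names and the sample log, including user `alice` and host 192.168.0.9, are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches Samba "Auth:" audit lines in the format quoted in this thread.
AUTH_RE = re.compile(
    r"Auth: \[[^\]]*\] user \[[^\]]*\]\\\[(?P<user>[^\]]*)\] at \[[^\]]*\]"
    r" with \[[^\]]*\] status \[(?P<status>[^\]]*)\]"
    r".*?remote host \[ipv4:(?P<ip>[\d.]+):\d+\]"
)

def account_name(user):
    """Reduce 'mark@HPRS' (or list-obfuscated 'mark at HPRS') to 'mark'."""
    return re.split(r"@| at ", user)[0].lower()

def stale_credential_sources(lines):
    """Map each locked-out account to the hosts that sent wrong passwords
    for it before its first lockout, with a failure count per host."""
    failures = defaultdict(Counter)
    locked = {}
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue  # not an Auth: audit line
        account, status = account_name(m["user"]), m["status"]
        if account in locked:
            continue  # only the run-up to the first lockout is of interest
        if status == "NT_STATUS_WRONG_PASSWORD":
            failures[account][m["ip"]] += 1
        elif status == "NT_STATUS_ACCOUNT_LOCKED_OUT":
            locked[account] = dict(failures[account])
    return locked

# Constructed sample, modelled on the log.samba excerpts quoted in the thread.
SAMPLE_LOG = r"""
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[mark@HPRS] at [Sat, 19 Jan 2019 12:18:27.881822 EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.0.4:53914] mapped to [HPRS]\[mark]. local host [NULL]
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[mark@HPRS] at [Sat, 19 Jan 2019 12:18:27.901200 EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.0.4:53915] mapped to [HPRS]\[mark]. local host [NULL]
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[alice@HPRS] at [Sat, 19 Jan 2019 12:19:02.100000 EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.0.9:50100] mapped to [HPRS]\[alice]. local host [NULL]
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[mark@HPRS] at [Sat, 19 Jan 2019 12:19:30.000000 EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.168.0.4:53916] mapped to [HPRS]\[mark]. local host [NULL]
Auth: [SamLogon,network] user [HPRS]\[mark] at [Sat, 19 Jan 2019 12:28:06.590937 EST] with [NTLMv2] status [NT_STATUS_ACCOUNT_LOCKED_OUT] workstation [WIN7VM] remote host [ipv4:192.168.0.4:54336] mapped to [HPRS]\[mark]. local host [ipv4:192.168.0.2:49153] NETLOGON computer [DBSERVER] trust account [DBSERVER$]
"""

if __name__ == "__main__":
    for account, hosts in stale_credential_sources(SAMPLE_LOG.splitlines()).items():
        print(account, "locked out; wrong passwords came from", hosts)
```

A single address accounting for every failure before the lockout points at one machine replaying a stored credential, which is where a stale entry in the Windows credential store would show up.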