Hello, I have set up audit logging and I find many entries of this type : ./auth/auth_log.c:760(log_authentication_event_human_readable) Auth: [SMB2,(null)] user [MYDOMAIN]\[MYWORKSTATION$] at [mar., 23 juil. 2019 07:49:43.486619 -03] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MYWORKSTATION] remote host [ipv4:10.x.x.x:49472] mapped to [MYDOMAIN]\[MYWORKSTATION$]. local host What does it mean ? When a domain user connect to the share, I find entries of this type : ../auth/auth_log.c:760(log_authentication_event_human_readable) Auth: [SMB2,(null)] user [MYDOMAIN]\[user1] at [mar., 23 juil. 2019 11:03:23.304088 -03] with [NTLMv2] status [NT_STATUS_OK] workstation [MYWORKSTATION] remote host [ipv4:10.x.x.x:50090] became [MYDOMAIN]\[user1] EdG
On 24/07/2019 15:31, Edouard Guign? via samba wrote:> Hello, > > I have set up audit logging and I find many entries of this type : > > ./auth/auth_log.c:760(log_authentication_event_human_readable) Auth: > [SMB2,(null)] user [MYDOMAIN]\[MYWORKSTATION$] at [mar., 23 juil. 2019 > 07:49:43.486619 -03] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] > workstation [MYWORKSTATION] remote host [ipv4:10.x.x.x:49472] mapped > to [MYDOMAIN]\[MYWORKSTATION$]. local host > > What does it mean ?I would have thought that this was obvious, a computer has connected to the domain, you are aware that a computer is just a user with an extra objectclass and extra attributes ? Rowland
I ask because I would like to be reassured about it, because there are so many entries of this type in my logs. The windows workstations are joined to the domain. At users sessions log on, a script mounts the samba share on each windows users sessions. I do not understand why a workstation joined to the domain tries to auth against samba ; because only domain users can auth successfully against my samba server. EdG Le 24/07/2019 ? 11:46, Rowland penny via samba a ?crit?:> On 24/07/2019 15:31, Edouard Guign? via samba wrote: >> Hello, >> >> I have set up audit logging and I find many entries of this type : >> >> ./auth/auth_log.c:760(log_authentication_event_human_readable) Auth: >> [SMB2,(null)] user [MYDOMAIN]\[MYWORKSTATION$] at [mar., 23 juil. >> 2019 07:49:43.486619 -03] with [NTLMv2] status >> [NT_STATUS_NO_SUCH_USER] workstation [MYWORKSTATION] remote host >> [ipv4:10.x.x.x:49472] mapped to [MYDOMAIN]\[MYWORKSTATION$]. local host >> >> What does it mean ? > I would have thought that this was obvious, a computer has connected > to the domain, you are aware that a computer is just a user with an > extra objectclass and extra attributes ? > > Rowland > > > > >