karel.de.macil at free.fr
2020-Oct-01 17:09 UTC
[Samba] Failed auth attempt i don't understand.
Hi all,

when I try to authenticate against my AD (rdesktop authentication) I get a wrong password/logname message despite my logname and password being exact. In the log I have the following.

Nothing wrong for me.

The only strange thing being the:

stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

line, in particular the second one, because just after things seem to continue with the:

Kerberos: TGS-REQ Administrator at LOCAL.MYDOMAIN from ipv4:192.168.1.23:62418 for host/vr083023.LOCAL.MYDOMAIN at LOCAL.MYDOMAIN [canonicalize, renewable, forwardable]

line.

Can anyone with more knowledge than me have an eye on the log and tell me if he sees anything wrong?

And by the way, under Debian bullseye I can't seem to find any way to get the full log of Samba. Despite this line:

log level = 6;

in my conf I can't seem to obtain the same level of log I get by doing:

samba -i -d 6 --debug-stderr

If anyone knows why, and how I can get my log to this level without launching my Samba in interactive mode, I'm very interested.
best regards

Kerberos: AS-REQ administrator at LOCAL.MYDOMAIN from ipv4:192.168.1.23:62416 for krbtgt/LOCAL.MYDOMAIN at LOCAL.MYDOMAIN
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
Kerberos: Client sent patypes: 128
Kerberos: Looking for PKINIT pa-data -- administrator at LOCAL.MYDOMAIN
Kerberos: Looking for ENC-TS pa-data -- administrator at LOCAL.MYDOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- administrator at LOCAL.MYDOMAIN
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
Kerberos: AS-REQ administrator at LOCAL.MYDOMAIN from ipv4:192.168.1.23:62417 for krbtgt/LOCAL.MYDOMAIN at LOCAL.MYDOMAIN
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- administrator at LOCAL.MYDOMAIN
Kerberos: Looking for ENC-TS pa-data -- administrator at LOCAL.MYDOMAIN
Kerberos: ENC-TS Pre-authentication succeeded -- administrator at LOCAL.MYDOMAIN using arcfour-hmac-md5
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[administrator at LOCAL.MYDOMAIN] at [Thu, 01 Oct 2020 17:54:36.401984 CEST] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.1.23:62417] became [local]\[Administrator] [S-1-5-21-2718981395-2814295682-4030710678-500]. local host [NULL]
{"timestamp": "2020-10-01T17:54:36.402248+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "28970a9c6c2edc2a", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.1.23:62417", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "administrator at LOCAL.MYDOMAIN", "workstation": null, "becameAccount": "Administrator", "becameDomain": "local", "becameSid": "S-1-5-21-2718981395-2814295682-4030710678-500", "mappedAccount": "Administrator", "mappedDomain": "local", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "arcfour-hmac-md5", "duration": 7783}}
authsam_account_ok: Checking SMB password for user administrator at LOCAL.MYDOMAIN
logon_hours_ok: No hours restrictions for user administrator at LOCAL.MYDOMAIN
lastLogonTimestamp is 132456356073698900
sync interval is 14
randomised sync interval is 12 (-2)
old timestamp is 132456356073698900, threshold 132450044764030630, diff 6311309668270
DSDB Change [Modify] at [Thu, 01 Oct 2020 17:54:36.406688 CEST] status [Success] remote host [Unknown] SID [S-1-5-18] DN [CN=Administrator,CN=Users,DC=local,DC=MYDOMAIN] attributes [replace: lastLogon [132460412764030630] replace: logonCount [19748]]
{"timestamp": "2020-10-01T17:54:36.406926+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "CN=Administrator,CN=Users,DC=local,DC=MYDOMAIN", "transactionId": "e1cf2141-8bf3-4100-bec6-d5be17915e3b", "sessionId": "2a7c4038-b378-4335-a7ad-81a8d8999bf4", "attributes": {"lastLogon": {"actions": [{"action": "replace", "values": [{"value": "132460412764030630"}]}]}, "logonCount": {"actions": [{"action": "replace", "values": [{"value": "19748"}]}]}}}}
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
Kerberos: AS-REQ authtime: 2020-10-01T17:54:36 starttime: unset endtime: 2020-10-02T03:54:36 renew till: 2020-10-08T17:54:36
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
Kerberos: TGS-REQ Administrator at LOCAL.MYDOMAIN from ipv4:192.168.1.23:62418 for host/vr083023.LOCAL.MYDOMAIN at LOCAL.MYDOMAIN [canonicalize, renewable, forwardable]
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
Kerberos: TGS-REQ authtime: 2020-10-01T17:54:36 starttime: 2020-10-01T17:54:36 endtime: 2020-10-02T03:54:36 renew till: 2020-10-08T17:54:36
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
On 01/10/2020 18:09, karel de macil via samba wrote:
> Hi all,
>
> when i try to authenticate against my AD (rdesktop authentication) i
> got a wrong password/logname message despite my logname and password
> being exact , in the log i have the following .
>
> Nothing wrong for me.
>
> the only strange thing being the : stream_terminate_connection:
> Terminating connection - 'kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' line
> in particular the second one because just after things seems to
> continue with the :
>
> Kerberos: TGS-REQ Administrator at LOCAL.MYDOMAIN from
> ipv4:192.168.1.23:62418 for
> host/vr083023.LOCAL.MYDOMAIN at LOCAL.MYDOMAIN [canonicalize, renewable,
> forwardable]
>
> line.
>
> Can anyone with more knowledge than me have an eye on the log and tell
> me if he see anything wrong ?
>
>
>
> Kerberos: AS-REQ administrator at LOCAL.MYDOMAIN from
> ipv4:192.168.1.23:62416 for krbtgt/LOCAL.MYDOMAIN at LOCAL.MYDOMAIN

Is this on a DC or a Unix domain member ?

Why are you using Administrator on Unix ?

Might help if we see your smb.conf

Rowland
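Added example, not part of the thread or of Samba: a Python sketch that reads a KDC debug log like the one in the first post, groups its lines into Kerberos exchanges starting at each AS-REQ/TGS-REQ line, and checks the embedded JSON audit records for a status other than NT_STATUS_OK. The sample is abbreviated from the post; the function names, the single-client sequential-log assumption, and reading the `authtime:` line as the KDC building a ticket are assumptions.

```python
import json
import re

# Abbreviated from the log in the first post: gendb_search_v lines dropped and
# the JSON audit record cut down to the fields used here.
SAMPLE_LOG = """\
Kerberos: AS-REQ administrator at LOCAL.MYDOMAIN from ipv4:192.168.1.23:62416 for krbtgt/LOCAL.MYDOMAIN at LOCAL.MYDOMAIN
Kerberos: Client sent patypes: 128
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- administrator at LOCAL.MYDOMAIN
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
Kerberos: AS-REQ administrator at LOCAL.MYDOMAIN from ipv4:192.168.1.23:62417 for krbtgt/LOCAL.MYDOMAIN at LOCAL.MYDOMAIN
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: ENC-TS Pre-authentication succeeded -- administrator at LOCAL.MYDOMAIN using arcfour-hmac-md5
{"timestamp": "2020-10-01T17:54:36.402248+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.168.1.23:62417", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientAccount": "administrator at LOCAL.MYDOMAIN", "passwordType": "arcfour-hmac-md5"}}
Kerberos: AS-REQ authtime: 2020-10-01T17:54:36 starttime: unset endtime: 2020-10-02T03:54:36 renew till: 2020-10-08T17:54:36
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
Kerberos: TGS-REQ Administrator at LOCAL.MYDOMAIN from ipv4:192.168.1.23:62418 for host/vr083023.LOCAL.MYDOMAIN at LOCAL.MYDOMAIN [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2020-10-01T17:54:36 starttime: 2020-10-01T17:54:36 endtime: 2020-10-02T03:54:36 renew till: 2020-10-08T17:54:36
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
"""

# The list archive rewrites "user@REALM" as "user at REALM"; accept both forms.
REQ_RE = re.compile(
    r"Kerberos: (?P<kind>AS-REQ|TGS-REQ) (?P<client>\S+)(?:@| at )(?P<realm>\S+)"
    r" from (?P<peer>\S+) for (?P<service>\S+)(?:@| at )\S+"
)
TIMES_RE = re.compile(r"Kerberos: (?:AS|TGS)-REQ authtime:")
PREAUTH_OK_RE = re.compile(r"Pre-authentication succeeded .* using (\S+)$")
DISCONNECT = "NT_STATUS_CONNECTION_DISCONNECTED"


def parse_exchanges(log):
    """Group log lines into one record per AS-REQ/TGS-REQ request line.

    Assumes a sequential log from a single client, as in the post.
    """
    exchanges, current = [], None
    for line in (raw.strip() for raw in log.splitlines()):
        m = REQ_RE.match(line)
        if m:
            current = dict(m.groupdict(), outcome=None,
                           preauth_etype=None, closed=False)
            exchanges.append(current)
        elif current is None:
            continue
        elif "returning PREAUTH-REQUIRED" in line:
            current["outcome"] = "PREAUTH-REQUIRED"
        elif PREAUTH_OK_RE.search(line):
            current["preauth_etype"] = PREAUTH_OK_RE.search(line).group(1)
        elif TIMES_RE.match(line):
            # Assumption: ticket lifetimes are logged while a reply is built.
            current["outcome"] = "ticket times logged"
        elif line.startswith("stream_terminate_connection:") and DISCONNECT in line:
            current["closed"] = True   # TCP connection for this request ended
            current = None
    return exchanges


def auth_events(log):
    """Return the "Authentication" JSON audit records embedded in the log."""
    events = []
    for line in (raw.strip() for raw in log.splitlines()):
        if not line.startswith("{"):
            continue
        try:
            record = json.loads(line)
        except ValueError:
            continue  # wrapped or truncated JSON line
        if record.get("type") == "Authentication":
            events.append(record["Authentication"])
    return events


def review(log):
    """List what deserves a closer look; an empty list means none found."""
    findings = []
    for ex in parse_exchanges(log):
        if ex["outcome"] is None:
            findings.append(f"{ex['kind']} from {ex['peer']} has no logged outcome")
    for ev in auth_events(log):
        if ev.get("status") != "NT_STATUS_OK":
            findings.append(
                f"{ev.get('clientAccount')} from {ev.get('remoteAddress')}: {ev.get('status')}"
            )
    return findings


if __name__ == "__main__":
    for ex in parse_exchanges(SAMPLE_LOG):
        print(ex["kind"], ex["peer"], "->", ex["service"], "|", ex["outcome"],
              "| connection closed" if ex["closed"] else "| still open")
    print("findings:", review(SAMPLE_LOG) or "none")
```

On the sample, each request arrives from its own source port (62416, 62417, 62418), and each disconnect line follows an exchange that already has a logged outcome.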
karel.de.macil at free.fr
2020-Oct-01 18:06 UTC
[Samba] Failed auth attempt i don't understand.
On 01/10/2020 19:27, Rowland penny via samba wrote:
> On 01/10/2020 18:09, karel de macil via samba wrote:
>> Hi all,
>>
>> when i try to authenticate against my AD (rdesktop authentication) i
>> got a wrong password/logname message despite my logname and password
>> being exact , in the log i have the following .
>>
>> Nothing wrong for me.
>>
>> the only strange thing being the : stream_terminate_connection:
>> Terminating connection - 'kdc_tcp_call_loop:
>> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' line
>> in particular the second one because just after things seems to
>> continue with the :
>>
>> Kerberos: TGS-REQ Administrator at LOCAL.MYDOMAIN from
>> ipv4:192.168.1.23:62418 for
>> host/vr083023.LOCAL.MYDOMAIN at LOCAL.MYDOMAIN [canonicalize, renewable,
>> forwardable]
>>
>> line.
>>
>> Can anyone with more knowledge than me have an eye on the log and tell
>> me if he see anything wrong ?
>>
>>
>>
>> Kerberos: AS-REQ administrator at LOCAL.MYDOMAIN from
>> ipv4:192.168.1.23:62416 for krbtgt/LOCAL.MYDOMAIN at LOCAL.MYDOMAIN
>
> Is this on a DC or a Unix domain member ?

This is a remote desktop attempt on a computer which is in the domain managed by the DC from which I get the log.

> Why are you using Administrator on Unix ?

This is the default administrator account in samba4 but the behavior is the same with any account.

> Might help if we see your smb.conf

[global]
    netbios name = DC-TEST
    realm = LOCAL.MYDOMAIN
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
    workgroup = IETR
    idmap_ldb:use rfc2307 = yes
    dns forwarder = 129.20.128.39
    allow dns updates = nonsecure
    dns update command=/usr/sbin/samba_dnsupdate --use-samba-tool
    restrict anonymous = 2
    printcap name = /dev/null
    load printers = no
    disable spoolss = yes
    printing = bsd
    log level = 6 #auth_audit:10@/var/log/samba/log.auth_audit
    disable netbios = yes
    smb ports = 445

[netlogon]
    path = /var/lib/samba/sysvol/local.mydomain/scripts
    read only = No
    vfs objects = full_audit

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
    vfs objects = full_audit

> Rowland
karel.de.macil at free.fr
2020-Oct-02 11:25 UTC
[Samba] Failed auth attempt i don't understand.
On 01/10/2020 19:09, karel de macil via samba wrote:
> Hi all,
>
> when i try to authenticate against my AD (rdesktop authentication) i
> got a wrong password/logname message despite my logname and password
> being exact , in the log i have the following .
>
> Nothing wrong for me.
>

With more tests, this happened with both physical or network connection on WINDOWS 10 BUT with Windows 7 all still works fluently. If this rings any bells to anyone.

> the only strange thing being the : stream_terminate_connection:
> Terminating connection - 'kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' line
> in particular the second one because just after things seems to
> continue with the :
>
> Kerberos: TGS-REQ Administrator at LOCAL.MYDOMAIN from
> ipv4:192.168.1.23:62418 for
> host/vr083023.LOCAL.MYDOMAIN at LOCAL.MYDOMAIN [canonicalize, renewable,
> forwardable]
>
> line.
>
> Can anyone with more knowledge than me have an eye on the log and tell
> me if he see anything wrong ?
>
> and by the way ,under debian bullseye i can't seems to find anyway to
> get the full log of samba.
> despite this line :
> log level = 6;
> in my conf i can't seems to obtain the same level of log i get by doing
> :
>
> samba -i -d 6 --debug-stderr
>
> if anyone know why, and how i can get my log to this level without
> launching my samba in interactive mode , i'm very interested.
I've seen something similar here.

Does this happen if you try to connect to a PC where you already are logged in?
If yes, logout, test again.
If no, reboot the PC and test again.
What is the exact message you see?
(optional: PM me the print screen)
I do/did get some 0x... Message when trying to login on first attempt.
The second always worked for me.

And look up the Windows events.
Or are we talking here about RDP on Linux workstations? ;-)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> karel de macil via samba
> Sent: Friday 2 October 2020 13:25
> To: karel.de.macil at free.fr
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Failed auth attempt i don't understand.
>
> On 01/10/2020 19:09, karel de macil via samba wrote:
> > Hi all,
> >
> > when i try to authenticate against my AD (rdesktop authentication) i
> > got a wrong password/logname message despite my logname and password
> > being exact , in the log i have the following .
> >
> > Nothing wrong for me.
> >
>
> with more test this happened with both physical or network connection on
> WINDOWS 10 BUT with windows 7 all still work fluently. If this ring any
> bells to anyone.
>
> > the only strange thing being the : stream_terminate_connection:
> > Terminating connection - 'kdc_tcp_call_loop:
> > tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' line
> > in particular the second one because just after things seems to
> > continue with the :
> >
> > Kerberos: TGS-REQ Administrator at LOCAL.MYDOMAIN from
> > ipv4:192.168.1.23:62418 for
> > host/vr083023.LOCAL.MYDOMAIN at LOCAL.MYDOMAIN [canonicalize, renewable,
> > forwardable]
> >
> > line.
> >
> > Can anyone with more knowledge than me have an eye on the log and tell
> > me if he see anything wrong ?
> >
> > and by the way ,under debian bullseye i can't seems to find anyway to
> > get the full log of samba.
karel.de.macil at free.fr
2020-Oct-02 12:51 UTC
[Samba] Failed auth attempt i don't understand.
On 02/10/2020 13:58, L.P.H. van Belle via samba wrote:
> Ive seen something simular here.
>
> Does this happen if you try to connect to a PC where you already are
> logged in.
> If yes, logout, test again.
> If no, reboot the pc and test again.

Just have done it. And it works... Hours spent on this one. Maybe bound to the fact that the FSMO have changed recently.

> What is the exact message you see.
> (optinal PM me the print screen)
> I do/did get some 0x... Message when trying to login on first attempt.
> The second always worked for me.
>
> And lookup the windows events.
> Or are we talking here about RDP on linux workstations? ;-)
>
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> karel de macil via samba
>> Sent: Friday 2 October 2020 13:25
>> To: karel.de.macil at free.fr
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] Failed auth attempt i don't understand.
>>
>> On 01/10/2020 19:09, karel de macil via samba wrote:
>> > Hi all,
>> >
>> > when i try to authenticate against my AD (rdesktop authentication) i
>> > got a wrong password/logname message despite my logname and password
>> > being exact , in the log i have the following .
>> >
>> > Nothing wrong for me.
>> >
>>
>> with more test this happened with both physical or network connection on
>> WINDOWS 10 BUT with windows 7 all still work fluently. If this ring any
>> bells to anyone.
>>
>> > the only strange thing being the : stream_terminate_connection:
>> > Terminating connection - 'kdc_tcp_call_loop:
>> > tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' line
>> > in particular the second one because just after things seems to
>> > continue with the :
>> >
>> > Kerberos: TGS-REQ Administrator at LOCAL.MYDOMAIN from
>> > ipv4:192.168.1.23:62418 for
>> > host/vr083023.LOCAL.MYDOMAIN at LOCAL.MYDOMAIN [canonicalize, renewable,
>> > forwardable]
>> >
>> > line.