On Wed, 10 Sep 2025 12:25:40 +0200 Luis Peromarta via samba <samba at lists.samba.org> wrote:> Dear all. > > I have a setup where user accounts are blocked after three failed > login attempts. One user is reporting that they are not entering the > wrong password, so I suspect that someone else might be trying to > access their account. > > Where can I investigate or follow up on these failed logins in order > to trace the source of the problem? > > Thank you very much, > > LPHas the users password been changed recently ? If it has, then it could be something like an email client still trying to use the old password, I would still check for this even if the password hasn't been changed recently, it could be something that has been restarted by accident. Otherwise, you will need to turn up the log level on the DCs to see what, if anything, pops out in the logs. Rowland
On 10 Sep 2025 at 12:56 +0200, samba at lists.samba.org <samba at lists.samba.org>, wrote:> > Otherwise, you will need to turn up the log level on the DCs to see > what, if anything, pops out in the logs.I think this is the way. What log level should I increase and would they log per user ? Any links that may help ?
Hi, To add, check: /var/log/auth.log / kernelog / samba logs in /var/log/samba [Debian] SH On 10/09/2025 13.56, Rowland Penny via samba wrote:> On Wed, 10 Sep 2025 12:25:40 +0200 > Luis Peromarta via samba <samba at lists.samba.org> wrote: > >> Dear all. >> >> I have a setup where user accounts are blocked after three failed >> login attempts. One user is reporting that they are not entering the >> wrong password, so I suspect that someone else might be trying to >> access their account. >> >> Where can I investigate or follow up on these failed logins in order >> to trace the source of the problem? >> >> Thank you very much, >> >> LP > Has the users password been changed recently ? > If it has, then it could be something like an email client still trying > to use the old password, I would still check for this even if the > password hasn't been changed recently, it could be something that has > been restarted by accident. > > Otherwise, you will need to turn up the log level on the DCs to see > what, if anything, pops out in the logs. > > Rowland > >-- Sami Hulkko +358 45 8569 319 sahulkko at gmail.com sahulkko at icloud.com