[Samba] Sernet 4.3.X package is no longer free :/
mourik jan heupink
heupink at merit.unu.edu
Thu Oct 8 12:35:20 UTC 2015
Hi Mark, list,
On 10/08/2015 05:29 AM, Mark Foley wrote:
> Maurik,
>
> You are right. I am currently using 4.1.17 and have the same failed login
> messages as you describe. There is, however, a bit more information further down
> in the logfile:
>
> [2015/10/07 16:51:24.076283, 2] authentication for user [HPRS/Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
> auth_check_password_send: Checking password for unmapped user [HPRS]\[Administrator]@[ROVER]
>
> This latter string (with no timestamp, making it hard to find/correlate) does
> give the hostname of the offending computer, but not the IP. Yes, the IP would
> be very useful. In this case ROVER is my personal laptop, but all it gives me is
> the hostname. The IP would indicate if the miscreant was connecting from inside the
> domain (probably OK), or outside the domain (probably very bad). An IP would
> also give us a clue as to which IP[range] to firewall if needed.
>
> --Mark
Yes, agreed. However, for many of the failed logins I see
[username]@[(null)]
I'm guessing that a (null) hostname basically means that it was an ldap
authentication attempt, and not a regular windows pc logon. (interactive
logon, as microsoft seems to call it)
It would be nice if this kind of (in my opinion) vital info could be
logged in more useful way/format. Would not even be much work I guess,
but unfortunately I have no programming skills at all. :-(
Mourik Jan
More information about the samba
mailing list