[Samba] Re: NTLM Problems
Ian Barnes
ian at opteqint.net
Wed Nov 2 07:30:30 GMT 2005
Seems the attachment was removed, my bad.
Here is a copy paste of it.
Log 1
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 2005/10/31
Time: 11:40:34 AM
User: D_ABSA\svc-058-OPTEQ
Computer: S058DS1025002
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: SVC-058-OPTEQ
Source Workstation: CONT
Error Code: 0x0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Log 2
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 2005/10/31
Time: 11:40:34 AM
User: D_ABSA\svc-058-OPTEQ
Computer: S058DS1025002
Description:
Successful Network Logon:
User Name: svc-058-OPTEQ
Domain: D_ABSA
Logon ID: (0x0,0x4BD7994)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: CONT
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.199.12.50
Source Port: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Log 3
Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 2005/10/31
Time: 11:40:34 AM
User: D_ABSA\svc-058-OPTEQ
Computer: S058DS1025002
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: CN=Server,CN=System,DC=ds1,DC=ad,DC=absa,DC=co,DC=za
Handle ID: 104898856
Operation ID: {0,79526330}
Process ID: 544
Process Name: C:\WINDOWS\system32\lsass.exe
Primary User Name: S058DS1025002$
Primary Domain: D_ABSA
Primary Logon ID: (0x0,0x3E7)
Client User Name: svc-058-OPTEQ
Client Domain: D_ABSA
Client Logon ID: (0x0,0x4BD7994)
Accesses: READ_CONTROL
InitializeServer
EnumerateDomains
Undefined Access (no effect) Bit 7
Privileges: -
Properties:
---
samServer
Access Mask: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Log 4
Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 2005/10/31
Time: 11:40:34 AM
User: D_ABSA\svc-058-OPTEQ
Computer: S058DS1025002
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_DOMAIN
Object Name: DC=ds1,DC=ad,DC=absa,DC=co,DC=za
Handle ID: 104901400
Operation ID: {0,79526337}
Process ID: 544
Process Name: C:\WINDOWS\system32\lsass.exe
Primary User Name: S058DS1025002$
Primary Domain: D_ABSA
Primary Logon ID: (0x0,0x3E7)
Client User Name: svc-058-OPTEQ
Client Domain: D_ABSA
Client Logon ID: (0x0,0x4BD7994)
Accesses: READ_CONTROL
ReadOtherParameters
CreateUser
GetLocalGroupMembership
Privileges: -
Properties:
---
domain
READ_CONTROL
ReadOtherParameters
CreateUser
GetLocalGroupMembership
Domain Password & Lockout Policies
lockOutObservationWindow
lockoutDuration
lockoutThreshold
maxPwdAge
minPwdAge
minPwdLength
pwdHistoryLength
pwdProperties
Other Domain Parameters (for use by SAM)
serverState
serverRole
modifiedCount
uASCompat
forceLogoff
domainReplica
oEMInformation
Domain Administer Server
Access Mask: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Log 5
Event Type: Failure Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 577
Date: 2005/10/31
Time: 11:40:34 AM
User: D_ABSA\svc-058-OPTEQ
Computer: S058DS1025002
Description:
Privileged Service Called:
Server: Security Account Manager
Service: Security Account Manager
Primary User Name: S058DS1025002$
Primary Domain: D_ABSA
Primary Logon ID: (0x0,0x3E7)
Client User Name: svc-058-OPTEQ
Client Domain: D_ABSA
Client Logon ID: (0x0,0x4BD7994)
Privileges: SeMachineAccountPrivilege
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Log 6
Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 2005/10/31
Time: 11:40:34 AM
User: D_ABSA\svc-058-OPTEQ
Computer: S058DS1025002
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_USER
Object Name: S-1-5-21-114451664-1017779763-1228766249-154890
Handle ID: 104900128
Operation ID: {0,79526354}
Process ID: 544
Process Name: C:\WINDOWS\system32\lsass.exe
Primary User Name: S058DS1025002$
Primary Domain: D_ABSA
Primary Logon ID: (0x0,0x3E7)
Client User Name: svc-058-OPTEQ
Client Domain: D_ABSA
Client Logon ID: (0x0,0x4BD7994)
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ReadGeneralInformation
ReadPreferences
WritePreferences
ReadLogon
ReadAccount
WriteAccount
ChangePassword (with knowledge of old password)
SetPassword (without knowledge of old password)
ListGroups
Privileges: -
Properties:
---
user
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ReadGeneralInformation
ReadPreferences
WritePreferences
ReadLogon
ReadAccount
WriteAccount
ChangePassword (with knowledge of old password)
SetPassword (without knowledge of old password)
ListGroups
General Information
codePage
countryCode
objectSid
primaryGroupID
sAMAccountName
comment
displayName
Account Restrictions
accountExpires
pwdLastSet
userAccountControl
userParameters
Logon Information
badPwdCount
homeDirectory
homeDrive
lastLogoff
lastLogon
logonCount
logonHours
logonWorkstation
profilePath
scriptPath
Public Information
description
Group Membership
memberOf
Change Password
Reset Password
%{7ed84960-ad10-11d0-8a92-00aa006e0529}
Access Mask: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Log 7
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 628
Date: 2005/10/31
Time: 11:40:34 AM
User: D_ABSA\svc-058-OPTEQ
Computer: S058DS1025002
Description:
User Account password set:
Target Account Name: cont$
Target Domain: D_ABSA
Target Account ID: D_ABSA\cont$
Caller User Name: svc-058-OPTEQ
Caller Domain: D_ABSA
Caller Logon ID: (0x0,0x4BD7994)
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Log 8
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: 2005/10/31
Time: 11:40:34 AM
User: D_ABSA\svc-058-OPTEQ
Computer: S058DS1025002
Description:
Handle Closed:
Object Server: Security Account Manager
Handle ID: 104900128
Process ID: 544
Image File Name: C:\WINDOWS\system32\lsass.exe
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Log 9
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 2005/10/31
Time: 11:40:34 AM
User: D_ABSA\svc-058-OPTEQ
Computer: S058DS1025002
Description:
User Logoff:
User Name: svc-058-OPTEQ
Domain: D_ABSA
Logon ID: (0x0,0x4BD7994)
Logon Type: 3
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----Original Message-----
From: samba-bounces+ian=opteqint.net at lists.samba.org
[mailto:samba-bounces+ian=opteqint.net at lists.samba.org] On Behalf Of Ian
Barnes
Sent: 02 November 2005 09:28 AM
To: 'Andrew Bartlett'
Cc: samba at lists.samba.org
Subject: RE: [Samba] Re: NTLM Problems
Hi,
Even if the client doesn't support Kerberos should I leave that option
enabled in smb.conf?
Attached are the log files, maybe they can help.
Cheers
Ian
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: 02 November 2005 07:03 AM
To: Ian Barnes
Cc: samba at lists.samba.org
Subject: RE: [Samba] Re: NTLM Problems
On Wed, 2005-11-02 at 06:54 +0200, Ian Barnes wrote:
> Okay, I'll remove the realm line if it's not in use. I only fill it in if I'm
> using Kerberos? Or should it be filled in at all times?
You should be using Kerberos. I strongly suggest running
'security=ads'.
> Any idea as to why I could be "falling out" of the domain? It's strange and
> only seems to be our unit that is doing this. All other machines that log
> onto the domain don't have this problem.
See if there are clues in the DC-side event log.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
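
Added example, not part of the original thread: one way to read a paste like the DC-side events above is to group them by logon session ID and pull out the failure audits and machine-account password sets. The function names and the abridged SAMPLE are assumptions made for this sketch; the field names and values are taken from the events as pasted.

```python
import re
from collections import defaultdict
# Abridged from the events pasted in this message; field names as on the page.
SAMPLE = """\
Log 2
Event Type: Success Audit
Event ID: 540
Logon ID: (0x0,0x4BD7994)
Log 5
Event Type: Failure Audit
Event ID: 577
Primary Logon ID: (0x0,0x3E7)
Client Logon ID: (0x0,0x4BD7994)
Privileges: SeMachineAccountPrivilege
Log 7
Event Type: Success Audit
Event ID: 628
Target Account Name: cont$
Caller User Name: svc-058-OPTEQ
Caller Logon ID: (0x0,0x4BD7994)
"""
SESSION_KEYS = ("Logon ID", "Client Logon ID", "Caller Logon ID")

def parse_events(text):
    """Split on 'Log N' markers; read 'Key: value' lines into one dict per event."""
    events = []
    for chunk in re.split(r"^Log \d+[ \t]*$", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields.setdefault(key.strip(), value.strip())
        if "Event ID" in fields:
            events.append(fields)
    return events

def correlate(text):
    """Group event IDs by logon session and note failures and machine password sets."""
    sessions = defaultdict(lambda: {"ids": [], "notes": []})
    for ev in parse_events(text):
        sid = next((ev[k] for k in SESSION_KEYS if ev.get(k, "-") != "-"), None)
        entry = sessions[sid]
        entry["ids"].append(ev["Event ID"])
        if ev.get("Event Type") == "Failure Audit":
            entry["notes"].append(f"{ev['Event ID']} failure: {ev.get('Privileges', '-')}")
        target = ev.get("Target Account Name", "")
        if ev["Event ID"] == "628" and target.endswith("$"):
            entry["notes"].append(f"628 set password on {target} by {ev.get('Caller User Name')}")
    return dict(sessions)
```

Run over the full paste, events that carry no logon ID of their own (680 and 562 here) are grouped under the key None, and the Primary Logon ID of lsass is deliberately not used as a session key.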