[Samba] Winbind generating a lot of "Failure Audit" on windows domain controller

Andreas Larsson andreas.larsson at syspartner.se
Tue May 12 12:42:52 GMT 2009

Hi List,

I'm evaluating the use of samba/winbind to join our Linux hosts into Active Directory. We use win2k3 R2 with rfc2307 schema fields populated on the server side. For the most part the project is humming along nicely.

A couple of days ago I noticed that the domain controllers get spammed with a lot of messages in the event log. The events look like this:

Failure Audit  - Security - 675

Pre-Authentication failed:
		User Name:			machineaccount$
		User ID:				DOMAIN\machineaccount$
		Service Name:			krgtgt/DOMAIN
		Pre-Authentication type:	0x0
		Failure Code:			0x19
		Client Address:			ipofclient

This message is not fatal in any way, all it means is that the client did not pre-authenticate itself to the domain controller. The domain controller responds to the client that it needs pre-auth to proceed, the client then supplies the pre-auth info. So the "error" in itself is quite harmless, my concern is that it's appearing a bit too often. Some clients log this message to the domain controller up to 10-20 times a minute, could this indicate that something is broken?

My other concern is that this message will totally flood the logs of the domain controllers in the event of a full scale rollout on all Linux clients.

The solution I believe is to always send KRB5_PADATA_ENC_TIMESTAMP as pre-auth when connecting to an Active Directory domain controller. I have searched for a config option to enable this behavior without finding one. I have also searched the source code to see where the connection to the domain controller is set up. I have however been unsuccessful in figuring out how I tell sasl to make the connection using pre-auth.

Unless I have misunderstood my problem I believe this will benefit anyone that integrates their samba machines into Active Directory.

Other solutions I found via google solve the problem by disabling pre-auth altogether. This solution is totally unacceptable from a security point of view.

For reference I have used samba 3.2.5 from debian lenny and samba 3.3.3 from lenny backports to test this.

Any answers on how to proceed would be appreciated.

Andreas Larsson
SysPartner Consulting AB 
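An added example, not part of the original post or of Samba, showing how a defender can triage these audits rather than silence them: it parses a constructed export of event 675 entries, counts failure code 0x19 (KDC_ERR_PREAUTH_REQUIRED, the benign "send pre-auth" reply) per client per minute, flags clients at or above the 10-per-minute rate the post mentions, and separates out other failure codes, which are real failures. The one-line export format, host names and addresses are assumptions made up for the sample.

```python
import re
from collections import defaultdict

# Constructed sample export of event 675 entries, one per line:
# "<timestamp> <user name> <failure code> <client address>". Made-up values, not real log data.
SAMPLE_EVENTS = "\n".join(
    [f"2009-05-12 12:40:{s:02d} hosta$ 0x19 10.0.0.5" for s in range(0, 60, 5)]  # 12 in one minute
    + [
        "2009-05-12 12:40:11 hostb$ 0x19 10.0.0.6",
        "2009-05-12 12:41:30 hostb$ 0x19 10.0.0.6",
        "2009-05-12 12:41:45 hostb$ 0x18 10.0.0.6",  # 0x18 = KDC_ERR_PREAUTH_FAILED: a real failure
        "garbage line that the parser must skip",
    ]
)

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<user>\S+) "
    r"(?P<code>0x[0-9a-fA-F]+) (?P<client>\S+)$"
)
PREAUTH_REQUIRED = "0x19"  # KDC_ERR_PREAUTH_REQUIRED: harmless "pre-auth data needed" reply


def parse_events(text):
    """Parse the export into dicts; malformed lines are skipped instead of raising."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def preauth_required_per_minute(events):
    """Count 0x19 events keyed by (client address, 'YYYY-MM-DD HH:MM')."""
    counts = defaultdict(int)
    for e in events:
        if e["code"].lower() == PREAUTH_REQUIRED:
            counts[(e["client"], e["ts"][:16])] += 1
    return dict(counts)


def noisy_clients(events, per_minute_threshold=10):
    """Clients whose 0x19 rate reaches the threshold in some minute, with their peak rate."""
    peak = defaultdict(int)
    for (client, _minute), n in preauth_required_per_minute(events).items():
        peak[client] = max(peak[client], n)
    return {c: n for c, n in peak.items() if n >= per_minute_threshold}


def real_failures(events):
    """Any code other than 0x19 (e.g. 0x18, wrong key) is a genuine failure worth a look."""
    return [e for e in events if e["code"].lower() != PREAUTH_REQUIRED]
```

A host that repeatedly hits the threshold is a candidate for a ticket-cache or clock problem to investigate, while the 0x19 noise itself is expected behaviour when the first request carries no pre-auth data.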
