[Samba] possible to deactivate pre-authentication on the Linux (or Windows) - Please help

Rob Townley rob.townley at gmail.com
Tue Mar 15 18:44:55 MDT 2011


On Wed, Mar 9, 2011 at 12:33 AM, Sharik M <sharikonline at yahoo.com> wrote:
> Dear Friend,
>
>
> Is it possible to deactivate pre-authentication on the Linux (or
> Windows) side to avoid these messages?
>
> Because I am getting a lot of errors in the Windows 2003 domain.
>
> Hi,
>
> When validating users on my Linux system against an Active Directory,
> the Windows event log is filled with messages like these (Windows
> Event ID 675):
>
> Pre-authentication failed:
> User Name: linux$
> User ID: KK\linux$
> Service Name: krbtgt/KK.LOCAL
> Pre-Authentication Type: 0x0
> Failure Code: 0x19
> Client Address: 1.2.3.4
>
>
> (1.2.3.4 is the IP address of the Linux machine, LINUX the hostname of
> the Linux machine).
>
> The message above comes at every request from the Linux machine (every 5
> minutes on this installation). If I am validating a user, the same
> message is shown for the user like this (user name validated=test):
>
> Pre-authentication failed:
> User Name: test$
> User ID: KK\test$
> Service Name: krbtgt/KK.LOCAL
> Pre-Authentication Type: 0x0
> Failure Code: 0x19
> Client Address: 1.2.3.4
>
> Messages logged on behalf of a user may be disabled by deactivating
> pre-authentication for each user. But I cannot find any place in
> Active Directory to disable it for the machine account.
>
> What is missing?
>
> Is it possible to deactivate pre-authentication on the Linux (or
> Windows) side to avoid these messages?

Although annoying, these are not necessarily all that bad of audit
entries because it may be trying different methods of authenticating.
The first one fails, so it tries a more difficult one.
I wonder if it would be better to attempt a reset of the machine
account password from AD, then setting DONT_REQ_PREAUTH.

You can change it via adsiedit or adexplorer.exe
DONT_REQ_PREAUTH

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B305144
ms-DS-User-Account-Control-Computed

P.S. I typed this 5 days ago and just found it was not sent.
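
The triage discussed in this thread, as an added example that is not part of the original messages: it parses Event ID 675 text, separates failure code 0x19 (the KDC asking the client to retry with pre-authentication data) from 0x18 (pre-authentication data sent and rejected), and tests a userAccountControl value for DONT_REQ_PREAUTH. The function names and the third sample record (user `alice`, code 0x18) are constructed for illustration; the first two records are trimmed from the post.

```python
import re

# Kerberos error codes (RFC 4120) as shown in the "Failure Code" field of Event ID 675.
KRB_ERRORS = {0x18: "KDC_ERR_PREAUTH_FAILED", 0x19: "KDC_ERR_PREAUTH_REQUIRED"}
DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit, per KB305144

FIELD = re.compile(r"^\s*([A-Za-z -]+?):\s*(\S.*?)\s*$")

# First two records are trimmed from the post; the third is constructed for contrast.
SAMPLE = r"""
Pre-authentication failed:
User Name: linux$
User ID: KK\linux$
Failure Code: 0x19
Client Address: 1.2.3.4

Pre-authentication failed:
User Name: test$
User ID: KK\test$
Failure Code: 0x19
Client Address: 1.2.3.4

Pre-authentication failed:
User Name: alice
User ID: KK\alice
Failure Code: 0x18
Client Address: 1.2.3.4
"""

def parse_events(text):
    """Return one dict of fields per 'Pre-authentication failed:' record."""
    events, current = [], None
    for line in text.splitlines():
        if line.strip() == "Pre-authentication failed:":
            current = {}
            events.append(current)
        elif not line.strip():
            current = None            # a blank line ends the record
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1).strip()] = m.group(2)
    return events

def triage(event):
    """0x19 is the KDC requesting pre-auth; 0x18 is a rejected pre-auth attempt."""
    code = int(event["Failure Code"], 16)
    verdict = {0x19: "negotiation", 0x18: "investigate"}.get(code, "review")
    return event["User Name"], KRB_ERRORS.get(code, hex(code)), verdict

def preauth_disabled(user_account_control):
    """True if DONT_REQ_PREAUTH is set in a userAccountControl value."""
    return bool(user_account_control & DONT_REQ_PREAUTH)
```

Filtering on the "negotiation" verdict quiets the log review without changing any account flag, so pre-authentication stays enforced for the machine account.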

