[Samba] Sudden authentication failures, hex dumps in log.samba

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Fri May 10 05:04:34 MDT 2013


In a leap of faith, I decided to relax the iptables rules on our Samba
DC (4.0.5) on Wednesday, permitting some of our production clients to
actually authenticate against it (in addition to our W2k3R2 DC). After
all, there are no replication errors and no errors either in log.samba
or Windows event log, so things _should've_ been generally working, and
various test clients also have had no problems.

To limit the fallout of potential failures I chose to do this on the eve
of the Ascension Day (a public holiday where I live), knowing that
almost all people would be off work on the following day, and that many
people would also be having an extra day off today.

Alas, things didn't go entirely smoothly. One person, who had come to
work on Thursday afternoon despite the holiday, complained to me that he
was having login problems (wrong username or password) and that only
after first (successfully) logging on to a different workstation he, on
a second attempt, managed to log on to his normal workstation. He also
said that these problems had been repeated this morning.

Given this information, I investigated log.samba and found the following:

[2013/05/09 12:39:57,  0] ../lib/util/util.c:457(dump_data)
  [0000] 00 00 00 00 62 00 00 00   00 00 00 00 20 00 20 00   ....b... .... . .
  [0010] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0020] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0030] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0040] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0050] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
  [0060] 20 00 20 00 20 00 20 00   20 00 20 00 50 00 00      . . . .  . .P..

That hexdump with exactly the same contents was repeated 10 times
yesterday afternoon and another 31 times this morning. The times of the
dumps roughly matched the times of the logon failures.

Question: how much more verbosity for log.samba would be needed to
further investigate this problem? I'd rather not log everything with
"-d10" for extended periods of time, because I really can't know how
long it will take for the problem to reappear. I've now increased
logging from the default level to "-d3".

I also wish to turn on Kerberos logging in Samba so that I could have
something akin to Windows's security log and see all successful and
failed login attempts. Can this be achieved by normal krb5 logging
settings in krb5.conf (as described on man 3 krb5_openlog)? Any
recommended logging settings?


Pekka L.J. Jalkanen
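
Added example (not part of the original post, and not Samba code): a small triage script that pulls dump_data entries out of log.samba text, groups identical payloads, and counts them with first/last timestamps so they can be lined up against logon failures. Reading bytes 4..7 as a little-endian length and the data from offset 12 as UTF-16LE is an assumption that happens to fit the dump above; the second timestamp in the sample is constructed.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)[^\]]*\]\s+\S+\(dump_data\)")
# Offset plus up to 16 hex bytes; a short last row whose ASCII column looks like hex would over-read.
ROW = re.compile(r"^\s*\[[0-9A-Fa-f]{4}\]((?:\s+[0-9A-Fa-f]{2}\b){1,16})")

def parse_dumps(text):
    """Return [(timestamp, payload_bytes)] for each dump_data entry in the log text."""
    dumps, buf = [], None
    for line in text.splitlines():
        head, row = HEADER.match(line), ROW.match(line)
        if head:
            buf = bytearray()
            dumps.append((head.group(1), buf))
        elif row and buf is not None:
            buf.extend(bytes.fromhex("".join(row.group(1).split())))
        elif line.startswith("["):   # another log entry ends the dump;
            buf = None               # wrapped ASCII columns are simply skipped
    return [(ts, bytes(b)) for ts, b in dumps]

def summarise(dumps):
    """Group identical payloads and describe each group."""
    seen = defaultdict(list)
    for ts, data in dumps:
        seen[data].append(ts)
    out = []
    for data, stamps in seen.items():
        # Assumption: bytes 4..7 = little-endian byte count of the UTF-16LE
        # text starting at offset 12 (consistent with the dump in the post).
        n = int.from_bytes(data[4:8], "little")
        text = data[12:12 + n].decode("utf-16-le", errors="replace")
        out.append({"count": len(stamps), "first": min(stamps), "last": max(stamps),
                    "size": len(data), "declared": n, "text": text})
    return out

# Sample: the dump from the post, mail line-wrapping kept; second entry's time is constructed.
FULL = "20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  .\n. . .\n"
ENTRY = ("[2013/05/09 12:39:57,  0] ../lib/util/util.c:457(dump_data)\n"
         "  [0000] 00 00 00 00 62 00 00 00   00 00 00 00 20 00 20 00   ....b...\n.... . .\n"
         + "".join(f"  [{o:04x}] {FULL}" for o in range(0x10, 0x60, 0x10))
         + "  [0060] 20 00 20 00 20 00 20 00   20 00 20 00 50 00 00      . . . .  . .P..\n")
SAMPLE = ENTRY + ENTRY.replace("12:39:57", "12:41:03")

if __name__ == "__main__":
    print(summarise(parse_dumps(SAMPLE)))
```

On the sample, the declared length (0x62 = 98 bytes) covers exactly 48 UTF-16LE spaces followed by "P", i.e. a blank-padded text field rather than random data.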

