[Samba] Account lockout

Al Slater al.slater at scluk.com
Tue Jun 30 08:36:15 MDT 2015


Hi,

I have just upgraded our Samba 4.1 AD servers to 4.2.2.  Our AD was 
previously run on win2k3 and had configuration for account lockout after 
3 bad passwords.  This lockout obviously did not work after migration to 4.1.

After the upgrade to 4.2.2 the lockout started working again, almost as 
expected.

The current settings are

Password complexity: on
Store plaintext passwords: off
Password history length: 20
Minimum password length: 8
Minimum password age (days): 1
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30


When testing the account lockout, it seemed that it only took 2 bad 
passwords to lock the account where it should be 3.

When I traced log.samba while attempting login with a bad password, it 
appears that when I press enter after entering a bad password, 2 
attempts are made at checking it.  The second time I enter a bad 
password, the account is locked.

<grep aslate log.samba>
   Kerberos: AS-REQ aslate@DOMAIN from ipv4:123.123.123.50:65414 for krbtgt/DOMAIN@DOMAIN
   Kerberos: Looking for PKINIT pa-data -- aslate@DOMAIN
   Kerberos: Looking for ENC-TS pa-data -- aslate@DOMAIN
   Kerberos: No preauth found, returning PREAUTH-REQUIRED -- aslate@DOMAIN
   Kerberos: AS-REQ aslate@DOMAIN from ipv4:123.123.123.50:65415 for krbtgt/DOMAIN@DOMAIN
   Kerberos: Looking for PKINIT pa-data -- aslate@DOMAIN
   Kerberos: Looking for ENC-TS pa-data -- aslate@DOMAIN
   Kerberos: ENC-TS Pre-authentication succeeded -- aslate@DOMAIN using aes256-cts-hmac-sha1-96
   Kerberos: TGS-REQ aslate@DOMAIN.SCLUK.COM from ipv4:123.123.123.50:65416 for host/aslate-v.DOMAIN.scluk.com@DOMAIN.SCLUK.COM [canonicalize, renewable, forwardable]
   Kerberos: AS-REQ aslate@DOMAIN from ipv4:123.123.123.50:65418 for krbtgt/DOMAIN@DOMAIN
   Kerberos: Looking for PKINIT pa-data -- aslate@DOMAIN
   Kerberos: Looking for ENC-TS pa-data -- aslate@DOMAIN
   Kerberos: No preauth found, returning PREAUTH-REQUIRED -- aslate@DOMAIN
   Kerberos: AS-REQ aslate@DOMAIN from ipv4:123.123.123.50:65419 for krbtgt/DOMAIN@DOMAIN
   Kerberos: Looking for PKINIT pa-data -- aslate@DOMAIN
   Kerberos: Looking for ENC-TS pa-data -- aslate@DOMAIN
   Kerberos: Failed to decrypt PA-DATA -- aslate@DOMAIN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
   Kerberos: Failed to decrypt PA-DATA -- aslate@DOMAIN
   Kerberos: AS-REQ aslate@DOMAIN from ipv4:123.123.123.50:65420 for krbtgt/DOMAIN@DOMAIN
   Kerberos: Looking for PKINIT pa-data -- aslate@DOMAIN
   Kerberos: Looking for ENC-TS pa-data -- aslate@DOMAIN
   Kerberos: Failed to decrypt PA-DATA -- aslate@DOMAIN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
   Kerberos: Failed to decrypt PA-DATA -- aslate@DOMAIN
   Kerberos: AS-REQ aslate@DOMAIN from ipv4:123.123.123.50:65438 for krbtgt/DOMAIN@DOMAIN
   Kerberos: Looking for PKINIT pa-data -- aslate@DOMAIN
   Kerberos: Looking for ENC-TS pa-data -- aslate@DOMAIN
   Kerberos: No preauth found, returning PREAUTH-REQUIRED -- aslate@DOMAIN
   Kerberos: AS-REQ aslate@DOMAIN from ipv4:123.123.123.50:65439 for krbtgt/DOMAIN@DOMAIN
   Kerberos: Looking for PKINIT pa-data -- aslate@DOMAIN
   Kerberos: Looking for ENC-TS pa-data -- aslate@DOMAIN
   Kerberos: Failed to decrypt PA-DATA -- aslate@DOMAIN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
   Kerberos: Failed to decrypt PA-DATA -- aslate@DOMAIN
   Kerberos: AS-REQ aslate@DOMAIN from ipv4:123.123.123.50:65440 for krbtgt/DOMAIN@DOMAIN
   Kerberos: Looking for PKINIT pa-data -- aslate@DOMAIN
   Kerberos: Client (aslate@DOMAIN) is locked out
</grep>


The client machine is running win7 and is fully up to date with patches.

Does anyone have any idea why this is happening?  Do we have an odd 
windows setting or is samba not handling this correctly?


-- 
Al Slater

Technical Director
SCL
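The trace in the post above can be replayed mechanically to separate what the user did (passwords typed) from what the KDC counted (AS-REQs whose pre-authentication failed). The script below is an added example, not code from the post or from Samba; it assumes that a Windows client opens every logon with an AS-REQ carrying no pre-authentication (answered with PREAUTH-REQUIRED, so that line marks one password entered), that each AS-REQ whose ENC-TS timestamp fails to decrypt is one bad-password event toward the lockout threshold even though the KDC prints two "Failed to decrypt PA-DATA" lines for it, and that a successful pre-authentication resets the running count (AD badPwdCount semantics). The sample log is constructed from the excerpt in the post, with the archive's "at" obfuscation reverted and wrapped lines joined.

```python
"""Replay the Kerberos lines of a Samba log.samba excerpt and count how many
failed AS-REQs the KDC saw per password the user actually typed.
Added example (not from the post or Samba); see the assumptions in the lead-in."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

AS_REQ = re.compile(r"Kerberos: AS-REQ (\S+) from ipv4:([\d.]+):(\d+) for ")
OUTCOMES = [  # (regex over the KDC's result line for an AS-REQ, outcome label)
    (re.compile(r"returning PREAUTH-REQUIRED -- (\S+)"), "preauth_required"),
    (re.compile(r"Pre-authentication succeeded -- (\S+)"), "success"),
    (re.compile(r"Failed to decrypt PA-DATA -- (\S+)"), "bad_password"),
    (re.compile(r"Client \((\S+)\) is locked out"), "locked_out"),
]


@dataclass
class AsRequest:
    principal: str
    client: str                    # ip:port the AS-REQ came from
    outcome: Optional[str] = None  # one of the OUTCOMES labels


@dataclass
class Summary:
    logins_since_success: int = 0    # passwords the user entered (assumed: one PREAUTH-REQUIRED each)
    failures_since_success: int = 0  # failed AS-REQs, i.e. what the KDC counts toward lockout
    failures_per_login: List[int] = field(default_factory=list)
    locked_out_seen: bool = False

    def would_lock(self, threshold: int) -> bool:
        return self.failures_since_success >= threshold


def parse_kdc_log(text: str) -> List[AsRequest]:
    """One record per AS-REQ; the first result line printed for it sets the outcome."""
    requests: List[AsRequest] = []
    current: Optional[AsRequest] = None
    for line in text.splitlines():
        m = AS_REQ.search(line)
        if m:
            current = AsRequest(m.group(1), f"{m.group(2)}:{m.group(3)}")
            requests.append(current)
            continue
        if current is None or current.outcome is not None:
            continue  # 'Looking for' chatter, TGS-REQs, or the duplicate failure line
        for pattern, label in OUTCOMES:
            m = pattern.search(line)
            if m and m.group(1) == current.principal:
                current.outcome = label
                break
    return requests


def summarize(requests: List[AsRequest]) -> Dict[str, Summary]:
    """Per principal: logins vs. failed requests, with counters reset on success."""
    per: Dict[str, Summary] = {}
    for r in requests:
        s = per.setdefault(r.principal, Summary())
        if r.outcome == "preauth_required":
            s.logins_since_success += 1
            s.failures_per_login.append(0)
        elif r.outcome == "bad_password":
            s.failures_since_success += 1
            if s.failures_per_login:
                s.failures_per_login[-1] += 1
        elif r.outcome == "success":
            s.logins_since_success = s.failures_since_success = 0
            s.failures_per_login.clear()
        elif r.outcome == "locked_out":
            s.locked_out_seen = True
    return per


# Constructed sample modelled on the log.samba excerpt in the post above.
SAMPLE_LOG = """\
Kerberos: AS-REQ aslate@DOMAIN from ipv4:123.123.123.50:65414 for krbtgt/DOMAIN@DOMAIN
Kerberos: Looking for ENC-TS pa-data -- aslate@DOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- aslate@DOMAIN
Kerberos: AS-REQ aslate@DOMAIN from ipv4:123.123.123.50:65415 for krbtgt/DOMAIN@DOMAIN
Kerberos: ENC-TS Pre-authentication succeeded -- aslate@DOMAIN using aes256-cts-hmac-sha1-96
Kerberos: TGS-REQ aslate@DOMAIN.SCLUK.COM from ipv4:123.123.123.50:65416 for host/aslate-v.DOMAIN.scluk.com@DOMAIN.SCLUK.COM [canonicalize, renewable, forwardable]
Kerberos: AS-REQ aslate@DOMAIN from ipv4:123.123.123.50:65418 for krbtgt/DOMAIN@DOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- aslate@DOMAIN
Kerberos: AS-REQ aslate@DOMAIN from ipv4:123.123.123.50:65419 for krbtgt/DOMAIN@DOMAIN
Kerberos: Failed to decrypt PA-DATA -- aslate@DOMAIN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Kerberos: Failed to decrypt PA-DATA -- aslate@DOMAIN
Kerberos: AS-REQ aslate@DOMAIN from ipv4:123.123.123.50:65420 for krbtgt/DOMAIN@DOMAIN
Kerberos: Failed to decrypt PA-DATA -- aslate@DOMAIN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Kerberos: Failed to decrypt PA-DATA -- aslate@DOMAIN
Kerberos: AS-REQ aslate@DOMAIN from ipv4:123.123.123.50:65438 for krbtgt/DOMAIN@DOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- aslate@DOMAIN
Kerberos: AS-REQ aslate@DOMAIN from ipv4:123.123.123.50:65439 for krbtgt/DOMAIN@DOMAIN
Kerberos: Failed to decrypt PA-DATA -- aslate@DOMAIN (enctype aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Kerberos: Failed to decrypt PA-DATA -- aslate@DOMAIN
Kerberos: AS-REQ aslate@DOMAIN from ipv4:123.123.123.50:65440 for krbtgt/DOMAIN@DOMAIN
Kerberos: Client (aslate@DOMAIN) is locked out
"""

if __name__ == "__main__":
    for principal, s in summarize(parse_kdc_log(SAMPLE_LOG)).items():
        print(principal, s.logins_since_success, "passwords typed,",
              s.failures_since_success, "failed AS-REQs", s.failures_per_login,
              "locks at threshold 3:", s.would_lock(3))
```

Run against the sample, the summary for aslate@DOMAIN is 2 passwords typed but 3 failed AS-REQs, split [2, 1] across the two logons: the first bad password produced two failed requests (ports 65419 and 65420), which is exactly what puts the count at the threshold of 3 after the second. The `failures_per_login` list is the value to watch when diagnosing this: any logon that yields more than one failed AS-REQ means the client is retrying pre-authentication, and the lockout threshold is effectively lower than the policy states.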

