[Samba] bad password lockout on 4.2.4

mourik jan heupink heupink at merit.unu.edu
Thu Sep 24 11:55:43 UTC 2015


I have increased the log level and I'm currently seeing this in the DC logs:

> [2015/09/24 13:51:35.185811,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
>   auth_check_password_send: Checking password for unmapped user [DOMAIN\inraek]@[(null)]
>   auth_check_password_send: mapped user is: [DOMAIN\inraek]@[(null)]
> [2015/09/24 13:51:35.186969,  3] ../libcli/auth/ntlm_check.c:236(hash_password_check)
>   ntlm_password_check: Interactive logon: NT password check failed for user inraek
> [2015/09/24 13:51:35.187233,  2] ../source4/auth/ntlm/auth.c:429(auth_check_password_recv)
>   auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\inraek] FAILED with error NT_STATUS_WRONG_PASSWORD

However... this is loglevel 10, and I still do not see WHERE this auth 
request comes FROM. What IP.

Anyone some ideas?

MJ


On 09/24/2015 10:11 AM, mourik jan heupink wrote:
> In the logs I can find lines like:
>
>> auth_check_password_recv: sam_ignoredomain authentication for user
>> [DOMAIN\inraek] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT
>
> But there are no lines indicating failed authentication attempts. I'm
> trying to find out WHY the account is locked.
>
> On 09/24/2015 09:03 AM, mourik jan heupink wrote:
>> Hi,
>>
>> Since two days, we upgraded from 4.1.17 to 4.2.4 (sernet, thanks!)
>> everything went well, and we have now implemented the bad password
>> lockout settings.
>>
>> We have some users now that complained twice that they cannot logon,
>> and indeed: their account was locked, unlocking did the job.
>>
>> But the question is: how can I find out more about the bad passwords
>>  that were provided? Thinks like at what time, from what ip address,
>> etc, etc.
>>
>> I can't find much in the DC's logs, though I guess that is where to
>> look..? Is a certain minimum log level required perhaps?
>>
>> We have three dc's, one (separate) fileserver, one mail, and some
>> other services, all authenticating to our three dc's, so I guess
>> those dc's would be the place to look...
>>
>> Thanks in advance, MJ
>>
>



More information about the samba mailing list