[Samba] bad password lockout on 4.2.4

mourik jan heupink heupink at merit.unu.edu
Thu Sep 24 13:38:08 UTC 2015


For the same user I'm also seeing, in the DC logs:

> ntlm_password_check: Interactive logon: NT password check failed for user inraek

Would the above always be a windows domain worskstation logon?

MJ

On 09/24/2015 03:00 PM, mourik jan heupink wrote:
> Yes, I found out what DC. I need to know what is causing the failed
> authentication attemps, it could be:
>
> - windows workstation logons
> - dovecot
> - sogo
> - postfix
> - remote file access
> - any apache ldap authentication
> - any of the online intranet sites
> - you name it, it's all linked to our AD
>
> If I knew what IP address the attempted bind came from, I'd know where
> to start looking...
>
> On 09/24/2015 02:52 PM, James wrote:
>> On 9/24/2015 8:41 AM, mourik jan heupink wrote:
>>> Hi James,
>>>
>>>> I find this tool handy if using a Windows based machine.
>>>>
>>>> http://www.microsoft.com/en-us/download/details.aspx?id=15201
>>>>
>>>> Account Lockout Status (LockoutStatus.exe) is a combination
>>>> command-line
>>>> and graphical tool that displays lockout information about a particular
>>>> user account.
>>>>
>>> Thanks for the tip, and I'll take a look, but judging from the link,
>>> this tool would not tell me WHERE the failed authentication attempts
>>> came from, right?
>>>
>>> Shouldn't there be an easy way to get this kind of info?
>>>
>> It should tell you the DC it came from. Do you need the the workstation?
>>
>



More information about the samba mailing list