[Samba] bad password lockout on 4.2.4

James lingpanda101 at gmail.com
Thu Sep 24 13:40:04 UTC 2015


On 9/24/2015 9:00 AM, mourik jan heupink wrote:
> Yes, I found out what DC. I need to know what is causing the failed
> authentication attemps, it could be:
>
> - windows workstation logons
> - dovecot
> - sogo
> - postfix
> - remote file access
> - any apache ldap authentication
> - any of the online intranet sites
> - you name it, it's all linked to our AD
>
> If I knew what IP address the attempted bind came from, I'd know where
> to start looking...
>
> On 09/24/2015 02:52 PM, James wrote:
>> On 9/24/2015 8:41 AM, mourik jan heupink wrote:
>>> Hi James,
>>>
>>>> I find this tool handy if using a Windows based machine.
>>>>
>>>> http://www.microsoft.com/en-us/download/details.aspx?id=15201
>>>>
>>>> Account Lockout Status (LockoutStatus.exe) is a combination
>>>> command-line
>>>> and graphical tool that displays lockout information about a
>>>> particular
>>>> user account.
>>>>
>>> Thanks for the tip, and I'll take a look, but judging from the link,
>>> this tool would not tell me WHERE the failed authentication attempts
>>> came from, right?
>>>
>>> Shouldn't there be an easy way to get this kind of info?
>>>
>> It should tell you the DC it came from. Do you need the the workstation?
>>
>
Another option is to have these events forwarded to a Syslog. I have
enabled a few workstations through GPO to process 'Audit account logon
events'. When a user enters a bad password or username. The event is
triggered and sent to the syslog.

I did the above because of the exact issue you are facing. I was unable
to easily find these events by grepping the samba log files.

-- 
-James





More information about the samba mailing list