[Samba] bad password lockout on 4.2.4
lingpanda101 at gmail.com
Thu Sep 24 13:40:04 UTC 2015
On 9/24/2015 9:00 AM, mourik jan heupink wrote:
> Yes, I found out what DC. I need to know what is causing the failed
> authentication attemps, it could be:
> - windows workstation logons
> - dovecot
> - sogo
> - postfix
> - remote file access
> - any apache ldap authentication
> - any of the online intranet sites
> - you name it, it's all linked to our AD
> If I knew what IP address the attempted bind came from, I'd know where
> to start looking...
> On 09/24/2015 02:52 PM, James wrote:
>> On 9/24/2015 8:41 AM, mourik jan heupink wrote:
>>> Hi James,
>>>> I find this tool handy if using a Windows based machine.
>>>> Account Lockout Status (LockoutStatus.exe) is a combination
>>>> and graphical tool that displays lockout information about a
>>>> user account.
>>> Thanks for the tip, and I'll take a look, but judging from the link,
>>> this tool would not tell me WHERE the failed authentication attempts
>>> came from, right?
>>> Shouldn't there be an easy way to get this kind of info?
>> It should tell you the DC it came from. Do you need the the workstation?
Another option is to have these events forwarded to a Syslog. I have
enabled a few workstations through GPO to process 'Audit account logon
events'. When a user enters a bad password or username. The event is
triggered and sent to the syslog.
I did the above because of the exact issue you are facing. I was unable
to easily find these events by grepping the samba log files.
More information about the samba