[Samba] User accounts being blocked
James Crouch
jcrouch at decisionanalyst.com
Fri Aug 19 19:13:34 UTC 2016
Are you using the "samba-tool domain passwordsettings" command to set the
lockout policy, or are you using group policy?
-James Crouch
On Aug 19, 2016 2:03 PM, "Ricardo Pardim Claus" <ricardo.claus at yahoo.com.br>
wrote:
>
>
> Dear James,
> Thanks for the input.
>
> Even increasing from 5 to 10, the amount of times to miss the password and
> lock the account (after changing, I wheeled a gpupdate / force), if you
> miss 3 times the account is locked.
>
> I changed smb.conf log level to 9.
> I tried to unlock the account using the samba-tool command line, but
> without success, because I can only unlock using the RSAT.
> I get these messages:
>
> # Samba-user tool enable erico
> INFO: Current debug levels:
> all: 9
> tdb: 9
> printdrivers: 9
> lanman: 9
> smb: 9
> rpc_parse: 9
> rpc_srv: 9
> rpc_cli: 9
> passdb: 9
> sam: 9
> auth: 9
> winbind: 9
> vfs: 9
> idmap: 9
> share: 9
> acls: 9
> locking: 9
> msdfs: 9
> DMAPI: 9
> Registry: 9
> Scavenger: 9
> dns: 9
> ldb: 9
> tevent: 9
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> pm_process () returned Yes
> Module 'tombstone_reanimate' is disabled. Skip registration.ldb_wrap open
> of secrets.ldb
> lpcfg_servicenumber: could not find ldb
> schema_fsmo_init: we are master [yes] updates allowed [in]
> schema_fsmo_init: we are master [yes] updates allowed [in]
> Enabled user 'erico'
>
>
> In "tail -f /var/log/samba/%m.log" I see these lines:
>
>
> [2016/08/19 15:13:27.681166, 4] ../source4/dsdb/samdb/ldb_
> modules/repl_meta_data.c:5397(replmd_extended_replicated_objects)
> linked_attributes_count=0
> [2016/08/19 15:13:27.681922, 6] ../source4/dsdb/samdb/ldb_
> modules/repl_meta_data.c:759(replmd_replPropertyMetaDataCtr1_sort_
> and_verify)
> Sorting rpmd with attid exception 3 rDN=CN DN=CN=Erico Joao Santos
> Velter,OU=TI-INFRA,OU=domain,DC=domain,DC=local
> [2016/08/19 15:13:27.682003, 4] ../source4/dsdb/samdb/ldb_
> modules/repl_meta_data.c:4694(replmd_replicated_apply_merge)
> [2016/08/19 15:13:27.683095, 4] ../source4/dsdb/samdb/ldb_
> modules/repl_meta_data.c:4696(replmd_replicated_apply_merge)
> DRS replication modify message:
> dn: CN=Erico Joao Santos Velter,OU=TI-INFRA,OU=domain,DC=domain,DC=local
> changetype: modify
> replace: whenChanged
> whenChanged: 20160819181321.0Z
> -
> replace: uSNChanged
> uSNChanged: 14351
> -
> replace: replPropertyMetaData
> replPropertyMetaData:: AQAAAAAAAAAeAAAAAAAAAAAAAAABAA
> AAO+eADAMAAAA0cRFe3a15QqY
> Pt3C2QPfI/zQAAAAAAAAbEAAAAAAAAAQAAAABAAAAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfI
> /zQA
> AAAAAAAbEAAAAAAAACoAAAABAAAAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfI
> /zQAAAAAAAAbEAAAA
> AAAAAEAAgABAAAAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfI
> /zQAAAAAAAAbEAAAAAAAAAIAAgABAA
> AAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfI/zQAAAAAAAAbEAAAAAAAAA0AAgABAAA
> AO+eADAMAAAA
> 0cRFe3a15QqYPt3C2QPfI/zQAAAAAAAAbEAAAAAAAABkBAgACAAA
> ADZiEDAMAAAA0cRFe3a15QqYP
> t3C2QPfIBmIAAAAAAAAbEAAAAAAAAAEACQARAAAAUpjCDQMAAADj+
> 0WJUrcbT71MPVMCZ7NQLSIAA
> AAAAAAtIgAAAAAAAAgACQAFAAAAv2WpDQMAAABGCTrnfBiVS4Sau+
> xkyjfDtVIBAAAAAAAbEAAAAA
> AAABAACQABAAAAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfI
> ADUAAAAAAAAbEAAAAAAAABkACQABAAA
> AO+eADAMAAAA0cRFe3a15QqYPt3C2QPfIADUAAAAAAAAbEAAAAAAAADcACQAQAA
> AAt2WpDQMAAABG
> CTrnfBiVS4Sau+xkyjfDs1IBAAAAAAAbEAAAAAAAAEAACQABAAAAO+
> eADAMAAAA0cRFe3a15QqYPt
> 3C2QPfIADUAAAAAAAAbEAAAAAAAAFoACQAQAAAAt2WpDQMAAABGCTrnfBiVS
> 4Sau+xkyjfDs1IBAA
> AAAAAbEAAAAAAAAF4ACQAQAAAAt2WpDQMAAABGCTrnfBiVS4Sau+
> xkyjfDs1IBAAAAAAAbEAAAAAA
> AAGAACQAVAAAAt2WpDQMAAABGCTrnfBiVS4Sau+xkyjfDs1IBAAAAAAAbEAAAAAAAAGIA
> CQAEAAAA
> 5TmEDQMAAADGBIYQJPnHTpP0rJHpn8MYrrwAAAAAAAAbEAAAAAAAAH0ACQAP
> AAAAt2WpDQMAAABGC
> TrnfBiVS4Sau+xkyjfDtFIBAAAAAAAbEAAAAAAAAJIACQABAAAAO+
> eADAMAAAA0cRFe3a15QqYPt3
> C2QPfI/zQAAAAAAAAbEAAAAAAAAJYACQABAAAADZiEDAMAAAA0cRFe3a15QqYPt3C2Q
> PfIBmIAAAA
> AAAAbEAAAAAAAAJ8ACQABAAAAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfI
> ADUAAAAAAAAbEAAAAAAA
> AKAACQAQAAAAt2WpDQMAAABGCTrnfBiVS4Sau+xkyjfDs1IBAAAAAAAbEAAAAAAAAN0A
> CQABAAAAO
> +eADAMAAAA0cRFe3a15QqYPt3C2QPfI/zQAAAAAAAAbEAAAAAAAAC4BCQABAAA
> AO+eADAMAAAA0cR
> Fe3a15QqYPt3C2QPfI/zQAAAAAAAAbEAAAAAAAAJACCQABAAA
> AO+eADAMAAAA0cRFe3a15QqYPt3C
> 2QPfI/zQAAAAAAAAbEAAAAAAAAJYCCQAjAAAAQd3HDQMAAADUBnA1JNVVRYN4On+
> wEF1BuSMAAAAA
> AAAPOAAAAAAAAA4DCQABAAAAO+eADAMAAAA0cRFe3a15QqYPt3C2QPfI
> /zQAAAAAAAAbEAAAAAAAA
> KAGCQAXAAAA9wvFDQMAAADj+0WJUrcbT71MPVMCZ7NQPiwAAAAAAAA
> +LAAAAAAAAKsHCQABAAAAv2
> WpDQMAAABGCTrnfBiVS4Sau+xkyjfDtVIBAAAAAAAbEAAAAAAAAAMA
> AAANAAAApnSyDQMAAABGCTr
> nfBiVS4Sau+xkyjfDkLgBAAAAAABxEwAAAAAAAA==
> -
> replace: lockoutTime
> lockoutTime: 131161040016926080
> -
>
>
> [2016/08/19 15:13:27.687552, 4] ../source4/dsdb/samdb/ldb_
> modules/repl_meta_data.c:5231(replmd_replicated_uptodate_modify)
> DRS replication uptodate modify message:
> dn: DC=domain,DC=local
> changetype: modify
> replace: replUpToDateVector
> replUpToDateVector:: AgAAAAAAAAALAAAAAAAAAMYEhhAk+
> cdOk/SskemfwxjtXgIAAAAAAPW0l
> g0DAAAAl8bFE0zNXEGg22QMX6cWu9IvAAAAAAAAAIA+1d6xnQHUBnA1JNVVRYN4On+
> wEF1BuSMAAA
> AAAAAAgD7V3rGdAQ4crjuNcRJNp8XYZYxANVMxEwAAAAAAAACAPtXesZ0BNH
> ERXt2teUKmD7dwtkD
> 3yAMzBwAAAAAABUiADQMAAAB5CTJ76gkgQZ/R3EKh722VgBMAAAAAAAAAgD7V3rGdA
> SU0K4OwPo5J
> hZeJgfvJkr/vEgAAAAAAAACAPtXesZ0BLNuomXXda0+AaGlWssQYqBsTAAAAAAAAAIA+
> 1d6xnQEZJ
> DHD3GZdSJo5+MrbBGDCorgBAAAAAABl7p8NAwAAAMT1D+Gifk5LjnVt/
> upuUAYGEwAAAAAAAACAPt
> XesZ0BRgk653wYlUuEmrvsZMo3wyAxAwAAAAAA9Jy/DQMAAAA=
> -
> replace: repsFrom
> repsFrom:: AQAAAAAAAAAPAQAAAAAAAEfdxw0DAAAAR93HDQMAAAAAAAAA0AAAAD8AAAB0
> AAAAERE
> RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
> RERERERERERERERER
> ERERERERERERERERERERERERERERERERAAAAALkjAAAAAAAAAAAAAAAAAAC5
> IwAAAAAAAOwZCRo0s
> CtDqb1rc6O7bG3UBnA1JNVVRYN4On+wEF1BAAAAAAAAAAAAAAAAAAAAADsAA
> AAxYTA5MTllYy1iMD
> M0LTQzMmItYTliZC02YjczYTNiYjZjNmQuX21zZGNzLmxvamFjb3JyLmxvY2FsAA==
> -
>
>
> [2016/08/19 15:13:27.694897, 2] ../source4/dsdb/repl/
> replicated_objects.c:1008(dsdb_replicated_objects_commit)
> Replicated 1 objects (0 linked attributes) for DC=domain,DC=local
> [2016/08/19 15:13:27.816480, 6] ../librpc/rpc/dcerpc_util.c:
> 173(dcerpc_pull_auth_trailer)
> ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 12
> [2016/08/19 15:13:27.816608, 4] ../source4/dsdb/repl/drepl_
> out_helpers.c:918(dreplsrv_update_refs_done)
> UpdateRefs OK for f192ce0f-92cf-4511-b1bb-71b0fbc2f39c._msdcs.domain.local
> DC=domain,DC=local
> [2016/08/19 15:13:27.816632, 4] ../source4/dsdb/repl/drepl_
> out_pull.c:178(dreplsrv_pending_op_callback)
> dreplsrv_op_pull_source(WERR_OK) for DC=domain,DC=local
> [2016/08/19 15:13:30.360979, 4] ../source4/dsdb/repl/drepl_
> notify.c:463(dreplsrv_notify_schedule)
> dreplsrv_notify_schedule(5) scheduled for: Fri Aug 19 15:13:35 2016 BRT
> [2016/08/19 15:13:32.271240, 5] ../source4/libcli/dgram/
> dgramsocket.c:65(dgm_socket_recv)
> Received dgram packet of length 201 from 172.16.16.137:138
> [2016/08/19 15:13:32.271406, 4] ../source4/nbt_server/dgram/
> browse.c:70(nbtd_mailslot_browse_handler)
> Browse HostAnnouncement (Op 1) on 'domain<1d>' '\MAILSLOT\BROWSE' from
> 172.16.16.137:138
> [2016/08/19 15:13:32.271453, 5] ../source4/libcli/dgram/
> dgramsocket.c:65(dgm_socket_recv)
> Received dgram packet of length 201 from 172.16.16.137:138
> [2016/08/19 15:13:32.271484, 4] ../source4/nbt_server/dgram/
> browse.c:70(nbtd_mailslot_browse_handler)
> Browse HostAnnouncement (Op 1) on 'domain<1d>' '\MAILSLOT\BROWSE' from
> 172.16.16.137:138
> [2016/08/19 15:13:35.368264, 4] ../source4/dsdb/repl/drepl_
> notify.c:463(dreplsrv_notify_schedule)
> dreplsrv_notify_schedule(5) scheduled for: Fri Aug 19 15:13:40 2016 BRT
>
>
>
> ________________________________
> > De: James Crouch
> > Ricardo,
>
> > I am very sure this is a bug that has a fix in the 4.5rc version of
> Samba. I am not having any luck finding the bug page for this though though.
>
> > You can increase the log levels to 4 (I think) or greater to see what is
> happening. I set my log level to 10 when I investigated this, but that
> generates a huge amount of info to shift > through.
>
> > From what I understand, after attempting to authenticate on a Windows
> workstation the workstation sends a authentication request to the Samba
> server. Windows then expects a certain reply > from the Samba server. If
> Windows does not see the reply it wants, then the workstation sends the
> request again. If there was a bad password entered during authentication
> request, then Samba would see multiple bad password attempts coming from
> the workstation and would lock the account out after it reaches the lockout
> threshold.
>
> >I wanted a lockout threshold of 3 on my systems, so I ended up setting
> this to 6 since it seems to increase the bad password count by 2 on average
> for each bad password attempt on my >systems. I have seen it increase the
> bad password count by up to 4 for a single bad password attempt though.
> >Thanks,
> >-James Crouch
>
More information about the samba
mailing list