[Samba] log.samba: ntlm_password_check: Interactive logon: NT password check failed for user username
lists at merit.unu.edu
Wed Jul 19 13:53:23 UTC 2017
On 07/19/2017 12:13 AM, Andrew Bartlett via samba wrote:
>> Is there a way with samba 4.6 to find out more details about these kinds
>> of failed passwords:
>>> ./log.samba: auth_check_password_recv: sam_ignoredomain authentication for user [DOMAIN\username] FAILED with error NT_STATUS_WRONG_PASSWORD
>>> ./log.samba: auth_check_password_send: Checking password for unmapped user [DOMAIN]\[username]@[(null)]
>>> ./log.samba: auth_check_password_send: mapped user is: [DOMAIN]\[username]@[(null)]
>>> ./log.samba: ntlm_password_check: Interactive logon: NT password check failed for user username
> I think it certainly could be LDAP. In 4.6, the code converts a
> plaintext auth from LDAP into an 'interactive' auth.
Turns out: yes, it's over LDAP, and it's a botnet trying out various
passwords against our imap server.
> 4.7 will give you the detail you need to work out what is really going
> on, implement fail2ban etc. In the meantime, all I can suggest is
> turning up the logs and trying to stick it back together, but I realise
> that isn't very satisfactory.
Nope, it's not, but we read the 4.7 announcement, and we are very happy
to see improvements on the way :-)
Thanks for the reply Andrew!
More information about the samba