[Samba] auth audit log question

mj lists at merit.unu.edu
Thu Nov 23 12:54:18 UTC 2017


Hi,

Since Samba 4.7 I have set up auth logging, and while I can relate most 
failed passwords to users mistyping a password, there is one kind that I 
don't understand, happening across our samba-DCs.

Things work without issues, but I'm just being curious. :-)

> [2017/11/23 04:47:32.166753,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
>   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.166711 CET] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:1.2.3.30:62827] mapped to [WRKGRP]\[P002556$]. local host [NULL] 
> [2017/11/23 04:47:32.170564,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
>   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.170557 CET] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:1.2.3.30:62828] became [WRKGRP]\[P002556$] [S-1-5-21-90834550-981288634-869225949-132733]. local host [NULL] 

First NT_STATUS_WRONG_PASSWORD, immediately followed by NT_STATUS_OK for 
the same workstation.

We can domain-logon onto the workstation, I can open AD shares including 
\\samba-dc2, \\member_server, etc. All without problem. So the domain 
password / join appears to be correct.

P002556$@SAMBA.COMPANY.COM is running Windows Server 2008 Enterprise, SP2.

Could anyone think of other reasons why the above error could come up on 
the DC logs?

MJ
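
When triaging these logs, the pattern in the post (a failed pre-authentication followed within milliseconds by a success from the same account and address) can be separated from failures that are never followed by a success. The following is an added example, not part of the original post and not Samba's own code; the function names, the 2-second window and the third sample line (account `jdoe`) are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Matches the human-readable "Auth:" line in the format shown in the post.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^\]]*)\] user \[(?P<domain>[^\]]*)\]\\\[(?P<account>[^\]]*)\] "
    r"at \[\w+, (?P<ts>\d+ \w+ \d+ [\d:.]+) \w+\] with \[(?P<mech>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] workstation \[[^\]]*\] "
    r"remote host \[ipv4:(?P<ip>[\d.]+):(?P<port>\d+)\]"
)

# First two lines are from the post; the third (jdoe) is constructed sample data.
SAMPLE = r"""
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.166711 CET] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:1.2.3.30:62827] mapped to [WRKGRP]\[P002556$]. local host [NULL]
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.170557 CET] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:1.2.3.30:62828] became [WRKGRP]\[P002556$] [S-1-5-21-90834550-981288634-869225949-132733]. local host [NULL]
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[jdoe@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 09:12:05.000100 CET] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:1.2.3.44:50110] mapped to [WRKGRP]\[jdoe]. local host [NULL]
"""

def parse(log_text):
    """Return one dict per Auth line; header lines and unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["time"] = datetime.strptime(ev.pop("ts"), "%d %b %Y %H:%M:%S.%f")
            events.append(ev)
    return events

def classify_failures(events, window=timedelta(seconds=2)):
    """Split failures into (followed by OK from same account and IP within window, all others)."""
    recovered, standalone = [], []
    for i, ev in enumerate(events):
        if ev["status"] == "NT_STATUS_OK":
            continue
        followed = any(
            later["status"] == "NT_STATUS_OK"
            and later["account"] == ev["account"]
            and later["ip"] == ev["ip"]
            and timedelta(0) <= later["time"] - ev["time"] <= window
            for later in events[i + 1:]
        )
        (recovered if followed else standalone).append(ev)
    return recovered, standalone

if __name__ == "__main__":
    recovered, standalone = classify_failures(parse(SAMPLE))
    for ev in standalone:
        print("standalone failure:", ev["account"], ev["ip"], ev["status"])
```

The source port is deliberately left out of the match, since the two lines in the post arrive from consecutive ports (62827 and 62828) on the same address.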


