[Samba] auth_audit log event for disabled user

Andrew Bartlett abartlet at samba.org
Tue Oct 17 03:38:45 UTC 2017

On Tue, 2017-09-26 at 12:39 -0400, lingpanda101 via samba wrote:
> Hello,
>      I recently upgrade Samba to 4.7.0 and enabled the
> Authentication 
> and Authorization audit support. One of the first events I see is
> from a 
> disabled user account.
> [2017/09/26 12:24:17.894767,  3, pid=1257, effective(0, 0), real(0,
> 0)] 
> ../auth/auth_log.c:760(log_authentication_event_human_readable)
>    Auth: [Kerberos KDC,ENC-TS Pre-authentication] user 
> [(null)]\[bdiley at DOMAIN.LOCAL] at [Tue, 26 Sep 2017 12:24:17.894746
> EDT] 
> with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation 
> [(null)] remote host [ipv4:] became
> [DOMAIN]\[bdiley] 
> [S-1-5-21-940051827-2291820289-3341758437-1188]. local host [NULL]
> First what does "Pre-authentication" refer to and second why don't I
> see 
> a failed log event for this user? I disabled the account via.
> Microsoft 
> RSAT. Thanks.

Sorry for the delay in replying.

The issue is that Heimdal, acting as Samba's KDC, checks the password
before the disabled account status, and we don't log the later denial. 

We are looking to reverse the order of these checks to match what
Windows does, and have written some patches for this that will be
posted shortly. 


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   

More information about the samba mailing list