[Samba] auth_audit log event for disabled user
Andrew Bartlett
abartlet at samba.org
Tue Oct 17 03:38:45 UTC 2017
On Tue, 2017-09-26 at 12:39 -0400, lingpanda101 via samba wrote:
> Hello,
>
> I recently upgraded Samba to 4.7.0 and enabled the Authentication
> and Authorization audit support. One of the first events I see is from a
> disabled user account.
>
> [2017/09/26 12:24:17.894767, 3, pid=1257, effective(0, 0), real(0, 0)] ../auth/auth_log.c:760(log_authentication_event_human_readable)
> Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[bdiley at DOMAIN.LOCAL] at [Tue, 26 Sep 2017 12:24:17.894746 EDT] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:172.16.24.20:52728] became [DOMAIN]\[bdiley] [S-1-5-21-940051827-2291820289-3341758437-1188]. local host [NULL]
>
> First what does "Pre-authentication" refer to and second why don't I see
> a failed log event for this user? I disabled the account via Microsoft
> RSAT. Thanks.
Sorry for the delay in replying.
The issue is that Heimdal, acting as Samba's KDC, checks the password
before the disabled account status, and we don't log the later denial.
We are looking to reverse the order of these checks to match what
Windows does, and have written some patches for this that will be
posted shortly.
Sorry,
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
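
A detection sketch for the behaviour described in the reply (an added example, not code from Samba or from either participant in the thread): because a successful ENC-TS pre-authentication event can be logged for a disabled account, this parses human-readable auth_audit events and flags NT_STATUS_OK pre-authentication entries whose account is in a caller-supplied list of disabled accounts. The function names, the disabled-account set and the second sample event are assumptions constructed for illustration.

```python
import re

# Field layout taken from the event quoted in the thread; the "became"
# clause is treated as optional (assumption).
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]+),(?P<method>[^\]]+)\] "
    r"user \[[^\]]*\]\\\[(?P<user>[^\]]*)\] at \[(?P<when>[^\]]*)\] "
    r"with \[[^\]]*\] status \[(?P<status>[^\]]*)\] "
    r"workstation \[[^\]]*\] remote host \[(?P<remote>[^\]]*)\]"
    r"(?: became \[[^\]]*\]\\\[(?P<account>[^\]]*)\] \[(?P<sid>S-[\d-]+)\])?"
)

def parse_auth_events(log_text):
    """Yield one dict per 'Auth:' event, tolerating re-wrapped lines."""
    flat = " ".join(log_text.split())
    for m in AUTH_RE.finditer(flat):
        yield m.groupdict()

def preauth_ok_for_disabled(log_text, disabled_accounts):
    """Return KDC pre-auth events logged as NT_STATUS_OK for disabled accounts."""
    disabled = {a.lower() for a in disabled_accounts}
    hits = []
    for ev in parse_auth_events(log_text):
        account = (ev["account"] or ev["user"].split("@")[0]).lower()
        if (ev["service"] == "Kerberos KDC"
                and "Pre-authentication" in ev["method"]
                and ev["status"] == "NT_STATUS_OK"
                and account in disabled):
            hits.append(ev)
    return hits

# First event follows the one quoted in the thread; the second is constructed.
SAMPLE_LOG = r"""
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
  [(null)]\[bdiley@DOMAIN.LOCAL] at [Tue, 26 Sep 2017 12:24:17.894746 EDT]
  with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation
  [(null)] remote host [ipv4:172.16.24.20:52728] became [DOMAIN]\[bdiley]
  [S-1-5-21-940051827-2291820289-3341758437-1188]. local host [NULL]
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
  [(null)]\[alice@DOMAIN.LOCAL] at [Tue, 26 Sep 2017 12:25:01.000000 EDT]
  with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation
  [(null)] remote host [ipv4:172.16.24.21:40000] became [DOMAIN]\[alice]
  [S-1-5-21-940051827-2291820289-3341758437-9999]. local host [NULL]
"""

if __name__ == "__main__":
    for ev in preauth_ok_for_disabled(SAMPLE_LOG, {"bdiley"}):
        print(ev["when"], ev["account"], ev["sid"], ev["remote"])
```

A hit here means the password check passed for a disabled account, not that a ticket was issued, since the later denial is the part that goes unlogged.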