[Samba] auth_audit log event for disabled user

lingpanda101 lingpanda101 at gmail.com
Tue Sep 26 16:39:39 UTC 2017


Hello,

     I recently upgrade Samba to 4.7.0 and enabled the Authentication 
and Authorization audit support. One of the first events I see is from a 
disabled user account.

[2017/09/26 12:24:17.894767,  3, pid=1257, effective(0, 0), real(0, 0)] 
../auth/auth_log.c:760(log_authentication_event_human_readable)
   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user 
[(null)]\[bdiley at DOMAIN.LOCAL] at [Tue, 26 Sep 2017 12:24:17.894746 EDT] 
with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation 
[(null)] remote host [ipv4:172.16.24.20:52728] became [DOMAIN]\[bdiley] 
[S-1-5-21-940051827-2291820289-3341758437-1188]. local host [NULL]

First what does "Pre-authentication" refer to and second why don't I see 
a failed log event for this user? I disabled the account via. Microsoft 
RSAT. Thanks.

-- 
--
James




More information about the samba mailing list