[Samba] auth_audit log event for disabled user

lingpanda101 lingpanda101 at gmail.com
Tue Sep 26 16:39:39 UTC 2017


I recently upgraded Samba to 4.7.0 and enabled the Authentication 
and Authorization audit support. One of the first events I see is from a 
disabled user account.

[2017/09/26 12:24:17.894767,  3, pid=1257, effective(0, 0), real(0, 0)] 
   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user 
[(null)]\[bdiley at DOMAIN.LOCAL] at [Tue, 26 Sep 2017 12:24:17.894746 EDT] 
with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation 
[(null)] remote host [ipv4:] became [DOMAIN]\[bdiley] 
[S-1-5-21-940051827-2291820289-3341758437-1188]. local host [NULL]

First, what does "Pre-authentication" refer to, and second, why don't I 
see a failed log event for this user? I disabled the account via Microsoft 
RSAT. Thanks.

