[Samba] Account lockouts caused by SAMBA + WinBind do not report "Caller Computer Name" in security audit
Andrew Bartlett
abartlet at samba.org
Mon Apr 9 18:42:25 UTC 2018
On Mon, 2018-04-09 at 17:49 +0000, Eric Wheeler via samba wrote:
> Hello all,
>
> We are troubleshooting an issue that when SAMBA is joined to a Windows
> domain controller as a member server that has password failure lockouts
> configured, the Windows security auditing does not show the "Caller
> Computer Name" in the event ID generated (4740).
>
> We are using Samba 4.6.2 from CentOS 7. We posted a Bugzilla at Red Hat
> here: https://bugzilla.redhat.com/show_bug.cgi?id=1563425
>
> The Bugzilla request contains images showing the security audit issue.
>
> Does anyone know what might cause this?
You clarified on the bug that this is when using Kerberos. The name
used is either from the FAST wrapper (not supported by Samba) or most
likely the netbios host name given as an additional, un-authenticated
'client address'.
Sadly using FAST hasn't yet been implemented in winbindd but the code
looks like it sends the netbios name.
A network trace comparing your two cases (presuming you have seen
windows fill this in for Kerberos) would show the difference and
suggest what would need to be implemented.
I hope this helps,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba
mailing list