[Samba] Account lockouts caused by SAMBA + WinBind do not report "Caller Computer Name" in security audit

Andrew Bartlett abartlet at samba.org
Mon Apr 9 18:42:25 UTC 2018

On Mon, 2018-04-09 at 17:49 +0000, Eric Wheeler via samba wrote:
> Hello all,
> We are troubleshooting an issue that when SAMBA is joined to a Windows 
> domain controller as a member server that has password failure lockouts 
> configured, the Windows security auditing does not show the "Caller 
> Computer Name" in the event ID generated (4740).
> We are using Samba 4.6.2 from CentOS 7. We posted a Bugzilla at Red Hat 
> here: https://bugzilla.redhat.com/show_bug.cgi?id=1563425
> The Bugzilla request contains images showing the security audit issue.
> Does anyone know what might cause this?

You clarified on the bug that this is when using Kerberos.  The name
used is either from the FAST wrapper (not supported by Samba) or most
likely the netbios host name given as an additional, un-authenticated
'client address'.  

Sadly using FAST hasn't yet been implemented in winbindd but the code
looks like it sends the netbios name.  

A network trace comparing your two cases (presuming you have seen
windows fill this in for Kerberos) would show the difference and
suggest what would need to be implemented.

I hope this helps,

Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list