[Samba] Windows user domain accounts getting locked out regularly

Rick Warner rick at microway.com
Mon Feb 12 21:21:06 UTC 2018


Hi All,

We have a mixed environment running with Windows and Linux with samba as 
the domain controller.  Smart card login is configured and working 
properly with pkinit and certs, etc 
(https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login) though I 
don't think this is related.

A handful of Windows clients are regularly getting their accounts locked 
during what seems to be a kerberos ticket renewal. The lockout setting 
is currently at 25 attempts.  In the logs (debug level cranked up to 5) 
I see 25 successive wrong password attempts in the course of a few 
seconds culminating in a lock out:

[2018/02/12 15:32:52.383900,  2] 
../auth/auth_log.c:760(log_authentication_event_human_readable)
   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user 
[(null)]\[exampleuser at MICROWAY] at [Mon, 12 Feb 2018 15:32:52.383881 
EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] 
workstation [(null)] remote host [ipv4:192.168.200.17:50205] mapped to 
[MICROWAY]\[exampleuser]. local host [NULL]
[2018/02/12 15:32:52.383948,  0] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Failed to decrypt PA-DATA -- exampleuser at MICROWAY
[2018/02/12 15:32:52.384618,  3] 
../source4/smbd/service_stream.c:65(stream_terminate_connection)
   Terminating connection - 'kdc_tcp_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/02/12 15:32:52.384687,  3] 
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[kdc_tcp_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2018/02/12 15:32:52.419400,  0] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ exampleuser at MICROWAY from ipv4:192.168.200.17:50207 
for krbtgt/MICROWAY at MICROWAY
[2018/02/12 15:32:52.422687,  0] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Client sent patypes: encrypted-timestamp, 128
[2018/02/12 15:32:52.422765,  5] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Looking for PKINIT pa-data -- exampleuser at MICROWAY
[2018/02/12 15:32:52.422799,  5] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Looking for ENC-TS pa-data -- exampleuser at MICROWAY
[2018/02/12 15:32:52.422837,  5] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Failed to decrypt PA-DATA -- exampleuser at MICROWAY (enctype 
arcfour-hmac-md5) error Decrypt integrity check failed
[2018/02/12 15:32:52.423074,  5] 
../source4/dsdb/common/util.c:5355(dsdb_update_bad_pwd_count)
   Updated badPwdCount on CN=exampleuser,CN=Users,DC=microway,DC=local 
after 24 wrong passwords
[2018/02/12 15:32:52.426895,  2] 
../auth/auth_log.c:760(log_authentication_event_human_readable)
   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user 
[(null)]\[exampleuser at MICROWAY] at [Mon, 12 Feb 2018 15:32:52.426870 
EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] 
workstation [(null)] remote host [ipv4:192.168.200.17:50207] mapped to 
[MICROWAY]\[exampleuser]. local host [NULL]
[2018/02/12 15:32:52.426929,  0] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Failed to decrypt PA-DATA -- exampleuser at MICROWAY
[2018/02/12 15:32:52.427465,  3] 
../source4/smbd/service_stream.c:65(stream_terminate_connection)
   Terminating connection - 'kdc_tcp_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/02/12 15:32:52.427522,  3] 
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[kdc_tcp_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2018/02/12 15:32:52.446440,  0] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ exampleuser at MICROWAY from ipv4:192.168.200.17:50209 
for krbtgt/MICROWAY at MICROWAY
[2018/02/12 15:32:52.449611,  0] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Client sent patypes: encrypted-timestamp, 128
[2018/02/12 15:32:52.449678,  5] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Looking for PKINIT pa-data -- exampleuser at MICROWAY
[2018/02/12 15:32:52.449699,  5] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Looking for ENC-TS pa-data -- exampleuser at MICROWAY
[2018/02/12 15:32:52.449738,  5] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Failed to decrypt PA-DATA -- exampleuser at MICROWAY (enctype 
arcfour-hmac-md5) error Decrypt integrity check failed
[2018/02/12 15:32:52.449976,  5] 
../source4/dsdb/common/util.c:5352(dsdb_update_bad_pwd_count)
   Locked out user CN=exampleuser,CN=Users,DC=microway,DC=local after 25 
wrong passwords


This lock out occurred at 15:32. The 3 previous lockouts were at 11:32, 
7:32, 00:32.  They seem to occur at a roughly whole number of hours 
since the last lockout, ranging from about 3 to about 9. This is why I 
think it's related to kerberos ticket renewal.


I've enabled kerberos LSA debugging on the offending clients but have 
not seen anything meaningful in them.  I also enabled verbose netlogon 
debugging on a client and that did not reveal anything either.

I tried doing a "klist purge" on one of the offending clients but the 
problem returned.

Where should I be looking next to resolve this?

Thanks,
Rick Warner
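
Added example, not part of the original post: one way to summarise failed ENC-TS pre-authentication bursts and lockout events from a Samba log wrapped like the excerpt above, grouped by user, source address and enctype. The sample log is constructed (user alice, realm EXAMPLE and address 192.0.2.17 are placeholders) and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the wrapped layout quoted above; all names and addresses are placeholders.
SAMPLE = r"""[2018/02/12 15:32:52.383900,  2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
[(null)]\[alice@EXAMPLE] at [Mon, 12 Feb 2018 15:32:52.383881
EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD]
workstation [(null)] remote host [ipv4:192.0.2.17:50205] mapped to
[EXAMPLE]\[alice]. local host [NULL]
[2018/02/12 15:32:52.426895,  2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
[(null)]\[alice@EXAMPLE] at [Mon, 12 Feb 2018 15:32:52.426870
EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD]
workstation [(null)] remote host [ipv4:192.0.2.17:50207] mapped to
[EXAMPLE]\[alice]. local host [NULL]
[2018/02/12 15:32:52.449976,  5]
../source4/dsdb/common/util.c:5352(dsdb_update_bad_pwd_count)
   Locked out user CN=alice,CN=Users,DC=example,DC=test after 25
wrong passwords"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]\s*(.*)$")
FAIL = re.compile(r"Auth: \[Kerberos KDC,ENC-TS Pre-authentication\] user \[[^\]]*\]\\\[([^\]]+)\]"
                  r".*? with \[([^\]]+)\] status \[NT_STATUS_WRONG_PASSWORD\].*? remote host \[ipv4:([\d.]+):\d+\]")
LOCKED = re.compile(r"Locked out user (\S+) after (\d+) wrong passwords")

def records(text):
    """Rejoin wrapped lines into [timestamp, message] records, one per log header."""
    out = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            out.append([datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"), m.group(2)])
        elif out and line.strip():
            out[-1][1] += " " + line.strip()
    return out

def summarize(text):
    """Return ({(user, enctype, source_ip): (failures, burst_seconds)}, [lockout events])."""
    fails, lockouts = {}, []
    for ts, msg in records(text):
        if (m := FAIL.search(msg)):
            fails.setdefault(m.groups(), []).append(ts)
        elif (m := LOCKED.search(msg)):
            lockouts.append((ts, m.group(1), int(m.group(2))))
    bursts = {k: (len(v), (max(v) - min(v)).total_seconds()) for k, v in fails.items()}
    return bursts, lockouts
```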