[Samba] Windows user domain accounts getting locked out regularly
Rick Warner
rick at microway.com
Mon Feb 12 21:21:06 UTC 2018
Hi All,
We have a mixed environment running with Windows and Linux with samba as
the domain controller. Smart card login is configured and working
properly with pkinit and certs, etc
(https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login) though I
don't think this is related.
A handful of Windows clients are regularly getting their accounts locked
during what seems to be a kerberos ticket renewal. The lockout setting
is currently at 25 attempts. In the logs (debug level cranked up to 5)
I see 25 successive wrong password attempts in the course of a few
seconds culminating in a lock out:
[2018/02/12 15:32:52.383900, 2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
[(null)]\[exampleuser at MICROWAY] at [Mon, 12 Feb 2018 15:32:52.383881
EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD]
workstation [(null)] remote host [ipv4:192.168.200.17:50205] mapped to
[MICROWAY]\[exampleuser]. local host [NULL]
[2018/02/12 15:32:52.383948, 0]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- exampleuser at MICROWAY
[2018/02/12 15:32:52.384618, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/02/12 15:32:52.384687, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2018/02/12 15:32:52.419400, 0]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ exampleuser at MICROWAY from ipv4:192.168.200.17:50207
for krbtgt/MICROWAY at MICROWAY
[2018/02/12 15:32:52.422687, 0]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp, 128
[2018/02/12 15:32:52.422765, 5]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- exampleuser at MICROWAY
[2018/02/12 15:32:52.422799, 5]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- exampleuser at MICROWAY
[2018/02/12 15:32:52.422837, 5]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- exampleuser at MICROWAY (enctype
arcfour-hmac-md5) error Decrypt integrity check failed
[2018/02/12 15:32:52.423074, 5]
../source4/dsdb/common/util.c:5355(dsdb_update_bad_pwd_count)
Updated badPwdCount on CN=exampleuser,CN=Users,DC=microway,DC=local
after 24 wrong passwords
[2018/02/12 15:32:52.426895, 2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
[(null)]\[exampleuser at MICROWAY] at [Mon, 12 Feb 2018 15:32:52.426870
EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD]
workstation [(null)] remote host [ipv4:192.168.200.17:50207] mapped to
[MICROWAY]\[exampleuser]. local host [NULL]
[2018/02/12 15:32:52.426929, 0]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- exampleuser at MICROWAY
[2018/02/12 15:32:52.427465, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/02/12 15:32:52.427522, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2018/02/12 15:32:52.446440, 0]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ exampleuser at MICROWAY from ipv4:192.168.200.17:50209
for krbtgt/MICROWAY at MICROWAY
[2018/02/12 15:32:52.449611, 0]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp, 128
[2018/02/12 15:32:52.449678, 5]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- exampleuser at MICROWAY
[2018/02/12 15:32:52.449699, 5]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- exampleuser at MICROWAY
[2018/02/12 15:32:52.449738, 5]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed to decrypt PA-DATA -- exampleuser at MICROWAY (enctype
arcfour-hmac-md5) error Decrypt integrity check failed
[2018/02/12 15:32:52.449976, 5]
../source4/dsdb/common/util.c:5352(dsdb_update_bad_pwd_count)
Locked out user CN=exampleuser,CN=Users,DC=microway,DC=local after 25
wrong passwords
This lock out occurred at 15:32. The 3 previous lockouts were at 11:32,
7:32, 00:32. They seem to occur at a roughly whole number of hours
since the last lockout, ranging from about 3 to about 9. This is why I
think it's related to kerberos ticket renewal.
I've enabled kerberos LSA debugging on the offending clients but have
not seen anything meaningful in them. I also enabled verbose netlogon
debugging on a client and that did not reveal anything either.
I tried doing a "klist purge" on one of the offending clients but the
problem returned.
Where should I be looking next to resolve this?
Thanks,
Rick Warner
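
An added example, not part of the original post and not Samba code: a triage script for the failure pattern in the log excerpt above, grouping NT_STATUS_WRONG_PASSWORD authentication records per user and source address into rapid bursts. The record layout follows the excerpt; the function names, thresholds, the second user and the 192.0.2.30 address are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+\d+\]")
AUTH = re.compile(
    r"Auth: \[[^\]]*\] user \[[^\]]*\]\\\[(?P<user>[^\]]*)\].*?"
    r"status \[(?P<status>\w+)\].*?remote host \[ipv4:(?P<ip>[\d.]+):\d+\]")

def parse_failures(text):
    """Yield (time, user, ip) for every NT_STATUS_WRONG_PASSWORD auth record."""
    parts = HEADER.split(text)  # ['', ts1, body1, ts2, body2, ...]
    for ts, body in zip(parts[1::2], parts[2::2]):
        m = AUTH.search(" ".join(body.split()))  # undo the log's line wrapping
        if m and m["status"] == "NT_STATUS_WRONG_PASSWORD":
            when = datetime.strptime(ts, "%Y/%m/%d %H:%M:%S.%f")
            # list archives rewrite "@" as " at "; normalise both spellings
            yield when, m["user"].replace(" at ", "@"), m["ip"]

def find_bursts(text, max_gap=1.0, min_count=3):
    """Group failures per (user, ip) into runs with gaps <= max_gap seconds."""
    by_key = defaultdict(list)
    for when, user, ip in parse_failures(text):
        by_key[(user, ip)].append(when)
    bursts = []
    for (user, ip), times in by_key.items():
        times.sort()
        run = [times[0]]
        for t in times[1:] + [None]:  # trailing None flushes the last run
            if t is not None and (t - run[-1]).total_seconds() <= max_gap:
                run.append(t)
                continue
            if len(run) >= min_count:
                bursts.append({"user": user, "ip": ip, "count": len(run), "start": run[0],
                               "seconds": (run[-1] - run[0]).total_seconds()})
            run = [t]
    return bursts

def _record(ts, user, ip, port):  # constructed record, wrapped like the excerpt
    return (f"[{ts}, 2]\n../auth/auth_log.c:760(log_authentication_event_human_readable)\n"
            f"  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user\n"
            f"[(null)]\\[{user}] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD]\n"
            f"workstation [(null)] remote host\n[ipv4:{ip}:{port}] local host [NULL]\n")

# Constructed sample: a four-failure burst plus one isolated failure.
SAMPLE = "".join(
    [_record(f"2018/02/12 15:32:52.{i}00000", "exampleuser at MICROWAY",
             "192.168.200.17", 50205 + 2 * i) for i in range(1, 5)]
    + [_record("2018/02/12 15:40:00.000000", "otheruser@MICROWAY", "192.0.2.30", 40000)])
```

Pass the contents of the DC's Samba log to `find_bursts`; with the lockout threshold of 25 from the post, `min_count=25` isolates runs long enough to trigger a lockout on their own.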