[Samba] Workstation authentication and authorization failed event

lingpanda101 lingpanda101 at gmail.com
Tue Mar 6 17:31:38 UTC 2018


     I've recently enabled authentication logging and it's been working well. Today I see a failure for a workstation.

Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[pc-45 at DOMAIN.LOCAL] at [Tue, 06 Mar 2018 11:42:15.767915 EST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:] mapped to [DOMAIN]\[PC-45]. local host [NULL]

In the past this was due to replication failure on a DC. However I'm not sure how to interpret this log. I would expect to see something like PC-45$@DOMAIN.LOCAL. Without the dollar sign it looks as if someone attempted to sign in locally with the username 'PC-45'. I'm in the early stages of investigation but am I correct in this thought process? Thanks.


More information about the samba mailing list