[Samba] Intermittent Authentication Errors

Andrew Bartlett abartlet at samba.org
Wed Sep 19 17:41:50 UTC 2018

On Tue, 2018-09-18 at 12:19 -0500, Matthew Delfino via samba wrote:
> Hello Samba People,
> We have a Kerio Connect (email) server using Samba 4.8.5 as its
> directory service (3 AD DCs). We’ve been using this setup for about 3
> years now.
> Over the last several months, we’ve been trying to find out why Samba
> starts rejecting attempts that the Kerio Connect mail server makes to
> authenticate our users. The errors in Kerio look like this:
> Authentication failed for user joe.schmoe at domain.com. Attempt from IP
> address External authentication service rejected
> authentication due to invalid password or authentication restriction.
> This will repeat about 40 times for 40 different users over the
> course of, say 5 minutes or as long as 20 minutes (in which case, it
> might affect all 130 users). Then, it just stops.
> Now, this could be Kerio’s fault. So, I’m exploring all my options. A
> Kerio Connect server sends a lot of authentication requests per
> minute - like, sometimes 100 to 140. But I was wondering if anyone
> knows of any configuration settings I might be able to tweak on my
> DCs to make them more welcoming of rapid authentication requests?

What I would do is try and work out what the error is on the Samba
side, turning up the logs and using the JSON auditing feature to get
good, machine-parsable data.

Then line up the failing authentications with the logs and try to work
out a pattern.  Is the LDAP server falling over due to out of memory
for example, or is the server swapping?

Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
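
One way to do the lining-up suggested in the reply above, as an added example that is not part of the original thread and not Samba's own code: it reads Samba log text containing JSON authentication records, groups the non-OK results by minute, and reports bursts with their status codes, accounts and client addresses. The record field names (`timestamp`, `type`, `Authentication.status`, `clientAccount`, `remoteAddress`) are assumed from Samba's JSON authentication log format, and the sample lines and status values are constructed.

```python
import json
from collections import Counter, defaultdict

def _sample(ts, status, user, port):
    # Builds one constructed record; field names are assumed from Samba's JSON auth log.
    auth = {"status": status, "serviceDescription": "LDAP",
            "authDescription": "simple bind", "clientAccount": user,
            "remoteAddress": f"ipv4:192.0.2.10:{port}"}
    return "  " + json.dumps({"timestamp": ts, "type": "Authentication",
                              "Authentication": auth})

# Constructed sample log: a plain debug header line mixed with JSON records.
SAMPLE_LOG = "\n".join([
    "[2018/09/19 17:39:58.000000,  3] constructed debug header, not JSON",
    _sample("2018-09-19T17:39:58.000000+0000", "NT_STATUS_OK", "alice", 51000),
    _sample("2018-09-19T17:40:02.000000+0000", "NT_STATUS_NO_MEMORY", "alice", 51001),
    _sample("2018-09-19T17:40:05.000000+0000", "NT_STATUS_NO_MEMORY", "bob", 51002),
    _sample("2018-09-19T17:40:41.000000+0000", "NT_STATUS_NO_MEMORY", "carol", 51003),
    _sample("2018-09-19T17:52:10.000000+0000", "NT_STATUS_WRONG_PASSWORD", "dave", 51004),
])

def parse_auth_events(text):
    """Yield (timestamp, record) for each Authentication event; skip non-JSON lines."""
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue
        try:
            rec = json.loads(line[start:])
        except ValueError:
            continue  # truncated or interleaved line
        if rec.get("type") == "Authentication":
            yield rec.get("timestamp", ""), rec.get("Authentication", {})

def failure_bursts(text, threshold=3):
    """Return {minute: summary} for minutes with at least `threshold` failed auths."""
    buckets = defaultdict(lambda: {"status": Counter(), "users": set(), "clients": set()})
    for ts, auth in parse_auth_events(text):
        if auth.get("status") == "NT_STATUS_OK":
            continue
        b = buckets[ts[:16]]  # "YYYY-MM-DDTHH:MM" is the per-minute bucket key
        b["status"][auth.get("status")] += 1
        b["users"].add(auth.get("clientAccount"))
        # Drop the ephemeral source port so one client host counts once.
        b["clients"].add((auth.get("remoteAddress") or "").rsplit(":", 1)[0])
    return {m: b for m, b in sorted(buckets.items())
            if sum(b["status"].values()) >= threshold}

if __name__ == "__main__":
    for minute, b in failure_bursts(SAMPLE_LOG).items():
        print(minute, dict(b["status"]), sorted(b["users"]), sorted(b["clients"]))
```

The flagged minutes can then be compared with the timestamps of the mail server's errors and with memory or swap metrics for the same interval.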
