Rowland Penny rpenny at samba.org
Sat Jan 19 19:03:58 UTC 2019

On Sat, 19 Jan 2019 13:37:18 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:

> I sure could use some help on this.  Perhaps this problem is due to a
> recent Windows update?
> I have determined that whenever I log into the Windows 7 host
> DBSERVER from any other Windows 7 computer, whether it be a local
> domain workstation or an external computer, and regardless of whether
> the client workstation is logged in as 'mark' or any other user, I
> have the lockout problem.
> As soon as I log into Windows 7 host dbserver as the domain
> administrator I immediately see series 10 to 15 of the following
> log.samba messages:
>   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> [(null)]\[mark at HPRS] at [Sat, 19 Jan 2019 12:18:27.881822 EST] with
> [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation
> [(null)] remote host [ipv4:] mapped to
> [HPRS]\[mark]. local host [NULL] 
> Then, if I try to log into ANY domain member as user 'mark' I cannot
> and the log.samba has:
>   auth_check_password_recv: sam authentication for user [HPRS\mark]
> FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT, authoritative=1 Auth:
> [SamLogon,network] user [HPRS]\[mark] at [Sat, 19 Jan 2019
> 12:28:06.590937 EST] with [NTLMv2] status
> [NT_STATUS_ACCOUNT_LOCKED_OUT] workstation [WIN7VM] remote host
> [ipv4:] mapped to [HPRS]\[mark]. local host
> [ipv4:]  NETLOGON computer [DBSERVER] trust account
> The administrator user does not map any drives or otherwise seem to
> run anything as user 'mark'.
> I cannot figure out why something is trying to login/connect as user
> 'mark' with an invalid password even when logging in as the
> administrator, not 'mark'. 
> Furthermore, when I do actually log into this computer as 'mark' and
> enter the correct PW, it works fine, no Auth errors. 
> Could someone point me in the right direction for research? 
> --Mark

If this is only happening with one PC, then you need to check that PC.
It looks like something is trying to do something it probably
shouldn't, I take it you have run a deep virus scan?
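
An added example, not part of the original thread: a short Python tally of the "Auth:" audit lines in the format quoted above, showing which remote host and service the failed logons for one account come from. It assumes one audit record per line; the function names, addresses, ports and the user alice are constructed for illustration.

```python
import re
from collections import Counter

# Field layout of the "Auth:" audit lines quoted in the post above.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^\]]*)\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
    r" at \[(?P<when>[^\]]*)\] with \[(?P<mech>[^\]]*)\] status \[(?P<status>[^\]]*)\]"
    r" workstation \[(?P<workstation>[^\]]*)\] remote host \[(?P<remote>[^\]]*)\]"
)

# Constructed sample records (documentation addresses, not values from the thread).
SAMPLE = r"""
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[mark@HPRS] at [Sat, 19 Jan 2019 12:18:27.881822 EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.0.2.21:49213] mapped to [HPRS]\[mark]. local host [NULL]
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[mark@HPRS] at [Sat, 19 Jan 2019 12:18:27.902114 EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.0.2.21:49214] mapped to [HPRS]\[mark]. local host [NULL]
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[mark@HPRS] at [Sat, 19 Jan 2019 12:18:27.930771 EST] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:192.0.2.21:49215] mapped to [HPRS]\[mark]. local host [NULL]
Auth: [SamLogon,network] user [HPRS]\[mark] at [Sat, 19 Jan 2019 12:28:06.590937 EST] with [NTLMv2] status [NT_STATUS_ACCOUNT_LOCKED_OUT] workstation [WIN7VM] remote host [ipv4:192.0.2.34:49170] mapped to [HPRS]\[mark]. local host [ipv4:192.0.2.1:445]
Auth: [SamLogon,network] user [HPRS]\[alice] at [Sat, 19 Jan 2019 12:29:10.114002 EST] with [NTLMv2] status [NT_STATUS_OK] workstation [WIN7VM] remote host [ipv4:192.0.2.34:49171] mapped to [HPRS]\[alice]. local host [ipv4:192.0.2.1:445]
""".strip().splitlines()


def parse_auth(line):
    """Return the fields of one Auth: record as a dict, or None if it is not one."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Kerberos records carry the principal as user@REALM; keep the bare account name.
    rec["user"] = rec["user"].split("@")[0].lower()
    # "ipv4:192.0.2.21:49213" -> "192.0.2.21" (drop address family and source port).
    rec["remote"] = rec["remote"].split(":", 1)[-1].rsplit(":", 1)[0]
    return rec


def failure_sources(lines, account):
    """Count failed logons for `account`, keyed by (status, remote IP, service).

    WRONG_PASSWORD rows name the host that causes the lockout;
    ACCOUNT_LOCKED_OUT rows are only the later effect seen from other hosts.
    """
    hits = Counter()
    for line in lines:
        rec = parse_auth(line)
        if rec and rec["user"] == account.lower() and rec["status"] != "NT_STATUS_OK":
            hits[(rec["status"], rec["remote"], rec["service"])] += 1
    return hits


if __name__ == "__main__":
    for key, count in failure_sources(SAMPLE, "mark").most_common():
        print(count, *key, sep="  ")
```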

