[Samba] NT_STATUS_ACCOUNT_LOCKED_OUT

Mark Foley mfoley at ohprs.org
Sat Jan 19 21:26:21 UTC 2019


On Sun, 20 Jan 2019 08:06:26 +1300 Andrew Bartlett wrote:
>
> On Sat, 2019-01-19 at 13:37 -0500, Mark Foley via samba wrote:
> > I sure could use some help on this.  Perhaps this problem is due to a
> > recent Windows update?
> >
> > Furthermore, when I do actually log into this computer as 'mark' and
> > enter the correct PW, it
> > works fine, no Auth errors. 
> > 
> > Could someone point me in the right direction for research? 
>
> Turn up the Samba log level further so you get the Kerberos: messages
> from the internal Heimdal KDC.  That may help us see what is going
> wrong.
>
> Andrew Bartlett
> -- 

Andrew, added kerberos:10 to samba Log Level. Got the following:


[2019/01/19 16:12:48.582972,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ mark at HPRS from ipv4:192.168.0.4:63581 for krbtgt/HPRS at HPRS

[2019/01/19 16:12:48.584099,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128

[2019/01/19 16:12:48.584109,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- mark at HPRS

[2019/01/19 16:12:48.584113,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client (mark at HPRS) is locked out

I've not seen the syntax mark at OHPRS before.  Is this legit? Normally, I see HPRS\mark where
HPRS is the domain (hprs.local) and mark is the user. 

Does this provide some clues? Is something messed up with my kerberos settings?

--Mark
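
Added example (not part of the original message, and not Samba project code): a small Python parser for the "Kerberos:" lines the internal KDC writes at the log level used above. It pairs each "is locked out" rejection with the source address of that principal's most recent AS-REQ. The sample log reuses two entries quoted in the post plus one constructed AS-REQ for a hypothetical user "alice"; the function names are illustrative.

```python
import re
from collections import Counter

# Sample: two entries from the post plus one constructed AS-REQ (alice).
# The archived copy shows "mark at HPRS"; "mark@HPRS" is accepted as well.
SAMPLE_LOG = """\
[2019/01/19 16:12:48.582972,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ mark at HPRS from ipv4:192.168.0.4:63581 for krbtgt/HPRS at HPRS
[2019/01/19 16:12:48.584113,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client (mark at HPRS) is locked out
[2019/01/19 16:13:02.100000,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ alice@HPRS from ipv4:192.168.0.9:50112 for krbtgt/HPRS@HPRS
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*\d+\]")
PRINC = r"(\S+?)(?:@| at )(\S+)"  # user and realm, either separator
AS_REQ = re.compile(r"Kerberos: AS-REQ " + PRINC + r" from (ipv[46]):(\S+):(\d+) for ")
LOCKED = re.compile(r"Kerberos: Client \(" + PRINC + r"\) is locked out")

def locked_out_sources(log_text):
    """Return [(timestamp, principal, source_ip)] for each lockout rejection."""
    stamp, last_src, hits = None, {}, []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:  # header line: remember its timestamp for the message that follows
            stamp = m.group(1)
            continue
        m = AS_REQ.search(line)
        if m:  # remember where this principal's latest request came from
            user, realm, _family, addr, _port = m.groups()
            last_src[f"{user}@{realm}".lower()] = addr
            continue
        m = LOCKED.search(line)
        if m:  # attribute the rejection to the last AS-REQ seen for the principal
            princ = f"{m.group(1)}@{m.group(2)}"
            hits.append((stamp, princ, last_src.get(princ.lower(), "unknown")))
    return hits

def summarize(hits):
    """Count lockout rejections per (principal, source address)."""
    return Counter((princ, ip) for _, princ, ip in hits)

if __name__ == "__main__":
    for (princ, ip), n in summarize(locked_out_sources(SAMPLE_LOG)).items():
        print(f"{princ} rejected as locked out {n}x, requests from {ip}")
```

Run against the full Samba log instead of SAMPLE_LOG, the per-address counts show which client machines keep presenting requests for an account that is already locked.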


