Mark Foley mfoley at ohprs.org
Sun Jan 20 18:58:03 UTC 2019

Ah ha! I believe I've solved this.  I checked the Windows credentials repository.  There was a
'mark' ID and likely an old password stored there.  I deleted that credential, rebooted, and no
more lock out message. 

During the past year, the 'classic' Samba file server was added as a domain member and all
domain member workstations then had to use domain credentials for mapping drives.  As
mentioned, on this particular host I log in as the domain administrator to do things like ADUC. 
Once upon a time it also mapped a share, but since the dom administrator is not a normal domain
user, its credentials didn't work (I posted a thread about that here last year).  So, I mapped
the drive using a normal domain user's credentials.  I've long since NOT mapped that drive and
forgot that I had once done that. 

Recently, the 'mark' password expired and I had to change it.  That's when the trouble started,
which makes sense since the credential repository certainly had the old password. 

What's interesting is that Windows apparently tries to validate the repository credentials when
the admin user logs on even if no mapping is happening.  I guess it does that at login time
just in case. 


-----Original Message-----
Date: Sat, 19 Jan 2019 16:38:29 -0500
To: samba at lists.samba.org
From: Mark Foley via samba <samba at lists.samba.org>

On Sat, 19 Jan 2019 19:03:58 +0000 Rowland Penny wrote:
> On Sat, 19 Jan 2019 13:37:18 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
> > I sure could use some help on this.  Perhaps this problem is due to a
> > recent Windows update?
> > 
> > I have determined that whenever I log into the Windows 7 host
> > DBSERVER from any other Windows 7 computer, whether it be a local
> > domain workstation or an external computer, and regardless of whether
> > the client workstation is logged in as 'mark' or any other user, I
> > have the lockout problem.
> > 
> > As soon as I log into Windows 7 host dbserver as the domain
> > administrator I immediately see a series of 10 to 15 of the following
> > log.samba messages:
> > 
> >   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> > [(null)]\[mark at HPRS] at [Sat, 19 Jan 2019 12:18:27.881822 EST] with
> > [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation
> > [(null)] remote host [ipv4:] mapped to
> > [HPRS]\[mark]. local host [NULL] 
> > 
> > Then, if I try to log into ANY domain member as user 'mark' I cannot
> > and the log.samba has:
> > 
> >   auth_check_password_recv: sam authentication for user [HPRS\mark]
> > FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT, authoritative=1 Auth:
> > [SamLogon,network] user [HPRS]\[mark] at [Sat, 19 Jan 2019
> > 12:28:06.590937 EST] with [NTLMv2] status
> > [NT_STATUS_ACCOUNT_LOCKED_OUT] workstation [WIN7VM] remote host
> > [ipv4:] mapped to [HPRS]\[mark]. local host
> > [ipv4:]  NETLOGON computer [DBSERVER] trust account
> > 
> > The administrator user does not map any drives or otherwise seem to
> > run anything as user 'mark'.
> > 
> > I cannot figure out why something is trying to login/connect as user
> > 'mark' with an invalid password even when logging in as the
> > administrator, not 'mark'. 
> > 
> > Furthermore, when I do actually log into this computer as 'mark' and
> > enter the correct PW, it works fine, no Auth errors. 
> > 
> > Could someone point me in the right direction for research? 
> > 
> > --Mark
> > 
> If this is only happening with one PC, then you need to check that PC.
> It looks like something is trying to do something it probably
> shouldn't, I take it you have run a deep virus scan?
> Rowland

Yes, this is the only machine it's happening on. I've tried logging into other domain member
workstations as the domain admin, and no such errors/lockout occur.

> It looks like something is trying to do something it probably shouldn't,

Any idea what it could be? This computer has been a Samba4 domain member for about 4 years.  It
is a server, no email, no network attached drives, no normal users log in except for me as the
administrator to occasionally run ADUC and also to occasionally run/configure Acronis backup
(which I've now deleted from the system in case that was the problem -- it wasn't); and I log
in as 'mark' to run SQL Server Management Studio.  As mentioned, when I actually log in as
'mark' I have lockout consequences. 

I've sent another response on this to Andrew Bartlett with kerberos logging info.

I have run, and am running now, a virus scan. So far nothing bad found.


(Rowland sorry about the partial message sent to your personal account. The send button got
away from me)
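
For tracing a lockout like the one in this thread from the DC side, the following added example (not part of the original messages and not Samba project code) parses `Auth:` lines in the format quoted above and reports, for each locked-out account, which remote hosts sent a burst of wrong passwords. The sample lines are constructed, using 192.0.2.x documentation addresses because the remote host fields quoted in the thread are blank; the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_RE = re.compile(  # field layout follows the log.samba lines quoted in the thread
    r"Auth: \[(?P<service>[^\]]*)\] user \[[^\]]*\]\\\[[^\]]*\] at \[(?P<ts>[^\]]*)\] "
    r"with \[(?P<mech>[^\]]*)\] status \[(?P<status>[^\]]*)\] workstation \[[^\]]*\] "
    r"remote host \[(?P<remote>[^\]]*)\] mapped to \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\]")

def parse_auth(line):
    """Return (account, source, status, time) for an Auth: line, else None."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    # "Sat, 19 Jan 2019 12:18:27.881822 EST" -> drop weekday and zone name
    stamp = m["ts"].split(", ", 1)[-1].rsplit(" ", 1)[0]
    when = datetime.strptime(stamp, "%d %b %Y %H:%M:%S.%f")
    remote = m["remote"]
    source = remote.rsplit(":", 1)[0] if remote.count(":") > 1 else remote  # strip port
    return (m["dom"] + "\\" + m["user"], source, m["status"], when)

def lockout_sources(lines, threshold=3, window=timedelta(minutes=5)):
    """Map each locked-out account to the hosts that sent at least `threshold`
    wrong passwords for it inside one sliding time window."""
    failures, locked = defaultdict(list), set()
    for account, source, status, when in filter(None, map(parse_auth, lines)):
        if status == "NT_STATUS_WRONG_PASSWORD":
            failures[(account, source)].append(when)
        elif status == "NT_STATUS_ACCOUNT_LOCKED_OUT":
            locked.add(account)
    result = defaultdict(dict)
    for (account, source), times in failures.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if account in locked and best >= threshold:
            result[account][source] = best
    return dict(result)

# Constructed sample lines (not taken from a real log).
_T = ("Auth: [{0}] user [HPRS]\\[mark] at [Sat, 19 Jan 2019 12:{1}.881822 EST] with [{2}] status "
      "[{3}] workstation [(null)] remote host [ipv4:{4}] mapped to [HPRS]\\[mark]. local host [NULL]")
KDC, BAD = "Kerberos KDC,ENC-TS Pre-authentication", "NT_STATUS_WRONG_PASSWORD"
SAMPLE = [_T.format(KDC, f"18:{27 + i}", "arcfour-hmac-md5", BAD, f"192.0.2.25:4920{i}") for i in range(4)]
SAMPLE += [_T.format(KDC, "20:01", "arcfour-hmac-md5", BAD, "192.0.2.40:51000"),
           _T.format("SamLogon,network", "28:06", "NTLMv2", "NT_STATUS_ACCOUNT_LOCKED_OUT", "192.0.2.31:49300")]
```

The reported source is the address of the machine holding the stale credential, which is where the Windows credential store needs to be checked.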
