[Samba] Failed auth attempt I don't understand.

karel.de.macil at free.fr karel.de.macil at free.fr
Thu Oct 1 17:09:36 UTC 2020


Hi all,

when I try to authenticate against my AD (rdesktop authentication) I get 
a wrong password/logname message despite my logname and password
being exact. In the log I have the following.

Nothing wrong for me.

The only strange thing is the: stream_terminate_connection: 
Terminating connection - 'kdc_tcp_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' line, 
in particular the second one, because just after it things seem to continue 
with the:

Kerberos: TGS-REQ Administrator at LOCAL.MYDOMAIN from 
ipv4:192.168.1.23:62418 for host/vr083023.LOCAL.MYDOMAIN at LOCAL.MYDOMAIN 
[canonicalize, renewable, forwardable]

line.

Can anyone with more knowledge than me have a look at the log and tell 
me if they see anything wrong?

And by the way, under Debian bullseye I can't seem to find any way to 
get the full log of Samba.
Despite this line:
log level = 6;
in my conf I can't seem to obtain the same level of log I get by doing:

samba -i -d 6  --debug-stderr

If anyone knows why, and how I can get my log to this level without 
launching my Samba in interactive mode, I'm very interested.

Best regards

Kerberos: AS-REQ administrator at LOCAL.MYDOMAIN from 
ipv4:192.168.1.23:62416 for krbtgt/LOCAL.MYDOMAIN at LOCAL.MYDOMAIN
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
Kerberos: Client sent patypes: 128
Kerberos: Looking for PKINIT pa-data -- administrator at LOCAL.MYDOMAIN
Kerberos: Looking for ENC-TS pa-data -- administrator at LOCAL.MYDOMAIN
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- 
administrator at LOCAL.MYDOMAIN
stream_terminate_connection: Terminating connection - 
'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - 
NT_STATUS_CONNECTION_DISCONNECTED'
Kerberos: AS-REQ administrator at LOCAL.MYDOMAIN from 
ipv4:192.168.1.23:62417 for krbtgt/LOCAL.MYDOMAIN at LOCAL.MYDOMAIN
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- administrator at LOCAL.MYDOMAIN
Kerberos: Looking for ENC-TS pa-data -- administrator at LOCAL.MYDOMAIN
Kerberos: ENC-TS Pre-authentication succeeded -- 
administrator at LOCAL.MYDOMAIN using arcfour-hmac-md5
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user 
[(null)]\[administrator at LOCAL.MYDOMAIN] at [Thu, 01 Oct 2020 
17:54:36.401984 CEST] with [arcfour-hmac-md5] status [NT_STATUS_OK] 
workstation [(null)] remote host [ipv4:192.168.1.23:62417] became 
[local]\[Administrator] [S-1-5-21-2718981395-2814295682-4030710678-500]. 
local host [NULL]
{"timestamp": "2020-10-01T17:54:36.402248+0200", "type": 
"Authentication", "Authentication": {"version": {"major": 1, "minor": 
2}, "eventId": 4624, "logonId": "28970a9c6c2edc2a", "logonType": 3, 
"status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": 
"ipv4:192.168.1.23:62417", "serviceDescription": "Kerberos KDC", 
"authDescription": "ENC-TS Pre-authentication", "clientDomain": null, 
"clientAccount": "administrator at LOCAL.MYDOMAIN", "workstation": null, 
"becameAccount": "Administrator", "becameDomain": "local", "becameSid": 
"S-1-5-21-2718981395-2814295682-4030710678-500", "mappedAccount": 
"Administrator", "mappedDomain": "local", "netlogonComputer": null, 
"netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", 
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, 
"passwordType": "arcfour-hmac-md5", "duration": 7783}}
authsam_account_ok: Checking SMB password for user 
administrator at LOCAL.MYDOMAIN
logon_hours_ok: No hours restrictions for user 
administrator at LOCAL.MYDOMAIN
lastLogonTimestamp is 132456356073698900
sync interval is 14
randomised sync interval is 12 (-2)
old timestamp is 132456356073698900, threshold 132450044764030630, diff 
6311309668270
DSDB Change [Modify] at [Thu, 01 Oct 2020 17:54:36.406688 CEST] status 
[Success] remote host [Unknown] SID [S-1-5-18] DN 
[CN=Administrator,CN=Users,DC=local,DC=MYDOMAIN] attributes [replace: 
lastLogon [132460412764030630] replace: logonCount [19748]]
{"timestamp": "2020-10-01T17:54:36.406926+0200", "type": "dsdbChange", 
"dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, 
"status": "Success", "operation": "Modify", "remoteAddress": null, 
"performedAsSystem": false, "userSid": "S-1-5-18", "dn": 
"CN=Administrator,CN=Users,DC=local,DC=MYDOMAIN", "transactionId": 
"e1cf2141-8bf3-4100-bec6-d5be17915e3b", "sessionId": 
"2a7c4038-b378-4335-a7ad-81a8d8999bf4", "attributes": {"lastLogon": 
{"actions": [{"action": "replace", "values": [{"value": 
"132460412764030630"}]}]}, "logonCount": {"actions": [{"action": 
"replace", "values": [{"value": "19748"}]}]}}}}
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
Kerberos: AS-REQ authtime: 2020-10-01T17:54:36 starttime: unset endtime: 
2020-10-02T03:54:36 renew till: 2020-10-08T17:54:36
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, 
aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using 
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok, canonicalize, renewable, 
forwardable
stream_terminate_connection: Terminating connection - 
'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - 
NT_STATUS_CONNECTION_DISCONNECTED'
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
Kerberos: TGS-REQ Administrator at LOCAL.MYDOMAIN from 
ipv4:192.168.1.23:62418 for host/vr083023.LOCAL.MYDOMAIN at LOCAL.MYDOMAIN 
[canonicalize, renewable, forwardable]
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
Kerberos: TGS-REQ authtime: 2020-10-01T17:54:36 starttime: 
2020-10-01T17:54:36 endtime: 2020-10-02T03:54:36 renew till: 
2020-10-08T17:54:36
stream_terminate_connection: Terminating connection - 
'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - 
NT_STATUS_CONNECTION_DISCONNECTED'
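
One way to read the KDC part of a log like the one above, as an added example (not part of the original post and not Samba code): it groups the lines into one record per request, so each client port shows the step it reached and the encryption type used. The sample lines are constructed from the post's log with the archive's line wrapping undone and the JSON record trimmed; `summarize` and its field names are hypothetical.

```python
import json
import re
# Constructed sample: lines modelled on the log in the post, with the mail
# archive's line wrapping undone and the JSON record trimmed to three fields.
DISC = "stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'"
SAMPLE = [
    "Kerberos: AS-REQ administrator at LOCAL.MYDOMAIN from ipv4:192.168.1.23:62416 for krbtgt/LOCAL.MYDOMAIN at LOCAL.MYDOMAIN",
    "Kerberos: No preauth found, returning PREAUTH-REQUIRED -- administrator at LOCAL.MYDOMAIN",
    DISC,
    "Kerberos: AS-REQ administrator at LOCAL.MYDOMAIN from ipv4:192.168.1.23:62417 for krbtgt/LOCAL.MYDOMAIN at LOCAL.MYDOMAIN",
    "Kerberos: ENC-TS Pre-authentication succeeded -- administrator at LOCAL.MYDOMAIN using arcfour-hmac-md5",
    '{"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "serviceDescription": "Kerberos KDC", "passwordType": "arcfour-hmac-md5"}}',
    "Kerberos: AS-REQ authtime: 2020-10-01T17:54:36 starttime: unset endtime: 2020-10-02T03:54:36 renew till: 2020-10-08T17:54:36",
    DISC,
    "Kerberos: TGS-REQ Administrator at LOCAL.MYDOMAIN from ipv4:192.168.1.23:62418 for host/vr083023.LOCAL.MYDOMAIN at LOCAL.MYDOMAIN [canonicalize, renewable, forwardable]",
    "Kerberos: TGS-REQ authtime: 2020-10-01T17:54:36 starttime: 2020-10-01T17:54:36 endtime: 2020-10-02T03:54:36 renew till: 2020-10-08T17:54:36",
    DISC,
]

REQ = re.compile(r"Kerberos: (AS-REQ|TGS-REQ) (\S+) at \S+ from ipv4:[\d.]+:(\d+) for (\S+) at ")
ISSUED = re.compile(r"Kerberos: (?:AS-REQ|TGS-REQ) authtime:")
ENCTS = re.compile(r"ENC-TS Pre-authentication succeeded -- .* using (\S+)")

def summarize(lines):
    """Group KDC log lines into one record per request (one per TCP connection)."""
    exchanges, cur = [], None
    for line in lines:
        m = REQ.search(line)
        if m:
            cur = {"type": m[1], "client": m[2], "port": int(m[3]), "service": m[4],
                   "result": "no reply logged", "etype": None, "auth_status": None}
            exchanges.append(cur)
        elif cur is None:
            continue  # line outside any request, nothing to attach it to
        elif "returning PREAUTH-REQUIRED" in line:
            cur["result"] = "preauth-required"
        elif (m := ENCTS.search(line)):
            cur["etype"] = m[1]
        elif line.startswith("{"):  # JSON audit record; only Authentication carries a status
            cur["auth_status"] = json.loads(line).get("Authentication", {}).get("status", cur["auth_status"])
        elif ISSUED.search(line):
            cur["result"] = "ticket-issued"
        elif line.startswith("stream_terminate_connection"):
            cur = None  # connection closed; the next request opens a new record
    return exchanges

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```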
