[Samba] Failed auth attempt i don't understand.

karel.de.macil at free.fr karel.de.macil at free.fr
Fri Oct 2 12:51:48 UTC 2020


On 02/10/2020 13:58, L.P.H. van Belle via samba wrote:
> I've seen something similar here.
> 
> Does this happen if you try to connect to a PC where you are already
> logged in?
> If yes, log out, test again.
> If no, reboot the PC and test again.

Just did it. And it works... Hours spent on this one.
Maybe bound to the fact that the FSMO has changed recently.

> What is the exact message you see?
> (optionally PM me the print screen)
> I do/did get some 0x... message when trying to log in on the first attempt.
> The second always worked for me.
> 
> And look up the Windows events.
> Or are we talking here about RDP on Linux workstations?  ;-)
> 
> 
> Greetz,
> 
> Louis
> 
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> karel de macil via samba
>> Sent: Friday 2 October 2020 13:25
>> To: karel.de.macil at free.fr
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] Failed auth attempt i don't understand.
>> 
>> On 01/10/2020 19:09, karel de macil via samba wrote:
>> > Hi all,
>> >
>> > When I try to authenticate against my AD (rdesktop authentication) I
>> > got a wrong password/logname message despite my logname and password
>> > being exact; in the log I have the following.
>> >
>> > Nothing wrong for me.
>> >
>> 
>> With more tests, this happened with both physical or network
>> connection on WINDOWS 10, BUT with Windows 7 all still works fluently.
>> If this rings any bells to anyone.
>> 
>> > The only strange thing being the: stream_terminate_connection:
>> > Terminating connection - 'kdc_tcp_call_loop:
>> > tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>> > line, in particular the second one, because just after it things seem
>> > to continue with the:
>> >
>> > Kerberos: TGS-REQ Administrator at LOCAL.MYDOMAIN from
>> > ipv4:192.168.1.23:62418 for
>> > host/vr083023.LOCAL.MYDOMAIN at LOCAL.MYDOMAIN [canonicalize,
>> > renewable, forwardable]
>> >
>> > line.
>> >
>> > Can anyone with more knowledge than me have an eye on the log and
>> > tell me if he sees anything wrong?
>> >
>> > And by the way, under Debian bullseye I can't seem to find any way to
>> > get the full log of samba.
>> > Despite this line:
>> > log level = 6;
>> > in my conf I can't seem to obtain the same level of log I get by
>> > doing:
>> >
>> > samba -i -d 6  --debug-stderr
>> >
>> > If anyone knows why, and how I can get my log to this level without
>> > launching my samba in interactive mode, I'm very interested.
>> >
>> > best regards
>> >
>> > Kerberos: AS-REQ administrator at LOCAL.MYDOMAIN from
>> > ipv4:192.168.1.23:62416 for krbtgt/LOCAL.MYDOMAIN at LOCAL.MYDOMAIN
>> > gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
>> > gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
>> > gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
>> > Kerberos: Client sent patypes: 128
>> > Kerberos: Looking for PKINIT pa-data -- administrator at LOCAL.MYDOMAIN
>> > Kerberos: Looking for ENC-TS pa-data -- administrator at LOCAL.MYDOMAIN
>> > Kerberos: No preauth found, returning PREAUTH-REQUIRED --
>> > administrator at LOCAL.MYDOMAIN
>> > stream_terminate_connection: Terminating connection -
>> > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
>> > NT_STATUS_CONNECTION_DISCONNECTED'
>> > Kerberos: AS-REQ administrator at LOCAL.MYDOMAIN from
>> > ipv4:192.168.1.23:62417 for krbtgt/LOCAL.MYDOMAIN at LOCAL.MYDOMAIN
>> > gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
>> > gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
>> > gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
>> > Kerberos: Client sent patypes: encrypted-timestamp, 128
>> > Kerberos: Looking for PKINIT pa-data -- administrator at LOCAL.MYDOMAIN
>> > Kerberos: Looking for ENC-TS pa-data -- administrator at LOCAL.MYDOMAIN
>> > Kerberos: ENC-TS Pre-authentication succeeded --
>> > administrator at LOCAL.MYDOMAIN using arcfour-hmac-md5
>> > Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
>> > [(null)]\[administrator at LOCAL.MYDOMAIN] at [Thu, 01 Oct 2020
>> > 17:54:36.401984 CEST] with [arcfour-hmac-md5] status [NT_STATUS_OK]
>> > workstation [(null)] remote host [ipv4:192.168.1.23:62417] became
>> > [local]\[Administrator]
>> > [S-1-5-21-2718981395-2814295682-4030710678-500]. local host [NULL]
>> > {"timestamp": "2020-10-01T17:54:36.402248+0200", "type":
>> > "Authentication", "Authentication": {"version": {"major": 1, "minor":
>> > 2}, "eventId": 4624, "logonId": "28970a9c6c2edc2a", "logonType": 3,
>> > "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress":
>> > "ipv4:192.168.1.23:62417", "serviceDescription": "Kerberos KDC",
>> > "authDescription": "ENC-TS Pre-authentication", "clientDomain": null,
>> > "clientAccount": "administrator at LOCAL.MYDOMAIN", "workstation": null,
>> > "becameAccount": "Administrator", "becameDomain": "local",
>> > "becameSid": "S-1-5-21-2718981395-2814295682-4030710678-500",
>> > "mappedAccount": "Administrator", "mappedDomain": "local",
>> > "netlogonComputer": null, "netlogonTrustAccount": null,
>> > "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType":
>> > 0, "netlogonTrustAccountSid": null, "passwordType":
>> > "arcfour-hmac-md5", "duration": 7783}}
>> > authsam_account_ok: Checking SMB password for user
>> > administrator at LOCAL.MYDOMAIN
>> > logon_hours_ok: No hours restrictions for user
>> > administrator at LOCAL.MYDOMAIN
>> > lastLogonTimestamp is 132456356073698900
>> > sync interval is 14
>> > randomised sync interval is 12 (-2)
>> > old timestamp is 132456356073698900, threshold 132450044764030630,
>> > diff 6311309668270
>> > DSDB Change [Modify] at [Thu, 01 Oct 2020 17:54:36.406688 CEST] status
>> > [Success] remote host [Unknown] SID [S-1-5-18] DN
>> > [CN=Administrator,CN=Users,DC=local,DC=MYDOMAIN] attributes [replace:
>> > lastLogon [132460412764030630] replace: logonCount [19748]]
>> > {"timestamp": "2020-10-01T17:54:36.406926+0200", "type": "dsdbChange",
>> > "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0,
>> > "status": "Success", "operation": "Modify", "remoteAddress": null,
>> > "performedAsSystem": false, "userSid": "S-1-5-18", "dn":
>> > "CN=Administrator,CN=Users,DC=local,DC=MYDOMAIN", "transactionId":
>> > "e1cf2141-8bf3-4100-bec6-d5be17915e3b", "sessionId":
>> > "2a7c4038-b378-4335-a7ad-81a8d8999bf4", "attributes": {"lastLogon":
>> > {"actions": [{"action": "replace", "values": [{"value":
>> > "132460412764030630"}]}]}, "logonCount": {"actions": [{"action":
>> > "replace", "values": [{"value": "19748"}]}]}}}}
>> > gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
>> > Kerberos: AS-REQ authtime: 2020-10-01T17:54:36 starttime: unset
>> > endtime: 2020-10-02T03:54:36 renew till: 2020-10-08T17:54:36
>> > Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
>> > aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, 3, using
>> > arcfour-hmac-md5/arcfour-hmac-md5
>> > Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
>> > forwardable
>> > stream_terminate_connection: Terminating connection -
>> > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
>> > NT_STATUS_CONNECTION_DISCONNECTED'
>> > gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
>> > gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
>> > Kerberos: TGS-REQ Administrator at LOCAL.MYDOMAIN from
>> > ipv4:192.168.1.23:62418 for
>> > host/vr083023.LOCAL.MYDOMAIN at LOCAL.MYDOMAIN [canonicalize,
>> > renewable, forwardable]
>> > gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
>> > gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
>> > gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
>> > gendb_search_v: DC=local,DC=MYDOMAIN NULL -> 1
>> > Kerberos: TGS-REQ authtime: 2020-10-01T17:54:36 starttime:
>> > 2020-10-01T17:54:36 endtime: 2020-10-02T03:54:36 renew till:
>> > 2020-10-08T17:54:36
>> > stream_terminate_connection: Terminating connection -
>> > 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
>> > NT_STATUS_CONNECTION_DISCONNECTED'
>> 
>> 
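
Added example, not part of the thread: a Python triage pass over the JSON `Authentication` records that Samba writes in between the text log lines quoted above. It lists each event's account, remote address, status and `passwordType`, and flags encryption types from a weak set; the set, the function name and the sample lines (constructed from the shape of the quoted log) are assumptions of this example.

```python
import json

# Encryption types this report treats as weak (assumption of this example).
WEAK_ENCTYPES = {"arcfour-hmac-md5", "des-cbc-md5", "des-cbc-crc"}

# Constructed sample: same record shape as the quoted log, shortened, plus a
# failed logon and a truncated line to exercise the error handling.
SAMPLE_LOG = """\
Kerberos: ENC-TS Pre-authentication succeeded -- administrator@LOCAL.MYDOMAIN using arcfour-hmac-md5
{"timestamp": "2020-10-01T17:54:36.402248+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.168.1.23:62417", "serviceDescription": "Kerberos KDC", "clientAccount": "administrator@LOCAL.MYDOMAIN", "passwordType": "arcfour-hmac-md5"}}
{"timestamp": "2020-10-01T17:54:36.406926+0200", "type": "dsdbChange", "dsdbChange": {"status": "Success", "operation": "Modify"}}
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
{"timestamp": "2020-10-01T18:02:11.000000+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.168.1.23:62500", "serviceDescription": "Kerberos KDC", "clientAccount": "administrator@LOCAL.MYDOMAIN", "passwordType": "aes256-cts-hmac-sha1-96"}}
{"timestamp": "2020-10-01T18:05:00
"""


def auth_events(text):
    """Return one summary dict per JSON Authentication record in a Samba log."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # plain debug line, not a JSON audit record
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or mail-wrapped record, skip it
        if record.get("type") != "Authentication":
            continue  # e.g. dsdbChange records
        auth = record.get("Authentication", {})
        enctype = auth.get("passwordType")
        events.append({
            "timestamp": record.get("timestamp"),
            "account": auth.get("clientAccount"),
            "remote": auth.get("remoteAddress"),
            "service": auth.get("serviceDescription"),
            "status": auth.get("status"),
            "success": auth.get("status") == "NT_STATUS_OK",
            "enctype": enctype,
            "weak_enctype": enctype in WEAK_ENCTYPES,
        })
    return events


if __name__ == "__main__":
    for ev in auth_events(SAMPLE_LOG):
        flag = " WEAK-ENCTYPE" if ev["weak_enctype"] else ""
        print(ev["timestamp"], ev["account"], ev["remote"], ev["status"], ev["enctype"] + flag)
```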


