auth audit log question

Samba - General mailing list

Hi,

Since samba 4.7 I have set up auth logging, and while I can relate most
failed passwords to users mistyping a password, there is one kind that I
don't understand, happening across our samba-DCs.

Things work without issues, but I'm just being curious. :-)

> [2017/11/23 04:47:32.166753,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
>   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.166711 CET] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:1.2.3.30:62827] mapped to [WRKGRP]\[P002556$]. local host [NULL]
> [2017/11/23 04:47:32.170564,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
>   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.170557 CET] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:1.2.3.30:62828] became [WRKGRP]\[P002556$] [S-1-5-21-90834550-981288634-869225949-132733]. local host [NULL]

First NT_STATUS_WRONG_PASSWORD, immediately followed by NT_STATUS_OK for
the same workstation.

We can domain-logon onto the workstation, I can open AD shares including
\\samba-dc2, \\member_server, etc. All without problem. So the domain
password / join appears to be correct.

P002556$@SAMBA.COMPANY.COM is running Windows Server 2008 Enterprise, SP2.

Could anyone think of other reasons why the above error could come up on
the DC logs?

MJ

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: auth audit log question

On Thu, 2017-11-23 at 13:54 +0100, mj via samba wrote:

> Hi,
>
> Since samba 4.7 I have set up auth logging, and while I can relate most
> failed passwords to users mistyping a password, there is one kind that I
> don't understand, happening across our samba-DCs.
>
> Things work without issues, but I'm just being curious. :-)
>
> > [2017/11/23 04:47:32.166753,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
> >   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.166711 CET] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:1.2.3.30:62827] mapped to [WRKGRP]\[P002556$]. local host [NULL]
> > [2017/11/23 04:47:32.170564,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
> >   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.170557 CET] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:1.2.3.30:62828] became [WRKGRP]\[P002556$] [S-1-5-21-90834550-981288634-869225949-132733]. local host [NULL]
>
> First NT_STATUS_WRONG_PASSWORD, immediately followed by NT_STATUS_OK for
> the same workstation.
>
> We can domain-logon onto the workstation, I can open AD shares including
> \\samba-dc2, \\member_server, etc. All without problem. So the domain
> password / join appears to be correct.
>
> P002556$@SAMBA.COMPANY.COM is running Windows Server 2008 Enterprise, SP2.
>
> Could anyone think of other reasons why the above error could come up on
> the DC logs?

It might be speculative pre-authentication with the wrong salt, and
then coming back with the password using the right salt.

A network trace might show more.

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba
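As an added example that is not part of the thread or of Samba's own tooling: a Python parser for the human-readable auth_log line format quoted above, which pairs each NT_STATUS_WRONG_PASSWORD with a following NT_STATUS_OK for the same principal and source address, so that a retry like the one MJ saw is separated from failures that never succeed. The two-second window and the third sample line (alice from 10.0.0.9) are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Field layout of the human-readable auth_log line quoted in the thread.
AUTH_RE = re.compile(
    r"Auth: \[(?P<method>[^\]]+)\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]+)\] "
    r"at \[(?P<when>[^\]]+)\] with \[(?P<enc>[^\]]+)\] status \[(?P<status>[^\]]+)\] "
    r"workstation \[(?P<ws>[^\]]*)\] remote host \[(?P<remote>[^\]]+)\]"
)

# Constructed sample: the two lines from the thread plus one made-up failure
# (alice from 10.0.0.9) that never gets a matching NT_STATUS_OK.
SAMPLE_LINES = [
    r"  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.166711 CET] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:1.2.3.30:62827] mapped to [WRKGRP]\[P002556$]. local host [NULL]",
    r"  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.170557 CET] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:1.2.3.30:62828] became [WRKGRP]\[P002556$] [S-1-5-21-90834550-981288634-869225949-132733]. local host [NULL]",
    r"  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[alice@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:51:10.000001 CET] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:10.0.0.9:50000] mapped to [WRKGRP]\[alice]. local host [NULL]",
]

def parse_auth_line(line):
    """Return the interesting fields of one Auth line, or None for other lines."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # "Thu, 23 Nov 2017 04:47:32.166711 CET": drop weekday and zone name.
    stamp = rec["when"].split(", ", 1)[1].rsplit(" ", 1)[0]
    rec["ts"] = datetime.strptime(stamp, "%d %b %Y %H:%M:%S.%f")
    # "ipv4:1.2.3.30:62827" -> "1.2.3.30"; the source port differs per connection.
    rec["ip"] = rec["remote"].split(":")[1]
    return rec

def classify_failures(lines, window=timedelta(seconds=2)):
    """Label each WRONG_PASSWORD 'retried-ok' when the same principal from the
    same source IP succeeds within `window`, else 'unpaired-failure'."""
    recs = sorted((r for r in map(parse_auth_line, lines) if r), key=lambda r: r["ts"])
    out = []
    for i, r in enumerate(recs):
        if r["status"] != "NT_STATUS_WRONG_PASSWORD":
            continue
        paired = any(
            n["status"] == "NT_STATUS_OK" and n["user"] == r["user"]
            and n["ip"] == r["ip"] and n["ts"] - r["ts"] <= window
            for n in recs[i + 1:]
        )
        out.append((r["user"], r["ip"], "retried-ok" if paired else "unpaired-failure"))
    return out

def report():
    return classify_failures(SAMPLE_LINES)
```

Feed real log lines to `classify_failures` and review only the `unpaired-failure` rows; the paired rows are the benign retry pattern this thread is about.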

Re: auth audit log question

For the archives:

On 23-11-2017 13:54, mj via samba wrote:

>> [2017/11/23 04:47:32.166753,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
>>   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.166711 CET] with [arcfour-hmac-md5] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:1.2.3.30:62827] mapped to [WRKGRP]\[P002556$]. local host [NULL]
>> [2017/11/23 04:47:32.170564,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
>>   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[P002556$@SAMBA.COMPANY.COM] at [Thu, 23 Nov 2017 04:47:32.170557 CET] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:1.2.3.30:62828] became [WRKGRP]\[P002556$] [S-1-5-21-90834550-981288634-869225949-132733]. local host [NULL]
>
> First NT_STATUS_WRONG_PASSWORD, immediately followed by NT_STATUS_OK for
> the same workstation.

The messages disappeared after the Windows 2008 domain member was rebooted.

Some windows glitch I guess. :-)

MJ
