Bug 1563425

Summary: Account lockouts caused by SAMBA + WinBind do not report "Caller Computer Name" in security audit
Product: Red Hat Enterprise Linux 7
Reporter: bugzilla
Component: samba
Assignee: jstephen
Status: CLOSED NOTABUG
QA Contact: qe-baseos-daemons
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.4
CC: asn, bugzilla, gdeschner, jarrpa, jstephen
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-12-06 13:41:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments (Description / Flags):
  Shows the security audit page when an account is locked. / none
  Shows the correct security audit page when an account is locked from a Windows workstation. / none

Description bugzilla 2018-04-03 22:58:45 UTC
Created attachment 1416974 [details]
Shows the security audit page when an account is locked.

Description of problem:

When SAMBA is joined to a Windows domain controller as a member server that has password failure lockouts configured, the Windows security auditing does not show the "Caller Computer Name" in the event ID generated (4740).

Version-Release number of selected component (if applicable):



How reproducible:

Very.

Steps to Reproduce:
1. Join Windows Domain
2. Fail to log in sufficient to lock the account
3. Check the Windows security auditing for event 4740

Actual results:

"Caller Computer Name" is missing a value

Expected results:

"Caller Computer Name" should show the machine name that failed login.

Additional info:

Two images are attached.
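
The check in step 3 of the reproduction, as an added example (not Samba, Red Hat or the reporter's code): scan Security events exported as XML for ID 4740 and list the lockouts whose Caller Computer Name is blank, grouped by caller. It assumes the XML shape that `wevtutil qe Security /f:xml` and Get-WinEvent's ToXml() produce, and that in a 4740 event the locked account sits in `<Data Name="TargetUserName">` and the Caller Computer Name in `<Data Name="TargetDomainName">`; the sample events are constructed.

```python
"""Find Windows 4740 (account locked out) events with no Caller Computer Name.

Added example for this bug report, not Samba or Red Hat code. Assumptions:
events are in the Windows event XML form, and for ID 4740 the EventData
fields TargetUserName / TargetDomainName hold the locked account and the
caller computer name respectively. SAMPLE_EVENTS below are constructed.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOCKOUT_EVENT_ID = 4740


def _event(event_id, when, data):
    """Build one constructed Security event in Windows XML form (sample data)."""
    fields = "".join(
        f'<Data Name="{k}">{v}</Data>' if v is not None else f'<Data Name="{k}"/>'
        for k, v in data.items()
    )
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/>'
        f'<Computer>DC1.example.com</Computer></System>'
        f'<EventData>{fields}</EventData></Event>'
    )


SAMPLE_EVENTS = [
    # Lockout triggered from a Windows workstation: caller name present.
    _event(4740, "2018-04-03T22:10:00Z", {
        "TargetUserName": "alice", "TargetDomainName": "WS01",
        "TargetSid": "S-1-5-21-1-2-3-1104", "SubjectUserSid": "S-1-5-18",
        "SubjectUserName": "DC1$", "SubjectDomainName": "EXAMPLE",
        "SubjectLogonId": "0x3e7"}),
    # Lockout with an empty caller name: the symptom in this report.
    _event(4740, "2018-04-03T22:12:00Z", {
        "TargetUserName": "bob", "TargetDomainName": None,
        "TargetSid": "S-1-5-21-1-2-3-1105", "SubjectUserSid": "S-1-5-18",
        "SubjectUserName": "DC1$", "SubjectDomainName": "EXAMPLE",
        "SubjectLogonId": "0x3e7"}),
    # Unrelated failed-logon event (4625); must be ignored by the scan.
    _event(4625, "2018-04-03T22:11:00Z", {
        "TargetUserName": "bob", "TargetDomainName": "EXAMPLE",
        "WorkstationName": "WS02"}),
]


def parse_event(xml_text):
    """Return {'event_id', 'time', 'data'} for one event XML document."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    created = root.find("e:System/e:TimeCreated", NS)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return {"event_id": event_id,
            "time": created.get("SystemTime") if created is not None else "",
            "data": data}


def caller_computer(ev):
    """Caller Computer Name of a 4740 event; '' when blank or '-' (assumed markers)."""
    name = ev["data"].get("TargetDomainName", "").strip()
    return "" if name == "-" else name


def lockouts(events):
    """Parse all events and keep only ID 4740."""
    parsed = (parse_event(x) for x in events)
    return [ev for ev in parsed if ev["event_id"] == LOCKOUT_EVENT_ID]


def unattributed_lockouts(events):
    """(time, account) for every 4740 whose Caller Computer Name is blank."""
    return [(ev["time"], ev["data"].get("TargetUserName", ""))
            for ev in lockouts(events) if not caller_computer(ev)]


def lockouts_by_caller(events):
    """Count 4740 events per caller computer; key '' collects the unattributed ones."""
    counts = defaultdict(int)
    for ev in lockouts(events):
        counts[caller_computer(ev)] += 1
    return dict(counts)


if __name__ == "__main__":
    for when, account in unattributed_lockouts(SAMPLE_EVENTS):
        print(f"{when}  {account}  <no Caller Computer Name>")
    print(lockouts_by_caller(SAMPLE_EVENTS))
```

Lockouts that land in the `''` bucket are the ones to chase on the Linux side: they tell you which accounts are being locked without a workstation name, but not by which host, so the next step is correlating the timestamps with the member server's own logs.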

Comment 2 bugzilla 2018-04-03 22:59:57 UTC
Created attachment 1416975 [details]
Shows the correct security audit page when an account is locked from a Windows workstation.

Comment 3 Andreas Schneider 2018-04-04 13:44:48 UTC
Is this happening with a Kerberos Login or via SamLogon (NTLM) over the Netlogon protocol?

Comment 4 bugzilla 2018-04-04 17:03:10 UTC
Hi Andreas,

This installation uses Kerberos.

Comment 6 jstephen 2018-07-09 15:47:37 UTC
Hello,

In my testing with samba 4.7.1-6.el7 and Windows Server 2016 I see the 'Caller Computer Name' field is getting populated when the account gets locked after attempting multiple failed password logins (with SSH) and also with 'wbinfo -K EXAMPLE\\user'

If I try to do kinit user@REALM and lock the account that way, then this field does not get populated because this is circumventing the winbind PAM module and therefore it is expected behavior from my perspective.

I see the same behavior upstream.

Is this consistent with what you are seeing, or perhaps the account is being locked out by some operation that does not call into the pam_winbind module?

Comment 7 Andreas Schneider 2018-07-31 14:19:39 UTC
Ping!

Comment 8 bugzilla 2018-08-13 23:19:34 UTC
Thank you for the ping, missed that earlier.  Let me check.  

It might be an LDAP lookup doing the failure, not winbind.

Comment 9 Andreas Schneider 2018-10-15 13:45:33 UTC
Ping!

Comment 10 bugzilla 2018-12-06 00:35:45 UTC
Thank you for your patience. We have determined that the reason for the account lockouts is because of stale mountpoints. If a user mountpoint still exists after a domain user has changed their password (by policy), then when the kernel retries a connection it fails multiple times and does not report the "Caller Computer Name".

It does not appear to be a winbind issue after all.
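
A check for the root cause named above, as an added example (not Samba, Red Hat or the reporter's code): parse /proc/mounts and list the CIFS mounts held under a given domain user's credentials, so they can be unmounted or re-mounted before the old password is retried and the account locks. It assumes the cifs kernel module reports `username=` and `domain=` among the mount options, that /proc/mounts escapes spaces in paths as `\040`, and that Windows user and domain names compare case-insensitively; the sample lines are constructed.

```python
"""List CIFS mounts held under a domain user's credentials.

Added example for this bug report, not Samba or Red Hat code. Assumptions:
/proc/mounts lists cifs mounts with username= and domain= options, paths
escape spaces as \\040, and user/domain names are case-insensitive.
SAMPLE_PROC_MOUNTS is constructed.
"""
import re

SAMPLE_PROC_MOUNTS = """\
/dev/mapper/rhel-root / xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0
//fs1.example.com/home/alice /home/alice/share cifs rw,relatime,vers=3.0,cache=strict,username=alice,domain=EXAMPLE,uid=1001,gid=1001,soft,nounix 0 0
//fs1.example.com/projects /mnt/projects\\040old cifs rw,relatime,vers=3.0,cache=strict,username=alice,domain=example,uid=1001,gid=1001 0 0
//fs1.example.com/home/bob /home/bob/share cifs rw,relatime,vers=3.0,cache=strict,username=bob,domain=EXAMPLE,uid=1002,gid=1002 0 0
"""


def _unescape(field):
    """Decode the octal escapes /proc/mounts uses for space, tab, newline, backslash."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_proc_mounts(text):
    """Return one dict per mount: source, target, fstype and an options dict."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        options = {}
        for opt in parts[3].split(","):
            key, sep, value = opt.partition("=")
            options[key] = value if sep else True  # bare flags map to True
        mounts.append({
            "source": _unescape(parts[0]),
            "target": _unescape(parts[1]),
            "fstype": parts[2],
            "options": options,
        })
    return mounts


def cifs_mounts_for_user(text, user, domain=None):
    """Mount points of cifs mounts whose credentials belong to user (and domain, if given)."""
    hits = []
    for m in parse_proc_mounts(text):
        if m["fstype"] != "cifs":
            continue
        opts = m["options"]
        if str(opts.get("username", "")).lower() != user.lower():
            continue
        if domain and str(opts.get("domain", "")).lower() != domain.lower():
            continue
        hits.append(m["target"])
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # Real use: read the live table and name the user whose password changed.
    user = sys.argv[1] if len(sys.argv) > 1 else "alice"
    try:
        with open("/proc/mounts") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_MOUNTS
    for target in cifs_mounts_for_user(table, user):
        print(target)
```

Run it with the account name from the 4740 events; every path it prints is a mount that will keep presenting the old credentials on reconnect, which is exactly the lockout source comment 10 describes.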

Comment 11 jstephen 2018-12-06 13:41:40 UTC
Thanks for the update, closing based on comment #10