Bug 1563425
| Field | Value |
|---|---|
| Summary | Account lockouts caused by SAMBA + WinBind do not report "Caller Computer Name" in security audit |
| Product | Red Hat Enterprise Linux 7 |
| Component | samba |
| Version | 7.4 |
| Status | CLOSED NOTABUG |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | bugzilla |
| Assignee | jstephen |
| QA Contact | qe-baseos-daemons |
| CC | asn, bugzilla, gdeschner, jarrpa, jstephen |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | If docs needed, set a value |
| Type | Bug |
| Last Closed | 2018-12-06 13:41:40 UTC |
Created attachment 1416975 [details]
Shows the correct security audit page when an account is locked from a Windows workstation.
Is this happening with a Kerberos Login or via SamLogon (NTLM) over the Netlogon protocol? Hi Andreas, This installation uses Kerberos. Hello, In my testing with samba 4.7.1-6.el7 and Windows Server 2016 I see the 'Caller Computer Name' field is getting populated when the account gets locked after attempting multiple failed password logins(with SSH) and also with 'wbinfo -K EXAMPLE\\user' If I try to do kinit user@REALM and lock the account that way, then this field does not get populated because this is circumventing the winbind PAM module and therefore it is expected behavior from my perspective. I see the same behavior upstream. Is this consistent with what you are seeing, or perhaps the account is being locked out by some operation that does not call into the pam_winbind module? Ping! Thank you for the ping, missed that earlier. Let me check. It might be an LDAP lookup doing the failure, not winbind. Ping! Thank you for your patience. We have determined that the reason for the account lock outs is because of stale mountpoints. If a user mountpoint still exists after a domain user has changed their password (by policy), then when the kernel retries a connection it fails multiple times and does not report the "Caller Computer Name". It does not appear to be a windbind issue after all. Thanks for the update, closing based on comment #10 |
Created attachment 1416974 [details] Shows the security audit page when an account is locked. Description of problem: When SAMBA is joined to a Windows domain controller as a member server that has password failure lockouts configured, the Windows security auditing does not show the "Caller Computer Name" in the event ID generated (4740). Version-Release number of selected component (if applicable): How reproducible: Very. Steps to Reproduce: 1. Join Windows Domain 2. Fail to log in sufficient to lock the acount 3. Check the Windows security auditing for event 4740 Actual results: "Caller Computer Name" is missing a value Expected results: "Caller Computer Name" should show the machine name that failed login. Additional info: Two images are attached.
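The reproduction steps end at checking the Security log for event 4740, and the testing comment draws the line between lockouts that went through pam_winbind (caller name populated) and lockouts that did not (a bare kinit, and in the end the kernel retrying a stale CIFS mount with an old password). The script below is an added example, not code from the bug report or from Samba: it parses exported 4740 records and reports, per account, the lockouts that carry no Caller Computer Name, which is the shape of event a practitioner should treat as a non-interactive source rather than a user mistyping a password. It assumes the standard 4740 event XML, in which the "Caller Computer Name" that Event Viewer displays is the EventData field named TargetDomainName; the sample events are constructed.

```python
"""Triage exported Windows event 4740 (A user account was locked out) records
and flag lockouts that carry no Caller Computer Name.

Added example, not code from the bug report or from Samba. The events in
SAMPLE_EVENTS are constructed. Assumption: the standard 4740 XML layout, in
which the Caller Computer Name shown by Event Viewer is the EventData field
named "TargetDomainName".
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace used by the Windows event log XML schema.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_4740(xml_text):
    """Return a dict for one 4740 event, or None if the record is not 4740."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if int(system.find("e:EventID", NS).text) != 4740:
        return None
    data = {
        d.get("Name"): (d.text or "").strip()
        for d in root.find("e:EventData", NS).findall("e:Data", NS)
    }
    return {
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "account": data.get("TargetUserName", ""),
        # Event Viewer renders this field as "Caller Computer Name" (assumed layout).
        "caller_computer": data.get("TargetDomainName", ""),
        "dc": data.get("SubjectUserName", ""),
    }


def triage(xml_events):
    """Return (lockouts, unattributed): every parsed 4740 event, and per account
    the timestamps of lockouts whose caller computer name is empty. An empty
    caller means the failures did not arrive through an interactive path such
    as pam_winbind, so look for non-interactive retries (stale CIFS mounts,
    cached credentials, bare kinit) rather than a user typing passwords."""
    lockouts = [ev for ev in (parse_4740(x) for x in xml_events) if ev]
    unattributed = defaultdict(list)
    for ev in lockouts:
        if not ev["caller_computer"]:
            unattributed[ev["account"]].append(ev["time"])
    return lockouts, dict(unattributed)


def _event(event_id, time, user, caller, dc):
    """Build a constructed event record in the shape wevtutil /f:xml emits."""
    caller_xml = (f"<Data Name='TargetDomainName'>{caller}</Data>" if caller
                  else "<Data Name='TargetDomainName'/>")
    return (
        f"<Event xmlns='{NS['e']}'><System>"
        f"<Provider Name='Microsoft-Windows-Security-Auditing'/>"
        f"<EventID>{event_id}</EventID>"
        f"<TimeCreated SystemTime='{time}'/>"
        f"<Channel>Security</Channel><Computer>{dc}.example.com</Computer>"
        f"</System><EventData>"
        f"<Data Name='TargetUserName'>{user}</Data>{caller_xml}"
        f"<Data Name='SubjectUserName'>{dc}$</Data>"
        f"<Data Name='SubjectDomainName'>EXAMPLE</Data>"
        f"</EventData></Event>"
    )


# Constructed sample: one lockout from a Windows workstation, two for the same
# account with no caller (the shape the bug report describes), and one 4625
# logon-failure record that must be ignored.
SAMPLE_EVENTS = [
    _event(4740, "2018-04-03T08:55:40Z", "asmith", "WORKSTATION01", "DC01"),
    _event(4740, "2018-04-03T09:02:11Z", "jdoe", "", "DC01"),
    _event(4740, "2018-04-03T09:02:13Z", "jdoe", "", "DC02"),
    _event(4625, "2018-04-03T09:02:14Z", "jdoe", "", "DC01"),
]


if __name__ == "__main__":
    lockouts, unattributed = triage(SAMPLE_EVENTS)
    print(f"{len(lockouts)} lockout(s) parsed")
    for account, times in unattributed.items():
        print(f"{account}: {len(times)} lockout(s) with no Caller Computer Name "
              f"({', '.join(times)})")
```

On the domain controller the records can be exported with `wevtutil qe Security /q:"*[System[EventID=4740]]" /f:xml`, which emits one `<Event>` element per record; pass each element to `triage` as its own string. Accounts that show up only in the unattributed list are the ones to check on the Linux side for mounts still open under a credential that predates the last password change.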