Bug 1563425 - Account lockouts caused by SAMBA + WinBind do not report "Caller Computer Name" in security audit
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: jstephen
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-04-03 22:58 UTC by bugzilla
Modified: 2018-12-06 13:41 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-06 13:41:40 UTC
Target Upstream Version:
Embargoed:


Attachments
Shows the security audit page when an account is locked. (26.23 KB, image/png)
2018-04-03 22:58 UTC, bugzilla
Shows the correct security audit page when an account is locked from a Windows workstation. (27.90 KB, image/png)
2018-04-03 22:59 UTC, bugzilla

Description bugzilla 2018-04-03 22:58:45 UTC
Created attachment 1416974
Shows the security audit page when an account is locked.

Description of problem:

When SAMBA is joined to a Windows domain controller as a member server that has password failure lockouts configured, the Windows security auditing does not show the "Caller Computer Name" in the event ID generated (4740).

Version-Release number of selected component (if applicable):



How reproducible:

Very.

Steps to Reproduce:
1. Join Windows Domain
2. Fail to log in sufficient to lock the account
3. Check the Windows security auditing for event 4740

Actual results:

"Caller Computer Name" is missing a value

Expected results:

"Caller Computer Name" should show the machine name that failed login.

Additional info:

Two images are attached.

Comment 2 bugzilla 2018-04-03 22:59:57 UTC
Created attachment 1416975
Shows the correct security audit page when an account is locked from a Windows workstation.

Comment 3 Andreas Schneider 2018-04-04 13:44:48 UTC
Is this happening with a Kerberos Login or via SamLogon (NTLM) over the Netlogon protocol?

Comment 4 bugzilla 2018-04-04 17:03:10 UTC
Hi Andreas,

This installation uses Kerberos.

Comment 6 jstephen 2018-07-09 15:47:37 UTC
Hello,

In my testing with samba 4.7.1-6.el7 and Windows Server 2016 I see the 'Caller Computer Name' field is getting populated when the account gets locked after attempting multiple failed password logins (with SSH) and also with 'wbinfo -K EXAMPLE\\user'

If I try to do kinit user@REALM and lock the account that way, then this field does not get populated because this is circumventing the winbind PAM module and therefore it is expected behavior from my perspective.

I see the same behavior upstream.

Is this consistent with what you are seeing, or perhaps the account is being locked out by some operation that does not call into the pam_winbind module?

Comment 7 Andreas Schneider 2018-07-31 14:19:39 UTC
Ping!

Comment 8 bugzilla 2018-08-13 23:19:34 UTC
Thank you for the ping, missed that earlier. Let me check.

It might be an LDAP lookup doing the failure, not winbind.

Comment 9 Andreas Schneider 2018-10-15 13:45:33 UTC
Ping!

Comment 10 bugzilla 2018-12-06 00:35:45 UTC
Thank you for your patience. We have determined that the reason for the account lockouts is because of stale mountpoints. If a user mountpoint still exists after a domain user has changed their password (by policy), then when the kernel retries a connection it fails multiple times and does not report the "Caller Computer Name".

It does not appear to be a winbind issue after all.
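The thread turns on one detail of Windows Security event 4740: whether "Caller Computer Name" is populated. Comment 6 explains that lockouts arriving through pam_winbind carry the field while a bare kinit does not, and comment 10 traces the reporter's empty-field lockouts to a stale mount retrying an old password. The following Python is an added example, not code from the bug report or from Samba: it parses 4740 messages in the layout Event Viewer renders, separates attributed from unattributed lockouts, and flags accounts that are repeatedly locked with no caller recorded, which is the pattern a defender would want to investigate first. All sample events, host names, account names and SIDs below are constructed for the example.

```python
"""Triage Windows Security event 4740 (account lockout) records by whether
"Caller Computer Name" is populated.

Added example for this bug report, not code from the report or from Samba.
Sample events are constructed in the layout Event Viewer uses for 4740;
every host, account and SID value in them is invented.
"""
import re
from collections import Counter

# Message layout of event 4740 as shown in Event Viewer (field labels are
# the real ones; the values substituted below are constructed).
EVENT_4740_TEMPLATE = (
    "A user account was locked out.\n\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-18\n"
    "\tAccount Name:\t\t{dc}$\n"
    "\tAccount Domain:\t\t{domain}\n"
    "\tLogon ID:\t\t0x3E7\n\n"
    "Account That Was Locked Out:\n"
    "\tSecurity ID:\t\t{sid}\n"
    "\tAccount Name:\t\t{account}\n\n"
    "Additional Information:\n"
    "\tCaller Computer Name:\t{caller}\n"
)


def render_4740(account, caller, domain="EXAMPLE", dc="DC1",
                sid="S-1-5-21-1000-2000-3000-1105"):
    """Build a constructed 4740 message; only used to make sample input."""
    return EVENT_4740_TEMPLATE.format(account=account, caller=caller,
                                      domain=domain, dc=dc, sid=sid)


# Constructed sample log: two attributed lockouts and two with no caller.
SAMPLE_EVENTS = [
    render_4740("jdoe", "WS-FINANCE-07"),   # Windows workstation
    render_4740("asmith", "SMB-FILES-01"),  # Samba member via pam_winbind
    render_4740("jdoe", ""),                # no caller recorded
    render_4740("jdoe", ""),                # repeated, same account
]

# Anchor on the "Account That Was Locked Out" section so the Subject's own
# "Account Name" (the DC) is not picked up by mistake.
_LOCKED_ACCOUNT_RE = re.compile(
    r"Account That Was Locked Out:.*?Account Name:\s*(\S+)", re.S)
_CALLER_RE = re.compile(r"Caller Computer Name:[ \t]*(.*)")


def parse_4740(message):
    """Extract the locked account and caller computer from a 4740 message.

    Returns a dict with 'account' and 'caller'; 'caller' is None when the
    field is present but empty, which is the condition this bug describes.
    """
    m_acct = _LOCKED_ACCOUNT_RE.search(message)
    m_caller = _CALLER_RE.search(message)
    if not m_acct or not m_caller:
        raise ValueError("not a 4740 account-lockout message")
    caller = m_caller.group(1).strip()
    return {"account": m_acct.group(1), "caller": caller or None}


def triage_lockouts(messages, repeat_threshold=2):
    """Split lockouts into attributed and unattributed and flag repeats.

    Unattributed lockouts (empty caller) cannot be traced to a workstation
    from the event alone: per comment 6 they come from a path that bypasses
    pam_winbind (for example kinit), and per comment 10 a stale mount
    retrying with an old password produces a burst of them for one account.
    """
    attributed, unattributed = [], []
    for msg in messages:
        rec = parse_4740(msg)
        (attributed if rec["caller"] else unattributed).append(rec)
    repeats = Counter(r["account"] for r in unattributed)
    flagged = sorted(a for a, n in repeats.items() if n >= repeat_threshold)
    return {"attributed": attributed,
            "unattributed": unattributed,
            "investigate": flagged}


if __name__ == "__main__":
    result = triage_lockouts(SAMPLE_EVENTS)
    for rec in result["attributed"]:
        print(f"{rec['account']:10} locked from {rec['caller']}")
    for rec in result["unattributed"]:
        print(f"{rec['account']:10} locked, no caller computer name")
    print("investigate (repeated lockouts without caller):",
          result["investigate"])
```

On the constructed sample this reports jdoe and asmith as attributed lockouts, two jdoe lockouts with no caller, and lists jdoe under "investigate". In practice the messages would come from the domain controller's Security log (for example exported with wevtutil or forwarded to a SIEM); the point of the split is that an empty field is not itself a winbind defect, as comment 6 notes, but a repeated empty-caller lockout for one account is the signature worth chasing down to a stale mount or a non-PAM authentication path.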

Comment 11 jstephen 2018-12-06 13:41:40 UTC
Thanks for the update, closing based on comment #10

