Hi, I have a strange problem. One of my accounts is being locked out periodically. I followed this advice (Find source of account lockout - #2 by Moritz_Bunkus) to enable samba logs, and here is what I found out:
I have replaced sensitive info with fake/example details. My fileserver is trying to log in as me for some reason. The UCS fileserver is FILESERVER at 192.168.0.13.
The domain controller for domain EXAMPLEDOMAIN is at 192.168.0.2.
My admin username is john.snow.
auth_check_password_send: Checking password for unmapped user [EXAMPLEDOMAIN]\[john.snow]@[\\FILESERVERERVER]
auth_check_password_send: user is: [EXAMPLEDOMAIN]\[john.snow]@[\\FILESERVERERVER]
ntlm_password_check: NEITHER LanMan nor NT password supplied for user john.snow
ntlm_password_check: NEITHER LanMan nor NT password supplied for user john.snow
ntlm_password_check: NEITHER LanMan nor NT password supplied for user john.snow
auth_check_password_recv: sam authentication for user [EXAMPLEDOMAIN\john.snow] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
Auth: [SamLogon,network] user [EXAMPLEDOMAIN]\[john.snow] at [Wed, 12 Jan 2022 18:12:26.948871 GMT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [\\\\FILESERVER] remote host [ipv4:192.168.0.13:53214] mapped to [EXAMPLEDOMAIN]\[john.snow]. local host [ipv4:192.168.0.2:49152] NETLOGON computer [FILESERVER] trust account [FILESERVER$]
{"timestamp": "2022-01-12T18:12:26.949455+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:192.168.0.2:49152", "remoteAddress": "ipv4:192.168.144.13:53214", "serviceDescription": "SamLogon", "authDescription": "network", "clientDomain": "EXAMPLEDOMAIN", "clientAccount": "roman.admin", "workstation": "\\\\FILESERVER", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "john.snow", "mappedDomain": "EXAMPLEDOMAIN", "netlogonComputer": "FILESERVER", "netlogonTrustAccount": "FILESERVER$", "netlogonNegotiateFlags": "0x610FFFFF", "netlogonSecureChannelType": 2, "netlogonTrustAccountSid": "S-1-5-21-1340774947-4048195885-1699228363-4209", "passwordType": "NTLMv2", "duration": 313489}}
I tried grepping my username through /etc/ directory, checked crontabs for root and for my username, but could not find anything.
This seems to happen every 10-20 mins.
Any advice on how I should proceed and investigate this further?
Thanks for the help.
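To narrow down where the failed logons in a Samba JSON audit log come from, the following added example (not from the post or from Univention/Samba) parses records like the one above, counts NT_STATUS_WRONG_PASSWORD failures per source host, workstation and NETLOGON computer, and measures the spacing between them. The sample log lines are constructed for the example; the field names follow the record shown in the post.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample shaped like the Samba JSON "Authentication" audit records
# in the post (names and addresses are fake); Samba's plain-text auth messages
# are interleaved with the JSON records, as in the original log.
SAMPLE_LOG = r"""
ntlm_password_check: NEITHER LanMan nor NT password supplied for user john.snow
{"timestamp": "2022-01-12T18:12:26.949455+0000", "type": "Authentication", "Authentication": {"eventId": 4625, "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.168.0.13:53214", "clientAccount": "john.snow", "workstation": "\\\\FILESERVER", "mappedAccount": "john.snow", "netlogonComputer": "FILESERVER", "passwordType": "NTLMv2"}}
{"timestamp": "2022-01-12T18:27:26.100000+0000", "type": "Authentication", "Authentication": {"eventId": 4625, "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.168.0.13:53301", "clientAccount": "john.snow", "workstation": "\\\\FILESERVER", "mappedAccount": "john.snow", "netlogonComputer": "FILESERVER", "passwordType": "NTLMv2"}}
{"timestamp": "2022-01-12T18:30:02.000000+0000", "type": "Authentication", "Authentication": {"eventId": 4624, "logonType": 3, "status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.168.0.50:50112", "clientAccount": "john.snow", "workstation": "\\\\LAPTOP01", "mappedAccount": "john.snow", "netlogonComputer": "LAPTOP01", "passwordType": "NTLMv2"}}
"""

def auth_records(log_text):
    """Yield (timestamp, Authentication dict) per JSON record; skip other lines."""
    for line in log_text.splitlines():
        start = line.find("{")  # a syslog header may precede the JSON
        if start < 0:
            continue
        try:
            record = json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # plain-text Samba message, not a JSON record
        if record.get("type") != "Authentication":
            continue
        ts = datetime.strptime(record["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        yield ts, record["Authentication"]

def failures_for(log_text, account, status="NT_STATUS_WRONG_PASSWORD"):
    """Failed records for `account`, matched on client or mapped account name."""
    return [(ts, auth) for ts, auth in auth_records(log_text)
            if auth.get("status") == status
            and account in (auth.get("clientAccount"), auth.get("mappedAccount"))]

def failed_logon_sources(log_text, account):
    """Count failures per (remote IP, workstation, netlogon computer); the
    netlogon computer is the member server that relayed the NTLM logon."""
    sources = Counter()
    for _, auth in failures_for(log_text, account):
        remote = auth.get("remoteAddress", "")  # e.g. "ipv4:192.168.0.13:53214"
        host = remote.split(":")[1] if remote.startswith("ipv4:") else remote
        sources[(host, auth.get("workstation"), auth.get("netlogonComputer"))] += 1
    return sources

def failure_intervals_minutes(log_text, account):
    """Minutes between consecutive failures; a steady interval points at a
    scheduled job or a service retrying with a stale cached credential."""
    times = sorted(ts for ts, _ in failures_for(log_text, account))
    return [round((b - a).total_seconds() / 60, 1) for a, b in zip(times, times[1:])]
```

Run it against the real log (e.g. the output of `journalctl` or the samba log file) by reading the file into `log_text`; the winning source tells you which member server to inspect for a mapped drive, scheduled task or service still holding the old password.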