UCS account is being locked out periodically - one of the UCS servers is trying to use my username to log in?

Hi, I have a strange problem. One of my accounts is being locked out periodically. I followed this advice (Find source of account lockout - #2 by Moritz_Bunkus) to enable samba logs, and here is what I found out:

I have replaced sensitive info with fake/example details. My fileserver is trying to log in as me for some reason. The UCS fileserver is FILESERVER at 192.168.0.13.
The domain controller for domain EXAMPLEDOMAIN is at 192.168.0.2.
My admin username is john.snow.

  auth_check_password_send: Checking password for unmapped user [EXAMPLEDOMAIN]\[john.snow]@[\\FILESERVERERVER]
  auth_check_password_send: user is: [EXAMPLEDOMAIN]\[john.snow]@[\\FILESERVERERVER]
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user john.snow
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user john.snow
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user john.snow
  auth_check_password_recv: sam authentication for user [EXAMPLEDOMAIN\john.snow] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
  Auth: [SamLogon,network] user [EXAMPLEDOMAIN]\[john.snow] at [Wed, 12 Jan 2022 18:12:26.948871 GMT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [\\\\FILESERVER] remote host [ipv4:192.168.0.13:53214] mapped to [EXAMPLEDOMAIN]\[john.snow]. local host [ipv4:192.168.0.2:49152]  NETLOGON computer [FILESERVER] trust account [FILESERVER$]
  {"timestamp": "2022-01-12T18:12:26.949455+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:192.168.0.2:49152", "remoteAddress": "ipv4:192.168.144.13:53214", "serviceDescription": "SamLogon", "authDescription": "network", "clientDomain": "EXAMPLEDOMAIN", "clientAccount": "roman.admin", "workstation": "\\\\FILESERVER", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "john.snow", "mappedDomain": "EXAMPLEDOMAIN", "netlogonComputer": "FILESERVER", "netlogonTrustAccount": "FILESERVER$", "netlogonNegotiateFlags": "0x610FFFFF", "netlogonSecureChannelType": 2, "netlogonTrustAccountSid": "S-1-5-21-1340774947-4048195885-1699228363-4209", "passwordType": "NTLMv2", "duration": 313489}}

I tried grepping for my username through the /etc/ directory and checked the crontabs for root and for my username, but could not find anything.

This seems to happen every 10-20 minutes.

Any advice on how I should proceed and investigate this further?

Thanks for your help.

Bump in case anyone new comes here and has any thoughts. But I do not expect anything so no worries, just trying my luck. Thanks.

Solved. “Rogue” systems with old config and old passwords were trying to mount file shares.
Close this thread.

I used verbose samba logging and tcpdump on the domain controller and on the fileserver to monitor network traffic and find the offending IP addresses.
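As an added example (not from the thread or from UCS/Samba itself), here is a small Python script that does the first half of that investigation offline: it picks the JSON "Authentication" audit records out of a Samba log (the format shown in the first post), drops everything that succeeded, and counts the failed logons per account, workstation and source IP, so stale clients that keep retrying an old password stand out. The log lines embedded below are constructed samples in that shape; hosts, times and the OLDLAPTOP/DESKTOP1 workstation names are made up.

```python
import json
import re
from collections import Counter

# Constructed sample in the shape of Samba's JSON "Authentication" audit records;
# accounts, hosts and timestamps are made up. The last line is deliberately truncated.
SAMPLE_LOG = r'''
  Auth: [SamLogon,network] user [EXAMPLEDOMAIN]\[john.snow] status [NT_STATUS_WRONG_PASSWORD] remote host [ipv4:192.168.0.13:53214]
  {"timestamp": "2022-01-12T18:12:26.949455+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:192.168.0.2:49152", "remoteAddress": "ipv4:192.168.0.13:53214", "serviceDescription": "SamLogon", "authDescription": "network", "clientDomain": "EXAMPLEDOMAIN", "clientAccount": "john.snow", "workstation": "\\\\FILESERVER", "mappedAccount": "john.snow", "mappedDomain": "EXAMPLEDOMAIN", "netlogonComputer": "FILESERVER", "passwordType": "NTLMv2"}}
  {"timestamp": "2022-01-12T18:27:02.100000+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:192.168.0.2:49152", "remoteAddress": "ipv4:192.168.0.13:53990", "serviceDescription": "SamLogon", "authDescription": "network", "clientDomain": "EXAMPLEDOMAIN", "clientAccount": "john.snow", "workstation": "\\\\FILESERVER", "mappedAccount": "john.snow", "mappedDomain": "EXAMPLEDOMAIN", "netlogonComputer": "FILESERVER", "passwordType": "NTLMv2"}}
  {"timestamp": "2022-01-12T18:31:40.000000+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:192.168.0.2:445", "remoteAddress": "ipv4:192.168.0.77:50211", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "EXAMPLEDOMAIN", "clientAccount": "john.snow", "workstation": "OLDLAPTOP", "mappedAccount": "john.snow", "mappedDomain": "EXAMPLEDOMAIN", "passwordType": "NTLMv2"}}
  {"timestamp": "2022-01-12T18:32:05.000000+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4624, "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:192.168.0.2:445", "remoteAddress": "ipv4:192.168.0.50:49700", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "EXAMPLEDOMAIN", "clientAccount": "john.snow", "workstation": "DESKTOP1", "mappedAccount": "john.snow", "mappedDomain": "EXAMPLEDOMAIN", "passwordType": "NTLMv2"}}
  {"timestamp": "2022-01-12T18:33:00.000000+0000", "type": "Authentication", "Authentication": {"eventId": 4625, "status": "NT_STATUS_WRONG_PASSWORD"
'''

JSON_START = re.compile(r'\{"timestamp"')


def parse_auth_events(text):
    """Return the inner 'Authentication' dicts from Samba JSON audit lines.

    Non-JSON lines (the plain-text 'Auth:' summaries, debug output) and
    truncated or otherwise unparsable JSON are skipped rather than fatal.
    """
    events = []
    for line in text.splitlines():
        m = JSON_START.search(line)
        if not m:
            continue
        try:
            rec = json.loads(line[m.start():])
        except json.JSONDecodeError:
            continue
        if rec.get("type") != "Authentication":
            continue
        auth = rec["Authentication"]
        auth["timestamp"] = rec["timestamp"]
        events.append(auth)
    return events


def host_of(addr):
    """'ipv4:192.168.0.13:53214' -> '192.168.0.13' (family prefix and port dropped)."""
    return addr.split(":", 1)[1].rsplit(":", 1)[0]


def failed_logon_sources(events):
    """Count failed logons keyed by (account, workstation, source IP)."""
    counts = Counter()
    for ev in events:
        if ev.get("status") == "NT_STATUS_OK":
            continue
        account = ev.get("mappedAccount") or ev.get("clientAccount")
        workstation = (ev.get("workstation") or "").lstrip("\\")  # drop the \\ UNC prefix
        counts[(account, workstation, host_of(ev["remoteAddress"]))] += 1
    return counts


if __name__ == "__main__":
    for (account, ws, ip), n in failed_logon_sources(parse_auth_events(SAMPLE_LOG)).most_common():
        print(f"{n:4d} failed logon(s)  account={account}  workstation={ws}  from={ip}")
```

On a real system, feed it the DC's log.samba (with the auth_json_audit log level raised) instead of SAMPLE_LOG; the source IPs it reports are the ones worth confirming with tcpdump, as the thread's author did.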
