Account lockouts when accessing a SAMBA share

  • Question

  • I need some assistance determining what might be causing account lockouts from Windows 7/2008 R2 client machines on my domain (2000 native).  The lockout occurs when you attempt to access a share on a Linux server running SAMBA.  No other client machines (2000, XP, 2003, Vista) experience a lockout accessing SAMBA.  In the Security log on the DC that locks the account out, I get 4 messages that look like this:

    The logon to account: username
    by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    from workstation: \\2008SERVER
    failed. The error code was: 3221225578

    Immediately following this, is the account locked out entry.

    User Account Locked Out:
    Target Account Name: username
    Target Account ID: DOMAIN\username
    Caller Machine Name: \\2008SERVER
    Caller User Name: DOMCONTROLLER$
    Caller Domain: DOMAIN
    Caller Logon ID: (0x0,0x3E7)

    Any assistance that anyone could provide would be greatly appreciated.
    Thursday, December 31, 2009 7:39 PM

All replies

  • Hi Frank,

    The Error code (3221225578) that you are getting in the Events corresponds to the following: "The username is correct, but the password is wrong".

    Did you recently change the Password of the User Accounts in question? How are you trying to access the Shares on Samba Server?

    Event Logs clearly indicate that the reason for the Lockout is the Incorrect Password, so we should try to focus in that direction. This can very well be an issue specific to the OS also, as you mentioned that the issue doesn't come up while accessing the Shares from other Clients but Windows 7/2008.

    Take a look at the following Post and see if it helps - http://www.derkeiler.com/Newsgroups/microsoft.public.win2000.security/2002-12/13597.html

    Revert back with the info.

    Thanks,
    Nitin

    • Proposed as answer by David Shen Monday, January 4, 2010 9:03 AM
    • Marked as answer by David Shen Monday, January 11, 2010 8:03 AM
    Saturday, January 2, 2010 10:36 AM
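
An added example, not part of the original thread: the decimal "error code" in these DC Security log entries is an NTSTATUS value, and counting failures per account and workstation shows which client is driving a lockout. The sample text is constructed from the entries quoted in the question; the function names are hypothetical.

```python
import re
from collections import Counter

# A few well-known NTSTATUS logon codes (the log prints them in decimal).
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
FAIL_RE = re.compile(
    r"The logon to account:\s*(?P<user>\S+)\s+by:\s*(?P<pkg>\S+)\s+"
    r"from workstation:\s*(?P<ws>\S+)\s+"
    r"failed\. The error code was:\s*(?P<code>\d+)")
LOCK_RE = re.compile(
    r"User Account Locked Out:\s+Target Account Name:\s*(?P<user>\S+)\s+"
    r"Target Account ID:\s*\S+\s+Caller Machine Name:\s*(?P<ws>\S+)")

def decode(code):
    """Decimal event code -> (hex NTSTATUS, symbolic name)."""
    value = int(code) & 0xFFFFFFFF
    return "0x%08X" % value, NTSTATUS.get(value, "unknown")

def lockout_sources(text):
    """For each lockout entry, list the failed-logon counts recorded for the
    same account and workstation as (user, workstation, status, count)."""
    failures = Counter()
    for m in FAIL_RE.finditer(text):
        failures[(m["user"], m["ws"], decode(m["code"])[1])] += 1
    report = []
    for m in LOCK_RE.finditer(text):
        for (user, ws, status), count in failures.items():
            if (user, ws) == (m["user"], m["ws"]):
                report.append((user, ws, status, count))
    return report

# Constructed sample: four failures followed by the lockout entry.
FAILED = r"""The logon to account: username
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: \\2008SERVER
failed. The error code was: 3221225578
"""
LOCKED = r"""User Account Locked Out:
Target Account Name: username
Target Account ID: DOMAIN\username
Caller Machine Name: \\2008SERVER
"""
SAMPLE = FAILED * 4 + LOCKED

if __name__ == "__main__":
    print(decode("3221225578"), lockout_sources(SAMPLE))
```
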
  • Nitin,

    Thank you for the response.  In this case, I have not recently changed the user password.  In fact, the user account gets locked out regardless of which user account you try to use to access the Samba server.  On an XP machine, if I log in with my domain account and attempt to access the Samba server's shares by using the UNC path  \\sambaserver, I am immediately shown the share list available on that Samba server (in other words, I am not prompted for credentials- passthrough authentication seems to work).  From a 2008 machine, if I try to do the same thing, I am prompted for my domain username/password.  If I use the account lockout tool from Microsoft, I can see that my account now has 4 "bad password" attempts in the Security log (this is even before I provide the credentials when prompted).

    The issue doesn't seem to be a bad password, but possibly some other problem with the trust between the hosts?

    Thanks again for the assistance.  Any other ideas would be greatly appreciated.

    Thanks,
    Frank
    Monday, January 4, 2010 11:25 AM
  • Hi,

    So, you are experiencing different behavior from XP and 2008 Machines. Just to confirm, what happens when you enter the Credentials from Windows 2008 Machine? Does the Share come up or does it error out?

    I would also like to know if you have configured SMB Policies in the Domain. SMB stands for Server Message Block and it's required while accessing the Shares in the Domain. Depending upon how you have configured SMB, you will be prompted for Credentials while accessing the Shares on the Network.

    Before looking at anything else let's first check the SMB Policies. Please take a look at the following Article and try to check the Policies. If you have not configured it yet, you can set these policies at the Domain Level so that it can take effect on all the Machines in the Domain as per your requirements.

    http://support.microsoft.com/default.aspx/kb/839499

    The only purpose to check this setting is to make sure that the behavior while opening the Shares from XP and Windows 2008 Machines is same. Once this is in place we will check further.

    Take a look at this Article to get an Overview on SMB - http://support.microsoft.com/kb/887429

    Thanks,
    Nitin
    Monday, January 4, 2010 12:21 PM
  • Hi Frank,

    Please try this first. Just clicked in my mind and I suspect this can be the issue.

    Type "Control Keymgr.dll" on Run Prompt of the problem Windows 2008 Machine. This will bring up "Stored Username and Passwords Window".  Remove any Saved Passwords from the List. I suspect that when you try to open the Share from this Machine it tries to get in using the Cached Passwords and errors out since they might not be updated.

    Revert back with the results.

    Thanks,
    Nitin 
    Monday, January 4, 2010 12:29 PM
  • Nitin,

    Thanks again for the responses.

    In answer to your first post, we do not have SMB signing disabled or any SMB policies on the domain.  Also, if I provide the correct credentials when prompted from the 2008 server, I am given "bad username/password" in response.

    In regards to your second post, the Credential Manager is not showing any saved information: "No Windows credentials", "No Certificates", "No generic credentials".

    Is it possible that the encryption level is higher on the Server 2008 side than is supported by the Samba server?  I'm just trying to think of anything that would be different from XP/Vista and 2008.

    Thanks,
    Frank
    Monday, January 4, 2010 12:57 PM
  • Hi Frank,

    Is SAMBA Server part of the same Domain ?
    Are you able to access Normal Windows Shares from Windows 2008 Server ?

    - Also, please download ' Klist ' (part of Resource kit tools) from Microsoft Website and Purge all the Tickets on Windows 2008 Server.
    - You may use following command on Command Prompt -  'Klist Purge'.
    - Log off and Log back in. Check to see if issue persists.

    Thanks,
    Nitin
    Monday, January 4, 2010 1:36 PM
  • Hi Nitin,

    Sorry for the delay.  Yes, the SAMBA server is part of the same domain.  It should be noted that the SAMBA server is actually a file server cluster and the name I'm referencing is the virtual name for the cluster.  I'm not sure if that's relevant, but I thought I'd mention.

    I am able to access normal Windows shares from the 2008 server without issue.

    I ran the "klist purge" command and followed your instructions.  Unfortunately, this did not seem to have an effect, as the account still locked out.

    Thanks again,
    Frank
    Tuesday, January 5, 2010 7:45 PM
  • Hi Frank,

    The basic reasons for Account Lockout include Services running under User's Context (Password not updated), Third Party Application attempting to logon using wrong credentials, etc.

    I am not very sure about the Cluster configuration but the thing worth bothering is that even if you supply the correct credentials on the dialog box, it returns Bad Username/Password.
    Another important point is that you do not get issues from any other Machine in the Network which forces me to think that the issue is Machine specific.

    Let's isolate this issue a bit further, do a Clean Boot on the Windows 2008 Server and disable all the Third Party Services and Startup Items using Msconfig Utility. Reboot the Server and see if the behavior still remains.
    Also check all the Services and see which ones are running under a User Account.

    Thanks,
    Nitin
    • Marked as answer by David Shen Monday, January 11, 2010 8:02 AM
    • Unmarked as answer by frank.parry Monday, January 11, 2010 11:38 PM
    Wednesday, January 6, 2010 12:35 PM
  • Hi Nitin,

    It should be noted that this is not happening on only one computer- it is happening from ALL Windows 7/2008 machines.  I've tested making the connection from a clean machine (no 3rd party software) and received the same result.

    I have determined one item of interest, however:  the virtual server name is not in our Active Directory.  Both of the physical hostnames are (host1, host2).  From one of the Windows 7/2008 machines, I AM able to view the SAMBA share list if I reference either of the physical servers by name (\\host1.domain.com, \\host2.domain.com), but only the virtual name causes the lockout.  Is it possible that the Windows 7/2008 server is expecting the virtual server to be in Active Directory?

    Thanks again,
    Frank
    Monday, January 11, 2010 11:38 PM
  • Hi,

    If you are able to access the Physical Servers properly and only the Virtual Cluster Name is giving the issues then I suspect this is a Cluster Configuration specific issue. And again it is specific to Windows 2008 and Vista/7 Operating Systems. Maybe something configured while creating the Clusters is causing the issue but like I said I am not an Expert on Clusters so I have less knowledge on the same.  We might need help from a Cluster Expert here.

    And you earlier mentioned the Encryption part. Windows Vista and Later Operating Systems do support AES (Advanced Encryption Support) but unless configured they use Normal Encryption supported by all other OS including Windows XP, 2003, Linux etc.

    Thanks,
    Nitin
    Tuesday, January 12, 2010 9:31 AM
  • Nitin,

    Thanks for your help.

    We eventually came across the following article:
    http://www.builderau.com.au/blogs/viewblogpost.htm?p=339270746

    Which mentioned changing "Network Security: LAN Manager authentication level" from "NTLMV2 responses only" to "LM and NTLM – use NTLMV2 session security if negotiated".  Once this change was made, I was able to access the SAMBA server and shares.

    Thanks,
    Frank
    • Marked as answer by frank.parry Monday, January 18, 2010 9:28 PM
    Monday, January 18, 2010 9:27 PM
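
An added example, not part of the original thread: a small model of what each value of the "LAN Manager authentication level" policy (registry value LmCompatibilityLevel, 0 to 5) makes a client send, used to compare the setting before and after the change described above. The server's accepted set is a hypothetical assumption, since the thread never establishes what the Samba cluster validated, and the function names are illustrative.

```python
# Client-side behaviour of the six documented LmCompatibilityLevel values.
LEVELS = {
    0: ("Send LM & NTLM responses", {"LM", "NTLM"}),
    1: ("Send LM & NTLM - use NTLMv2 session security if negotiated",
        {"LM", "NTLM"}),
    2: ("Send NTLM response only", {"NTLM"}),
    3: ("Send NTLMv2 response only", {"NTLMv2"}),
    4: ("Send NTLMv2 response only. Refuse LM", {"NTLMv2"}),
    5: ("Send NTLMv2 response only. Refuse LM & NTLM", {"NTLMv2"}),
}
STRENGTH = ("LM", "NTLM", "NTLMv2")  # weakest to strongest

def assess(level, server_accepts):
    """Can a client at this level authenticate, and what does it expose?"""
    name, sent = LEVELS[level]
    return {
        "level": level,
        "policy": name,
        "authenticates": bool(sent & set(server_accepts)),
        "weakest_sent": min(sent, key=STRENGTH.index),
    }

def strongest_working_level(server_accepts):
    """Highest level that still authenticates, or None if none does."""
    working = [lvl for lvl in LEVELS
               if assess(lvl, server_accepts)["authenticates"]]
    return max(working) if working else None

# Hypothetical server that validates LM and NTLM responses but not NTLMv2
# (an assumption made for the comparison, not a fact from the thread).
LEGACY_SERVER = {"LM", "NTLM"}

if __name__ == "__main__":
    # Level 3 is the "before" setting, level 1 the "after" setting.
    for lvl in (3, 1, strongest_working_level(LEGACY_SERVER)):
        print(assess(lvl, LEGACY_SERVER))
```

Under that assumption the model shows level 2 also authenticates while sending no LM response, which is the comparison to make before settling on level 1 domain-wide.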
  • Hi Frank,

    Thanks for getting back with the solution. I appreciate it. Coincidentally, yesterday I came across this Article too but did not get time to post here :)

    Good to know it worked for you.


    Cheers,
    Nitin
    Tuesday, January 19, 2010 9:48 AM