{"id":268,"date":"2011-01-25T14:07:25","date_gmt":"2011-01-25T19:07:25","guid":{"rendered":"http:\/\/www.rajatswarup.com\/blog\/?p=268"},"modified":"2011-01-25T14:07:25","modified_gmt":"2011-01-25T19:07:25","slug":"ad-account-lockouts","status":"publish","type":"post","link":"https:\/\/www.rajatswarup.com\/blog\/2011\/01\/25\/ad-account-lockouts\/","title":{"rendered":"Kerberos\/Samba\/AD account lockouts"},"content":{"rendered":"<p>I kept getting the following errors on my AD domain in the event viewer and accounts kept locking out:<br \/>\n<code>Pre-authentication failed:<br \/>\nUser Name: \u00a0 \u00a0 \u00a0user1<br \/>\nUser ID: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0DOMAIN\\user1<br \/>\nService Name: \u00a0 krbtgt\/<a href=\"http:\/\/domain.com\/\" target=\"_blank\">DOMAIN.COM<\/a><br \/>\nPre-Authentication Type: \u00a0 \u00a0 \u00a0 \u00a00x0<br \/>\nFailure Code: \u00a0 0x12<br \/>\nClient Address: 192.168.246.134<\/p>\n<p>For more information, see Help and Support Center at<br \/>\n<a href=\"http:\/\/go.microsoft.com\/fwlink\/events.asp\" target=\"_blank\">http:\/\/go.microsoft.com\/fwlink\/events.asp<\/a>.<\/code><\/p>\n<p>In the Directory Service logs I see the following entry:<br \/>\n[snip]<br \/>\n<code>Active Directory could not update the following object with changes<br \/>\nreceived from the domain controller at the following network address<br \/>\nbecause Active Directory was busy processing information.<\/p>\n<p>Object:<br \/>\nCN=User 1,OU=Testing Services Team,OU=TESTER V,DC=domain,DC=com<br \/>\nNetwork address:<br \/>\ne5523049-53f1-4274-858b-<\/p>\n<div id=\":1vt\">c68971599acf._<a href=\"http:\/\/msdcs.domain.com\/\" target=\"_blank\">msdcs.domain.com<\/a><\/p>\n<p>This operation will be tried again later.<\/p>\n<p>For more information, see Help and Support Center at<br \/>\n<a href=\"http:\/\/go.microsoft.com\/fwlink\/events.asp\" target=\"_blank\">http:\/\/go.microsoft.com\/fwlink\/events.asp<\/a>.<br 
\/>\n<\/code>\n<\/div>\n<p>It turns out this happens if you have a Samba\/winbind\/AD type infrastructure.  If someone has processes running on Unix using Kerberos authentication (even if they use sudo) and changes their password while those processes are running, the account locks out, because the Kerberos ticket-granting ticket (krbtgt) is no longer current and any object access is counted as a failed login attempt.  This locks out the accounts if you have account lockout implemented in your AD domain security policy.  <\/p>\n","protected":false},"excerpt":{"rendered":"<p>I kept getting the following errors on my AD domain in the event viewer and accounts kept locking out: Pre-authentication failed: User Name: \u00a0 \u00a0 \u00a0user1 User ID: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0DOMAIN\\user1 Service Name: \u00a0 krbtgt\/DOMAIN.COM Pre-Authentication Type: \u00a0 \u00a0 \u00a0 \u00a00x0 Failure Code: \u00a0 0x12 Client Address: 192.168.246.134 For more [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[230],"tags":[425,424,229,423,422,306,426],"class_list":["post-268","post","type-post","status-publish","format-standard","hentry","category-howto","tag-account-lockout","tag-ad","tag-error","tag-kerberos","tag-krbtgt","tag-samba","tag-winbind"],"_links":{"self":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts\/268","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/comments?post=268"}],"version-history":[{"count":1,"href":"https
:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts\/268\/revisions"}],"predecessor-version":[{"id":269,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts\/268\/revisions\/269"}],"wp:attachment":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/media?parent=268"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/categories?post=268"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/tags?post=268"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}