Kerberos/Samba/AD account lockouts
I kept getting the following errors on my AD domain in the event viewer and accounts kept locking out:
Pre-authentication failed:
User Name: user1
User ID: DOMAIN\user1
Service Name: krbtgt/DOMAIN.COM
Pre-Authentication Type: 0x0
Failure Code: 0x12
Client Address: 192.168.246.134
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
In the Directory Service logs I see the following entry:
[snip]
Active Directory could not update the following object with changes
received from the domain controller at the following network address
because Active Directory was busy processing information.
Object:
CN=User 1,OU=Testing Services Team,OU=TESTER V,DC=domain,DC=com
Network address:
e5523049-53f1-4274-858b-
This operation will be tried again later.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Turns out this happens if you have Samba/winbind/AD type infrastructure. If someone has processes running on a Unix host (even if they use sudo) and changes their password while those processes are still running and using Kerberos authentication, the account locks out: the Kerberos ticket-granting ticket (krbtgt) held by the process is no longer current, so every object access it attempts is counted as a failed login attempt. Once enough attempts fail, the account is locked if account lockout is enforced in your AD domain security policy.
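As an added example, not code from the original post: a Python script that parses security-event text in the layout quoted above and correlates the 0x18 (KDC_ERR_PREAUTH_FAILED) attempts per user and client address, which is how you find the Unix host whose stale process is tripping the lockout. It treats 0x12 (KDC_ERR_CLIENT_REVOKED) as the result of the lockout rather than its cause, so only 0x18 counts toward the threshold. It assumes Windows 2003-style event 675 records carrying Date:/Time: header lines; the sample events, the 5-attempts-in-30-minutes policy and the host addresses are constructed.

```python
"""Find the host behind Kerberos pre-authentication lockouts.

Added example, not code from the original post. Parses security-event
text in the layout quoted above (assumed: Windows 2003-style event 675
records with Date:/Time: header lines) and reports which
(user, client address) pairs produced enough bad pre-auth attempts inside
the observation window to trip account lockout. Sample events and the
policy numbers are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos error codes (RFC 4120) that matter when hunting lockouts.
FAILURE_CODES = {
    0x12: "KDC_ERR_CLIENT_REVOKED: account locked out, disabled or expired",
    0x17: "KDC_ERR_KEY_EXPIRED: password expired",
    0x18: "KDC_ERR_PREAUTH_FAILED: bad password or stale credentials",
}

# Constructed lockout policy: 5 bad attempts within 30 minutes.
LOCKOUT_THRESHOLD = 5
OBSERVATION_WINDOW = timedelta(minutes=30)

FIELD_RE = re.compile(r"^\s*(User Name|Client Address|Failure Code):\s*(\S+)", re.M)
DATE_RE = re.compile(r"^Date:\s*(\S+)", re.M)
TIME_RE = re.compile(r"^Time:\s*(\S+ \S+)", re.M)


def _event(date, time, user, code, client):
    """Build one constructed event record in the quoted layout."""
    return (
        "Event Type:\tFailure Audit\nEvent Source:\tSecurity\nEvent ID:\t675\n"
        f"Date:\t\t{date}\nTime:\t\t{time}\nDescription:\nPre-authentication failed:\n"
        f"\tUser Name:\t{user}\n\tUser ID:\t\tDOMAIN\\{user}\n"
        "\tService Name:\tkrbtgt/DOMAIN.COM\n\tPre-Authentication Type:\t0x0\n"
        f"\tFailure Code:\t{code}\n\tClient Address:\t{client}\n\n"
    )


# Constructed sample: a process on 192.168.246.134 keeps retrying user1's old
# password (0x18) until the KDC answers 0x12; user2 only mistyped twice.
SAMPLE_LOG = "".join(
    [_event("01/02/2006", f"09:0{i}:05 AM", "user1", "0x18", "192.168.246.134") for i in range(6)]
    + [_event("01/02/2006", "09:06:05 AM", "user1", "0x12", "192.168.246.134")]
    + [_event("01/02/2006", "09:10:00 AM", "user2", "0x18", "192.168.246.201"),
       _event("01/02/2006", "09:11:00 AM", "user2", "0x18", "192.168.246.201")]
)


def parse_events(text):
    """Return pre-auth failure records as dicts with time, user, client, code."""
    events = []
    for block in text.split("Event Type:"):
        if "Pre-authentication failed:" not in block:
            continue
        fields = dict(FIELD_RE.findall(block))
        d, t = DATE_RE.search(block), TIME_RE.search(block)
        if not (d and t and "User Name" in fields):
            continue
        events.append({
            "time": datetime.strptime(f"{d.group(1)} {t.group(1)}", "%m/%d/%Y %I:%M:%S %p"),
            "user": fields["User Name"].lower(),
            "client": fields.get("Client Address", "?"),
            "code": int(fields.get("Failure Code", "0x0"), 16),
        })
    return events


def find_lockout_sources(events, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
    """Return {(user, client): max attempts seen inside one window} for pairs at/over threshold.

    Only 0x18 counts as a bad-password attempt; 0x12 events are the KDC
    reporting an already-locked account, so they are excluded.
    """
    per_pair = defaultdict(list)
    for ev in events:
        if ev["code"] == 0x18:
            per_pair[(ev["user"], ev["client"])].append(ev["time"])
    offenders = {}
    for pair, times in per_pair.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            offenders[pair] = best
    return offenders


def describe(code):
    """Human-readable meaning of a Kerberos failure code."""
    return FAILURE_CODES.get(code, "unknown failure code 0x%x" % code)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (user, client), n in find_lockout_sources(evs).items():
        print(f"{user} from {client}: {n} bad pre-auth attempts within the window")
    for ev in evs:
        print(ev["time"], ev["user"], ev["client"], describe(ev["code"]))
```

Run it against a text export of the DC's security log (or feed the parsed records in from whatever collector you use); the pair it reports is the host to log on to and run `klist` on, to see which process is still holding a ticket obtained with the old password.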
This is interesting. Probably has to do with the tokens issued to processes. Cool!