On Thu, 13 Jul 2017, Andy Thompson via FreeIPA-users wrote:
-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Wednesday, July 12, 2017 1:45 AM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Andy Thompson <andy.thomp...@e-tcc.com>
Subject: Re: [Freeipa-users] IPA to AD trust 4625 NULL SID logon failures

On Tue, 11 Jul 2017, Andy Thompson via FreeIPA-users wrote:
>We are troubleshooting an account lockout issue and came across the
>error below in the Windows DC event logs while investigating.  They are
>appearing in two of our environments, the third is quiet.  These are
>logged several times a minute and are likely unrelated to the lockout
>issue, but what IPA process could cause this?
I think these are anonymous connections and unrelated to your lockouts.


They definitely aren't related to the lockouts but what anonymous
connection would come from IPA?  I find it odd I'm only seeing it in
two of my environments this much but they all have AD trusts in place.

It is a by-product of IPA not fully supporting pass-through
authentication across the trust boundary yet. Winbindd on IPA master
needs to communicate back to AD DCs it trusts but it does not always
have secure channel credentials available so it uses anonymous
connections to probe first, then falls back to use of a TDO object.
It is part of internal Samba logic and is being refactored for Samba
4.7+.


--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
