Sometimes I see a big long blob of text regarding "DsCrackNames: Unsupported operation requested" in the logs. I've included a snippet of the lines before and 1 line after. It seems to be triggered by authentication, but only in some cases. [2018/09/04 09:28:58.206900, 3] ../auth/auth_log.c:220(log_json) JSON Authentication: {"timestamp": "2018-09-04T09:28:58.206849+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "NULL", "remoteAddress": "ipv4:xxx.xxx.x.xxx:54024", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "bram@xxxx", "workstation": null, "becameAccount": "bram", "becameDomain": "xxxx", "becameSid": "S-1-5-21-1031326947-955407334-2620008635-1164", "mappedAccount": "bram", "mappedDomain": "xxxx", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "arcfour-hmac-md5"}} [2018/09/04 09:29:00.764880, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable) Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[bram@xxxx.NET] at [Tue, 04 Sep 2018 09:29:00.764854 CEST] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:xxx.xxx.x.xxx:54049] became [xxxx]\[bram] [S-1-5-21-1031326947-955407334-2620008635-1164]. local host [NULL] [2018/09/04 09:29:00.765112, 3] ../auth/auth_log.c:220(log_json) JSON Authentication: {"timestamp": "2018-09-04T09:29:00.765022+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "NULL", "remoteAddress": "ipv4:xxx.xxx.x.xxx:54049", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "bram@xxxx.NET", "workstation": null, "becameAccount": "bram", "becameDomain": "xxxx", "becameSid": "S-1-5-21-1031326947-955407334-2620008635-1164", "mappedAccount": "bram", "mappedDomain": "xxxx", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "arcfour-hmac-md5"}} ted: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8../librpc/rpc/dcerpc_util.c:264: ERROR: pad length mismatch. Calculated 44 got 0 [2018/09/04 09:29:19.198001, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable) Auth: [LDAP,simple bind] user [(null)]\[zzzzzzzzzz@xxxx.NET] at [Tue, 04 Sep 2018 09:29:19.197959 CEST] with [Plaintext] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:xxx.xxx.x.10:43036] became [xxxx]\[zzzzzzzzzz] [S-1-5-21-1031326947-955407334-2620008635-4615]. local host [ipv4:xxx.xxx.x.2:389] .. Note: the line really starts with " ted:" (so space space...), this is not a copy-paste error. Hmmm, is this perhaps a problem in the JSON authentication logging (which I have enabled) where someone forgot to nul terminate a string? Just guessing due to the double space prefix. Have not looked at the code.