For samba it’s because you use nethserver-dc (samba4).
Fail2ban find attackers with a regex matching the bad login and extract the ip from it. Of course with the reverse proxy, the log line is probably different
I am the guilty here, i made the reverse - proxy feature, we probably will have more and more issues like this. Fail2ban could be adapted to the reverse proxy case
Cc @dev_team
This is the documentation of fail2ban