Logfile worries
Anne Wilson
cannewilson at tiscali.co.uk
Mon Sep 18 17:49:09 UTC 2006
On Monday 18 September 2006 17:59, Jeff Vian wrote:
> On Mon, 2006-09-18 at 09:49 +0100, Anne Wilson wrote:
> > I have logwatch mailing me daily about activity. This morning the report
> > from this box has the following lines in the samba section:
> >
> > auth/auth_util.c:create_builtin_administrators(763)
> > create_builtin_administrators: Failed to create Administrators : 11 Time(s)
> > auth/auth_util.c:create_builtin_users(729)
> > create_builtin_users: Failed to create Users : 11 Time(s)
> > auth/auth_util.c:create_local_nt_token(872)
> > create_local_nt_token: Failed to create BUILTIN\Administrators group! : 11 Time(s)
> > auth/auth_util.c:create_local_nt_token(899)
> > create_local_nt_token: Failed to create BUILTIN\Administrators group! : 11 Time(s)
> >
> > It is a fact that we have problems when trying to connect an XP laptop to
> > a linux share on this box. I often have to try several times before I
> > can get it to accept the password for that user, and this happened
> > yesterday. However, I have never before seen messages like the ones
> > listed here.
> >
> > Can someone please tell me what happened, according to those messages?
> > Should I be worried?
>
> I would be.
>
> It is not likely a threat unless it is open on the internet with samba,
> but definitely shows that the remote client connecting via samba is not
> properly configured. If you properly configure the client this would
> not be getting logged.
>
I'm not too happy, either.
> Even more of concern is why the client is trying to connect as
> Administrator. Are you running as administrator on that machine? If so
> there is plenty of risk on the client as well.
>
Yes. This is XP. Running as a non-administrator is so crippled as to be
useless, and realistically no windows-user is going to learn that there is
something equivalent to su - in fact I had not heard of it until this
morning, either.

The logfiles on this box (the one that reported) show that those messages are
related to the unsuccessful log-ins. That particular laptop is never used
outside the home, so that rules out many possibilities. It does, though,
show some peculiarities that I can't explain. I need to talk more about this
XP laptop if I'm to understand what's happening, so please bear with me.

My Network Places brings up many icons for shared directories on various boxes
on the LAN. Some of those icons refer to a server that is no longer there.
Before there can be any successful login it seems to be necessary to force a
re-scan of the LAN. I've no idea why the result of that isn't reflected next
time she tries to connect.

Yesterday, I was working on her laptop. I know I gave the correct username
and password, but it was rejected. Doubting for a moment, I tried another
password she uses but that also failed, twice, before the original password
was accepted. The other thing I noticed was that when I tried the correct
password it was simply rejected, whereas when I tried the alternative one the
screen blinked before offering the login dialogue (with fields filled in)
again.

This user is a cautious user, who wouldn't dream of using peer-to-peer or
visiting dodgy websites. She keeps her AV software up to date and scans
daily.

I can think of no way in which that laptop is configured differently to other
windows boxes on the LAN. Do you have anything specific in mind when you
talk about 'properly configured'?

Anne