
Re: Logfile worries



On Monday 18 September 2006 17:59, Jeff Vian wrote:
> On Mon, 2006-09-18 at 09:49 +0100, Anne Wilson wrote:
> > I have logwatch mailing me daily about activity.  This morning the report
> > from this box has the following lines in the samba section:
> >
> >  auth/auth_util.c:create_builtin_administrators(763)
> > create_builtin_administrators: Failed to create Administrators : 11
> > Time(s) auth/auth_util.c:create_builtin_users(729)  create_builtin_users:
> > Failed to create Users : 11 Time(s)
> >  auth/auth_util.c:create_local_nt_token(872)  create_local_nt_token:
> > Failed to create BUILTIN\Administrators group! : 11 Time(s)
> >  auth/auth_util.c:create_local_nt_token(899)  create_local_nt_token:
> > Failed to create BUILTIN\Administrators group! : 11 Time(s)
> >
> > It is a fact that we have problems when trying to connect an XP laptop to
> > a linux share on this box.  I often have to try several times before I
> > can get it to accept the password for that user, and this happened
> > yesterday. However, I have never before seen messages like the ones
> > listed here.
> >
> > Can someone please tell me what happened, according to those messages? 
> > Should I be worried?
>
> I would be.
>
> It is not likely a threat unless it is open on the internet with samba,
> but definitely shows that the remote client connecting via samba is not
> properly configured.  If you properly configure the client this would
> not be getting logged.
>
I'm not too happy, either.

> Even more of concern is why the client is trying to connect as
> Administrator.  Are you running as administrator on that machine?  If so
> there is plenty of risk on the client as well.
>
Yes.  This is XP.  Running as a non-administrator is so crippled as to be 
useless, and realistically no windows-user is going to learn that there is 
something equivalent to su - in fact I had not heard of it until this 
morning, either.

The logfiles on this box (the one that reported) show that those messages are 
related to the unsuccessful log-ins.  That particular laptop is never used 
outside the home, so that rules out many possibilities.  It does, though, 
show some peculiarities that I can't explain.  I need to talk more about this 
XP laptop if I'm to understand what's happening, so please bear with me.

My Network Places brings up many icons for shared directories on various boxes 
on the LAN.  Some of those icons refer to a server that is no longer there.  
Before there can be any successful login it seems to be necessary to force a 
re-scan of the LAN.  I've no idea why the result of that isn't reflected next 
time she tries to connect.

Yesterday, I was working on her laptop.  I know I gave the correct username 
and password, but it was rejected.  Doubting for a moment, I tried another 
password she uses but that also failed, twice, before the original password 
was accepted.  The other thing I noticed was that when I tried the correct 
password it was simply rejected, whereas when I tried the alternative one the 
screen blinked before offering the login dialogue (with fields filled in) 
again.

This user is a cautious user, who wouldn't dream of using peer-to-peer or 
visiting dodgy websites.  She keeps her AV software up to date and scans 
daily.

I can think of no way in which that laptop is configured differently to other 
windows boxes on the LAN.  Do you have anything specific in mind when you 
talk about 'properly configured'?

Anne
