browser issue? hacking issue? HHEELLPP!!!

Meyer, Aaron Aaron.Meyer at BakerHughes.com
Thu Nov 15 14:00:40 GMT 2001


I'm talking out my ass here, but here it goes anyway.

As I understand it, there are certain connections that are made between smb
systems that use the guest account, like listing machines in the workgroup
(domain listing, I think, uses a validated user id, as long as the client is
Samba, WinNT, or Win2000). You might check your smb.conf; there may be a line
called "guest = nobody" or similar. Check if your Linux/Unix account for
nobody exists. When you do a `testparm` it should output the entire
taken-for-granted smb.conf; look at this for the guest = xxx line. Make sure
that user exists.

Ok, there was my tw0 cents worth.

		Aaron Meyer  LNXRLZ, MSSKS, 2kBLWS


-----Original Message-----
From: Tony Ricker [mailto:rickera2 at SLU.EDU]
Sent: Thursday, November 15, 2001 2:16 PM
To: Samba NT-Dom
Subject: browser issue? hacking issue? HHEELLPP!!!



All,
    I have a question that I think I narrowed down the issue, but
still have not seen the answer. In the logs, I see the following....

Snip.....
Oct 29 18:32:59 sifl smbd[8811]:   authorise_login: rejected invalid user nobody
Oct 29 18:32:59 sifl smbd[8811]:   authorise_login: rejected invalid user nobody
Oct 29 18:44:59 sifl smbd[8814]:   authorise_login: rejected invalid user nobody
Oct 29 18:44:59 sifl smbd[8814]:   authorise_login: rejected invalid user nobody
Oct 29 18:56:59 sifl smbd[8817]:   authorise_login: rejected invalid user nobody
Oct 29 18:56:59 sifl smbd[8817]:   authorise_login: rejected invalid user nobody
.....End snip

Know that this happens pretty much every hour of every day, with some
thrown in at odd times. Notice that these are 12 minutes apart, which
had me wondering. After looking into it, I found out that every 12
minutes a master browser will send a server announcement every 12
minutes for (3) 12 minute periods. Thinking harder... But I still have
no ideas as to what the user nobody is trying to authenticate. In my
smb.conf (2.2.2 on Redhat 7.1) here is the relative info....

preferred master=yes
master browser=yes
local master=yes
domain master=yes
domain logons=yes

Anyone have this issue before? If so, any ideas as to what is happening?
In my research, I have found (correct if I am wrong) that the user nobody
is used if a user does not authenticate correctly, and samba will try and
use the nobody account; also if a share is double clicked in network
'hood, it will try and authenticate using the user nobody. I am at a loss
as to what is happening and could use any and all help/damnations. If
anyone needs more info, please let me know.

Cheers,

Tony
-------------------------------
Tony Ricker
Technology Coordinator
SLUCare - P.M.O.
St. Louis University
Phone:  314.977.6844
E-mail: rickera2 at slu.edu
-------------------------------
"In the beginners mind, there
are many possibilities. In the
experts mind, there are few"
- Shunryu Suzuki
-------------------------------
"Think Different"
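
An added example, not part of either message in this thread: a small log triage script that separates rejected logins arriving on the 12-minute cycle described above from ones arriving at irregular times. The function names, the year, the 30-second tolerance, and the choice to count any whole multiple of 12 minutes as on-cycle are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the "nobody" lines follow the log excerpt in the post
# (unwrapped); the 19:32:59 line and all "testuser" lines are invented.
SAMPLE_LOG = """\
Oct 29 18:32:59 sifl smbd[8811]:   authorise_login: rejected invalid user nobody
Oct 29 18:32:59 sifl smbd[8811]:   authorise_login: rejected invalid user nobody
Oct 29 18:33:10 sifl smbd[8812]:   authorise_login: rejected invalid user testuser
Oct 29 18:33:14 sifl smbd[8812]:   authorise_login: rejected invalid user testuser
Oct 29 18:41:02 sifl smbd[8813]:   authorise_login: rejected invalid user testuser
Oct 29 18:44:59 sifl smbd[8814]:   authorise_login: rejected invalid user nobody
Oct 29 18:56:59 sifl smbd[8817]:   authorise_login: rejected invalid user nobody
Oct 29 19:32:59 sifl smbd[8820]:   authorise_login: rejected invalid user nobody
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smbd\[\d+\]:\s+"
    r"authorise_login: rejected invalid user (\S+)$")

def parse_rejections(text, year=2001):
    """Return {user: sorted distinct timestamps} of rejected logins."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # syslog lines carry no year, so it is supplied (assumption)
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            seen[m.group(2)].add(ts)  # the set collapses duplicated entries
    return {user: sorted(stamps) for user, stamps in seen.items()}

def classify(times, period=timedelta(minutes=12), tolerance=timedelta(seconds=30)):
    """'periodic' if every gap is a whole multiple of period, within tolerance."""
    if len(times) < 3:
        return "too-few-events"
    p, tol = period.total_seconds(), tolerance.total_seconds()
    for earlier, later in zip(times, times[1:]):
        gap = (later - earlier).total_seconds()
        n = round(gap / p)
        if n < 1 or abs(gap - n * p) > tol:
            return "irregular"
    return "periodic"

def summarize(text):
    """Map each rejected user name to 'periodic', 'irregular' or 'too-few-events'."""
    return {user: classify(t) for user, t in parse_rejections(text).items()}

if __name__ == "__main__":
    for user, verdict in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{user}: {verdict}")
```

A "periodic" verdict only says the timing matches the announcement cycle; the guest account mapping in smb.conf still has to be checked with `testparm` as suggested in the reply.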

