[Samba] Netatalk connection on Samba machine account - security breach?

Andreas K. Huettel Andreas.Huettel at Physik.Uni-Muenchen.DE
Tue Jun 4 03:04:02 GMT 2002


[please cc to my address]

Dear Samba and Netatalk experts,

I've got a server running both samba 2.2.3a as PDC and netatalk (1.5pre7
as supplied by SuSE73). Samba machine accounts are added to /etc/passwd
automatically by the command

add user script = /usr/sbin/useradd -d /dev/null  -g 90 -s /bin/false -M %u

when an NT machine is added to the Windows domain. Now, strangely, I find in
the logfiles logins on the AppleTalk service using one of these machine
accounts (curlywurly$)! (see syslog below)

First thing I did was manually exclude the group "machines" (80) from any
atalk connection. Now, should I worry about what happened? How can I find
out more?

Jun  4 10:15:27 coke afpd[15109]: session from 2000.x:y on 2001.x:y
Jun  4 10:15:27 coke afpd[15109]: dhx login: curlywurly$
Jun  4 10:15:32 coke afpd[15110]: session from 2000.x:y on 2001.x:y
Jun  4 10:15:32 coke afpd[15110]: dhx login: curlywurly$
Jun  4 10:15:37 coke afpd[15109]: atp_rresp: Connection timed out
Jun  4 10:15:40 coke afpd[15111]: session from 2000.x:y on 2001.x:y
Jun  4 10:15:40 coke afpd[15111]: dhx login: curlywurly$
Jun  4 10:15:40 coke afpd[15111]: 0.04KB read, 5.18KB written
Jun  4 10:15:40 coke afpd[15111]: done
Jun  4 10:15:40 coke afpd[29643]: server_child[0] 15111 done
Jun  4 10:15:42 coke afpd[15110]: atp_rresp: Connection timed out
Jun  4 10:15:47 coke afpd[15109]: afp_die: asp_shutdown: Connection timed out
Jun  4 10:15:47 coke afpd[15109]: 0.12KB read, 5.18KB written
Jun  4 10:15:47 coke afpd[29643]: server_child[0] 15109 done
Jun  4 10:15:52 coke afpd[15110]: afp_die: asp_shutdown: Connection timed out
Jun  4 10:15:52 coke afpd[15110]: 0.12KB read, 5.18KB written

If you need any more information, please contact me.

kind regards, Andreas


---------------------------------------------------------------------
Dipl.-Phys. Andreas K. Huettel          tel. +49 89 2180 3349 (univ.)
Sektion Physik der LMU                  fax  +49 89 2180 2069 (univ.)
LS Prof. J.P. Kotthaus                                 huettel at lmu.de
Geschwister-Scholl-Platz 1                       andreas at akhuettel.de
80539 Muenchen                 andreas.huettel at physik.uni-muenchen.de
Germany                             http://www.akhuettel.de/research/
---------------------------------------------------------------------
Please use GNUPG or PGP for signed and encrypted email. My public key
can be found at  http://www.akhuettel.de/pgp_key.html
---------------------------------------------------------------------
Reason #135 why you can't find your system administrator: He joined a
cult practicing Windoze XP.
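
Added example, not part of the original post: one way to pull every afpd session that logged in with a machine account (name ending in "$") out of syslog, joined by afpd child PID to its source address and transfer sizes. The sample log is constructed in the format shown above; the host "srv" and the accounts "wks01$" and "alice" are assumptions, as are the function and pattern names.

```python
import re
from collections import defaultdict

# Constructed sample in the afpd syslog format quoted in the post.
SAMPLE_LOG = """\
Jun  4 10:15:27 srv afpd[15109]: session from 2000.x:y on 2001.x:y
Jun  4 10:15:27 srv afpd[15109]: dhx login: wks01$
Jun  4 10:15:40 srv afpd[15111]: session from 2000.x:y on 2001.x:y
Jun  4 10:15:40 srv afpd[15111]: dhx login: alice
Jun  4 10:15:40 srv afpd[15111]: 0.04KB read, 5.18KB written
Jun  4 10:15:47 srv afpd[15109]: 0.12KB read, 5.18KB written
"""

# Syslog prefix: timestamp, host, afpd[PID], then the message text.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ afpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SESSION = re.compile(r"^session from (?P<src>\S+) on ")
LOGIN = re.compile(r"^(?P<uam>\S+) login: (?P<user>\S+)$")
XFER = re.compile(r"^(?P<rd>[\d.]+)KB read, (?P<wr>[\d.]+)KB written$")


def machine_account_sessions(log_text):
    """Return one record per afpd child whose login name ends in '$'.

    Records are keyed by PID, so feed this one log file at a time:
    PIDs are reused eventually and would merge unrelated sessions.
    """
    by_pid = defaultdict(dict)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an afpd line
        rec, msg = by_pid[m["pid"]], m["msg"]
        if s := SESSION.match(msg):
            rec["src"] = s["src"]
        elif l := LOGIN.match(msg):
            rec.update(ts=m["ts"], uam=l["uam"], user=l["user"])
        elif x := XFER.match(msg):
            rec.update(kb_read=float(x["rd"]), kb_written=float(x["wr"]))
    return [dict(pid=pid, **rec) for pid, rec in by_pid.items()
            if rec.get("user", "").endswith("$")]


if __name__ == "__main__":
    for hit in machine_account_sessions(SAMPLE_LOG):
        print(hit)
```

A record with no kb_read/kb_written fields means the session's closing line was not in the log that was scanned.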








