Andreas K. Huettel
2002-Jun-04 03:04 UTC
[Samba] Netatalk connection on Samba machine account - security breach?
[please cc to my address]

Dear Samba and Netatalk experts,

I've got a server running both samba 2.2.3a as PDC and netatalk (1.5pre7 as supplied by SuSE73). Samba machine accounts are added to /etc/passwd automatically by the command

  add user script = /usr/sbin/useradd -d /dev/null -g 90 -s /bin/false -M %u

when an NT machine is added to the Windows domain.

Now strangely I find in the logfiles logins on the appletalk service using one of these machine accounts (curlywurly$)! (see syslog below)

First thing I did was manually exclude the group "machines" (80) from any atalk connection.

Now, should I worry about what happened? How can I find out more?

  Jun 4 10:15:27 coke afpd[15109]: session from 2000.x:y on 2001.x:y
  Jun 4 10:15:27 coke afpd[15109]: dhx login: curlywurly$
  Jun 4 10:15:32 coke afpd[15110]: session from 2000.x:y on 2001.x:y
  Jun 4 10:15:32 coke afpd[15110]: dhx login: curlywurly$
  Jun 4 10:15:37 coke afpd[15109]: atp_rresp: Connection timed out
  Jun 4 10:15:40 coke afpd[15111]: session from 2000.x:y on 2001.x:y
  Jun 4 10:15:40 coke afpd[15111]: dhx login: curlywurly$
  Jun 4 10:15:40 coke afpd[15111]: 0.04KB read, 5.18KB written
  Jun 4 10:15:40 coke afpd[15111]: done
  Jun 4 10:15:40 coke afpd[29643]: server_child[0] 15111 done
  Jun 4 10:15:42 coke afpd[15110]: atp_rresp: Connection timed out
  Jun 4 10:15:47 coke afpd[15109]: afp_die: asp_shutdown: Connection timed out
  Jun 4 10:15:47 coke afpd[15109]: 0.12KB read, 5.18KB written
  Jun 4 10:15:47 coke afpd[29643]: server_child[0] 15109 done
  Jun 4 10:15:52 coke afpd[15110]: afp_die: asp_shutdown: Connection timed out
  Jun 4 10:15:52 coke afpd[15110]: 0.12KB read, 5.18KB written

If you need any more information, please contact me.

kind regards,
Andreas

---------------------------------------------------------------------
Dipl.-Phys. Andreas K. Huettel   tel. +49 89 2180 3349 (univ.)
Sektion Physik der LMU           fax +49 89 2180 2069 (univ.)
LS Prof. J.P. Kotthaus           huettel@lmu.de
Geschwister-Scholl-Platz 1       andreas@akhuettel.de
80539 Muenchen                   andreas.huettel@physik.uni-muenchen.de
Germany                          http://www.akhuettel.de/research/
---------------------------------------------------------------------
Please use GNUPG or PGP for signed and encrypted email. My public key can be found at http://www.akhuettel.de/pgp_key.html
---------------------------------------------------------------------
Reason #135 why you can't find your system administrator: He joined a cult practicing Windoze XP.
Thomas Kaiser
2002-Jun-04 09:16 UTC
[Samba] Re: [Netatalk-admins] Netatalk connection on Samba machine account - security breach?
On 04.06.2002 11:59 Andreas K. Huettel wrote:

> Now strangely I find in the logfiles logins on the appletalk service using one
> of these machine accounts (curlywurly$)! (see syslog below)

There were 3 attempts to fetch the volume list from the netatalk server (PIDs 15109, 15110 and 15111) that used the login name "curlywurly$" but didn't supply a correct password. The connection attempts have been established over AppleTalk (do you allow AFP over TCP connections, too? -- compare with your afpd.conf settings) and the AFP client was capable of the newest User Authentication Method, DHX.

> First thing I did was manually exclude the group "machines" (80) from any
> atalk connection.

I believe you mean afp connection? AppleTalk itself isn't that easy to filter ;-)

> Now, should I worry about what happened?

I don't think so. Maybe on one of the PCs one of the students installed PCMacLAN (an AppleTalk-capable AFP client and server) and played around a bit in your LAN, trying to connect to different AFP servers.

> How can I find out more?

Run 'nbplkup' on your linux box and search for occurrences of the given net.node combination (2000.x in your examples). The net range of the client leads me to believe that you have AppleTalk routing activated. In this case, you must first find out in which zone you should search, or you just walk thru all the zones available ;-)

  #!/bin/sh
  # List every AppleTalk zone known to the router, then the NBP entities
  # registered in each one. Zones are read line by line so that zone
  # names containing spaces stay intact.
  getzones | while read -r zone
  do
      echo "Search for devices in zone \"$zone\":"
      nbplkup "@$zone"
      echo
  done
  exit 0

If you find the machine, then run either 'ServerInfo' on a Macintosh or asip-status.pl to examine whether it is also an AFP server; it will give you its TCP/IP address as an answer to your FPGetSrvrInfo request:

<http://www.macula.se/serverinfo/index.htm>
<http://users.phg-online.de/tk/asip-status.pl.tgz>

Regards, Thomas, who recommends upgrading to netatalk 1.5.3.1 --> 'semi-official' SuSE-RPMs available at <ftp://ftp.suse.com/pub/people/olh/netatalk/1.5.0/>
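Thomas's reading of the syslog (one afpd child per attempt, each logging a "dhx login:" for the machine account and then either timing out or finishing) can be applied mechanically so that such logins stand out in a log review. The following is an added example, not code from either poster: it parses afpd syslog lines (the excerpt from the original post, embedded as a constructed sample), groups them by child PID, and flags sessions whose login name ends in "$", the Samba machine-account naming convention.

```python
import re
from collections import defaultdict

# Constructed sample: the afpd syslog lines quoted in the original post.
SAMPLE_LOG = """\
Jun  4 10:15:27 coke afpd[15109]: session from 2000.x:y on 2001.x:y
Jun  4 10:15:27 coke afpd[15109]: dhx login: curlywurly$
Jun  4 10:15:32 coke afpd[15110]: session from 2000.x:y on 2001.x:y
Jun  4 10:15:32 coke afpd[15110]: dhx login: curlywurly$
Jun  4 10:15:37 coke afpd[15109]: atp_rresp: Connection timed out
Jun  4 10:15:40 coke afpd[15111]: session from 2000.x:y on 2001.x:y
Jun  4 10:15:40 coke afpd[15111]: dhx login: curlywurly$
Jun  4 10:15:40 coke afpd[15111]: 0.04KB read, 5.18KB written
Jun  4 10:15:40 coke afpd[15111]: done
Jun  4 10:15:40 coke afpd[29643]: server_child[0] 15111 done
Jun  4 10:15:42 coke afpd[15110]: atp_rresp: Connection timed out
Jun  4 10:15:47 coke afpd[15109]: afp_die: asp_shutdown: Connection timed out
"""

# syslog prefix, host, afpd[pid], then the free-text message
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) afpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

def parse_afpd_sessions(text):
    """Group afpd lines by child PID; return {pid: {client, user, uam, events}}."""
    sessions = defaultdict(lambda: {"client": None, "user": None, "uam": None, "events": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an afpd line
        s, msg = sessions[m["pid"]], m["msg"]
        if msg.startswith("session from "):
            s["client"] = msg.split()[2]  # AppleTalk net.node:socket of the client
        elif " login: " in msg:
            s["uam"], s["user"] = msg.split(" login: ", 1)  # UAM (e.g. dhx), login name
        s["events"].append(msg)
    return dict(sessions)

def session_outcome(s):
    """'timed out' if the child died on a timeout, 'done' if it finished, else 'open'."""
    if any("Connection timed out" in e for e in s["events"]):
        return "timed out"
    return "done" if "done" in s["events"] else "open"

def machine_account_logins(sessions):
    """Sessions whose login name ends in '$' (Samba machine-account convention)."""
    return {pid: s for pid, s in sessions.items() if s["user"] and s["user"].endswith("$")}

if __name__ == "__main__":
    for pid, s in sorted(machine_account_logins(parse_afpd_sessions(SAMPLE_LOG)).items()):
        print(pid, s["user"], s["uam"], s["client"], session_outcome(s))
```

Pointing the script at /var/log/messages instead of SAMPLE_LOG gives the same per-PID view for a whole day of afpd traffic.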