On Fri, Dec 30, 2011 at 3:59 PM, Camaleón <noelamac at gmail.com> wrote:
> On Fri, 30 Dec 2011 10:48:42 +0000, Bruno Martins wrote:
>
>> I am having this problem, and it gets logged every second:
>>
>> Dec 25 07:49:51 sputnik gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=joe
>> Dec 25 07:49:51 sputnik gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): getting password (0x00000388)
>> Dec 25 07:49:51 sputnik gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): pam_get_item returned a password
>> Dec 25 07:49:51 sputnik gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
>
> (...)
>
>> I have no idea what I can do to solve this.
>
> Does user "joe" exist in the system? :-?
>
>> My setup includes winbind authentication. May this be related?
>
> It can be "indirectly" related but I don't think winbind is generating
> those messages on its own... is it possible that the system can be
> accessed remotely (by means of VNC, SSH...)? The logs remind me of some
> kind of password dictionary attack.
>
> Greetings,
>
> --
> Camaleón
>
User 'joe' exists as a local user, not as an AD user. This server is
accessed by SSH and also using xrdp.
My first thoughts were precisely that - an attack.
This is my nsswitch.conf file:
root@sputnik:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Best regards,
Bruno Martins
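
An added example, not part of the original thread: one way to triage pam_unix failure records like the one quoted above, separating those logged with an empty rhost= (the gnome-screensaver record, tty=:0.0) from those that name a remote host, and listing remote hosts that failed against several account names. The sshd lines, the address 203.0.113.7 and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# pam_unix failure record, e.g. the gnome-screensaver line quoted in the thread.
PAM_FAIL = re.compile(r"pam_unix\(([^:)]+):auth\): authentication failure;(.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_failure(line):
    """Return the key=value fields plus 'service', or None for other lines."""
    m = PAM_FAIL.search(line)
    if not m:
        return None
    rec = dict(FIELD.findall(m.group(2)))
    rec["service"] = m.group(1)
    return rec

def summarize(lines):
    """Count failures per (service, origin) and collect the targeted users."""
    summary = defaultdict(lambda: {"count": 0, "users": set()})
    for line in lines:
        rec = parse_failure(line)
        if rec is None:
            continue
        # rhost= is empty when the calling service set no remote host.
        origin = rec.get("rhost") or "local tty=" + (rec.get("tty") or "?")
        entry = summary[(rec["service"], origin)]
        entry["count"] += 1
        entry["users"].add(rec.get("user", ""))
    return dict(summary)

def remote_guessing(summary, min_users=3):
    """Remote origins that failed against several distinct account names."""
    return sorted(origin for (_svc, origin), e in summary.items()
                  if not origin.startswith("local ") and len(e["users"]) >= min_users)

SSH = "Dec 25 07:50:0%d sputnik sshd[4211]: pam_unix(sshd:auth): authentication failure; " \
      "logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=%s"
SAMPLE = [
    # First two records are from the thread (line wraps rejoined).
    "Dec 25 07:49:51 sputnik gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): "
    "authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=joe",
    "Dec 25 07:49:51 sputnik gnome-screensaver-dialog: "
    "pam_winbind(gnome-screensaver:auth): getting password (0x00000388)",
    # Constructed sshd records from a documentation address (RFC 5737).
    SSH % (1, "root"), SSH % (2, "admin"), SSH % (3, "test"),
]

if __name__ == "__main__":
    for key, entry in summarize(SAMPLE).items():
        print(key, entry["count"], sorted(entry["users"]))
    print("remote guessing candidates:", remote_guessing(summarize(SAMPLE)))
```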