On Monday 18 September 2006 17:59, Jeff Vian wrote:
> On Mon, 2006-09-18 at 09:49 +0100, Anne Wilson wrote:
> > I have logwatch mailing me daily about activity. This morning the report
> > from this box has the following lines in the samba section:
> >
> > auth/auth_util.c:create_builtin_administrators(763)
> > create_builtin_administrators: Failed to create Administrators : 11
> > Time(s) auth/auth_util.c:create_builtin_users(729) create_builtin_users:
> > Failed to create Users : 11 Time(s)
> > auth/auth_util.c:create_local_nt_token(872) create_local_nt_token:
> > Failed to create BUILTIN\Administrators group! : 11 Time(s)
> > auth/auth_util.c:create_local_nt_token(899) create_local_nt_token:
> > Failed to create BUILTIN\Administrators group! : 11 Time(s)
> >
> > It is a fact that we have problems when trying to connect an XP laptop to
> > a linux share on this box. I often have to try several times before I
> > can get it to accept the password for that user, and this happened
> > yesterday. However, I have never before seen messages like the ones
> > listed here.
> >
> > Can someone please tell me what happened, according to those messages?
> > Should I be worried?
>
> I would be.
>
> It is not likely a threat unless it is open on the internet with samba,
> but definitely shows that the remote client connecting via samba is not
> properly configured. If you properly configure the client this would
> not be getting logged.
>
I'm not too happy, either.

> Even more of concern is why the client is trying to connect as
> Administrator. Are you running as administrator on that machine? If so
> there is plenty of risk on the client as well.
>
Yes. This is XP. Running as a non-administrator is so crippled as to be useless, and realistically no windows-user is going to learn that there is something equivalent to su - in fact I had not heard of it until this morning, either.

The logfiles on this box (the one that reported) show that those messages are related to the unsuccessful log-ins. That particular laptop is never used outside the home, so that rules out many possibilities. It does, though, show some peculiarities that I can't explain.

I need to talk more about this XP laptop if I'm to understand what's happening, so please bear with me. My Network Places brings up many icons for shared directories on various boxes on the LAN. Some of those icons refer to a server that is no longer there. Before there can be any successful login it seems to be necessary to force a re-scan of the LAN. I've no idea why the result of that isn't reflected next time she tries to connect.

Yesterday, I was working on her laptop. I know I gave the correct username and password, but it was rejected. Doubting for a moment, I tried another password she uses but that also failed, twice, before the original password was accepted. The other thing I noticed was that when I tried the correct password it was simply rejected, whereas when I tried the alternative one the screen blinked before offering the login dialogue (with fields filled in) again.

This user is a cautious user, who wouldn't dream of using peer-to-peer or visiting dodgy websites. She keeps her AV software up to date and scans daily. I can think of no way in which that laptop is configured differently to other windows boxes on the LAN. Do you have anything specific in mind when you talk about 'properly configured'?

Anne