From: Brian Inglis <Brian.Inglis@Shaw.ca>
To: cygwin@cygwin.com
Cc: Tobias Wendorff <tobias.wendorff@tu-dortmund.de>
Subject: Re: observation: masses of requests to LDAP
Date: Sun, 22 Jan 2023 12:24:36 -0700 [thread overview]
Message-ID: <4cf463fc-38a2-0dd2-7bea-c7293abbd754@Shaw.ca> (raw)
In-Reply-To: <ae73845c-b970-37ab-f429-65b15cf8540c@tu-dortmund.de>
On 2023-01-22 07:32, Tobias Wendorff via Cygwin wrote:
> our IT department has informed me that masses of requests are being sent from my
> computer to our two LDAP servers on port 389. After a detailed investigation,
> the problem could be clearly traced back to "cygwin".
That is required for Cygwin to emulate POSIX permissions and ACLs: see security
and domain info in:
/usr/share/doc/cygwin-doc/html/cygwin-ug-net/cygwin-ug-net.html
/usr/share/doc/cygwin-doc/cygwin-ug-net.pdf
or the equivalant online docs:
https://cygwin.com/cygwin-ug-net.html
https://cygwin.com/cygwin-ug-net/cygwin-ug-net.html
https://cygwin.com/cygwin-ug-net/cygwin-ug-net.pdf
https://cygwin.com/faq.html
Your IT folks could contact peers at Aachen, Bochum, Dresden, Esslingen, FAU who
provide Cygwin mirrors, probably use it in courses, and have experience with it;
see:
https://cygwin.com/mirrors.html
> Firewall logs show that about any tool, even base tools "sort" or "less",
> initiates a request to port 389 on our LDAP servers.
Each process needs access to your credentials, groups, and memberships, and
pulls them for domain accounts on domain members.
> Sorry, I am _not_ going to release "cygcheck.out" to public, since it contains
> sensitive information about the domain and its groups and memberships.
It is acceptable to anonymize or summarize information in cygcheck output.
In this case, counts of ids, groups, and memberships might help.
> Even after reinstalling cygwin from another server, the problem still appears.
> Could it be that this is part of an attack?
Definitely not, this is normal behaviour.
Your first step should be to run cygserver to cache SAM and AD info on each
system using cygwin on domain members.
Your second step should be to review /etc/nsswitch.conf settings for searching
and possibly set:
db_enum: cache local primary builtin
or maybe:
db_enum: cache local primary alltrusted
or if connecting from home maybe:
db_enum: cache local primary domain.tld
Check the mainling list archives for previous posts about domain settings.
--
Take care. Thanks, Brian Inglis Calgary, Alberta, Canada
La perfection est atteinte Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer but when there is no more to cut
-- Antoine de Saint-Exupéry
next prev parent reply other threads:[~2023-01-22 19:24 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-22 14:32 Tobias Wendorff
2023-01-22 19:24 ` Brian Inglis [this message]
2023-01-22 19:26 ` Corinna Vinschen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4cf463fc-38a2-0dd2-7bea-c7293abbd754@Shaw.ca \
--to=brian.inglis@shaw.ca \
--cc=cygwin@cygwin.com \
--cc=tobias.wendorff@tu-dortmund.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).