From: Brian Inglis
Organization: Inglis
Date: Sun, 22 Jan 2023 12:24:36 -0700
Subject: Re: observation: masses of requests to LDAP
To: cygwin@cygwin.com
Cc: Tobias Wendorff
Reply-To: cygwin@cygwin.com
Message-ID: <4cf463fc-38a2-0dd2-7bea-c7293abbd754@Shaw.ca>

On 2023-01-22 07:32, Tobias Wendorff via Cygwin wrote:
> our IT department has informed me that masses of requests are being sent from my
> computer to our two LDAP servers on port 389. After a detailed investigation,
> the problem could be clearly traced back to "cygwin".

That is required for Cygwin to emulate POSIX permissions and ACLs: see security and domain info in:

	/usr/share/doc/cygwin-doc/html/cygwin-ug-net/cygwin-ug-net.html
	/usr/share/doc/cygwin-doc/cygwin-ug-net.pdf

or the equivalent online docs:

	https://cygwin.com/cygwin-ug-net.html
	https://cygwin.com/cygwin-ug-net/cygwin-ug-net.html
	https://cygwin.com/cygwin-ug-net/cygwin-ug-net.pdf
	https://cygwin.com/faq.html

Your IT folks could contact peers at Aachen, Bochum, Dresden, Esslingen, FAU who provide Cygwin mirrors, probably use it in courses, and have experience with it; see:

	https://cygwin.com/mirrors.html

> Firewall logs show that about any tool, even base tools "sort" or "less",
> initiates a request to port 389 on our LDAP servers.

Each process needs access to your credentials, groups, and memberships, and pulls them for domain accounts on domain members.

> Sorry, I am _not_ going to release "cygcheck.out" to public, since it contains
> sensitive information about the domain and its groups and memberships.

It is acceptable to anonymize or summarize information in cygcheck output. In this case, counts of ids, groups, and memberships might help.

> Even after reinstalling cygwin from another server, the problem still appears.
> Could it be that this is part of an attack?

Definitely not, this is normal behaviour.

Your first step should be to run cygserver to cache SAM and AD info on each system using cygwin on domain members.

Your second step should be to review /etc/nsswitch.conf settings for searching and possibly set:

	db_enum: cache local primary builtin

or maybe:

	db_enum: cache local primary alltrusted

or if connecting from home maybe:

	db_enum: cache local primary domain.tld

Check the mailing list archives for previous posts about domain settings.

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

Perfection is achieved
not when there is no more to add
but when there is no more to cut
                                -- Antoine de Saint-Exupéry
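An added example, not code from the Cygwin project or from either poster: it parses the db_enum line of a Cygwin /etc/nsswitch.conf and checks it against the three settings the reply suggests, flagging a configuration that never consults the cygserver cache. The constructed sample configs, the "domain.tld" placeholder and the source names are taken from the reply; whether a given setting actually stops the per-process directory lookups is the reply's claim and is not verified by the script.

```python
# Added example (not from the Cygwin project or the mailing-list post):
# audit the db_enum line of a Cygwin /etc/nsswitch.conf against the
# settings suggested in the reply above.
import re

# Settings quoted in the reply; "domain.tld" stands for the real domain name.
RECOMMENDED = {
    "domain member": "cache local primary builtin",
    "all trusted domains": "cache local primary alltrusted",
    "from home": "cache local primary domain.tld",
}

def parse_db_enum(conf_text):
    """Return the db_enum source list, or None if the line is absent.
    Comments (#) and surrounding whitespace are ignored."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"db_enum\s*:\s*(.*)$", line, re.IGNORECASE)
        if m:
            return m.group(1).split()
    return None

def audit_db_enum(conf_text):
    """Return (problems, matched): problems is a list of findings, matched is
    the name of the recommended setting the line equals, or None."""
    sources = parse_db_enum(conf_text)
    problems = []
    if sources is None:
        return ["db_enum not set; review it explicitly"], None
    if "cache" not in sources:
        problems.append("cygserver cache not consulted: add 'cache' first")
    elif sources[0] != "cache":
        problems.append("'cache' should be the first source")
    if "local" not in sources:
        problems.append("'local' missing: local SAM accounts not resolved locally")
    matched = next((n for n, v in RECOMMENDED.items() if " ".join(sources) == v), None)
    return problems, matched

# Constructed sample configs: the first sends every lookup to the domain,
# the second is the reply's suggested setting for a domain member.
WEAK_CONF = "passwd: files db\ngroup: files db\ndb_enum: alltrusted\n"
FIXED_CONF = "passwd: files db\ngroup: files db\ndb_enum: cache local primary builtin  # per the list reply\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        problems, matched = audit_db_enum(conf)
        print(name, "->", problems or "no problems", "| matches:", matched)
```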