To: cygwin@cygwin.com
From: Andrew Schulman
Subject: Re: thousands of NTLM requests per day
Date: Fri, 03 Mar 2017 14:50:00 -0000
References: <1436100995.20170228193004@yandex.ru>

> Greetings, Andrew Schulman!
>
> > I got a call from our domain admins, asking me if I knew why my Windows 7
> > host would be sending many thousands of NTLMv1 authentication requests per
> > day. I don't know, and we're still trying to find out which application is
> > doing that, but here's what I wonder:
> >
> > Could Cygwin be responsible for the authentication requests? I wonder about
> > this because Cygwin now queries Windows for user and group information that
> > used to be kept statically in /etc/passwd and /etc/group.
>
> Do you use cygserver? If not, try to set it up, it should help with domain
> information caching. If the problem you observe is caused by Cygwin activity,
> you should see a decrease in such requests.

Thanks for the suggestion, Andrey. I'll keep it in mind for next time.

For the archive, this problem was unrelated to Cygwin. Jeffrey Altman answered offline that "NTLM requests will be sent from the svchost.exe service when a remote desktop connection is initiated." So I looked into the Nomachine NX service that was running on my host, and found that it was responsible. I disabled the service and the requests stopped.

So, not a Cygwin problem. Sorry for the noise, and thanks for the help.

Andrew