LinuxQuestions.org
Old 03-06-2013, 03:41 PM   #1
Enochs
Member
 
Registered: Jun 2007
Location: Georgia
Distribution: Fedora
Posts: 50

Rep: Reputation: 17
Kill guest account's network access.


I have a Red Hat Enterprise Linux file server (Samba) running on a network governed by a Windows Domain Controller.

When I run my security scan tool, it finds that there is a 'guest' account with an active log-in shell. I need to disable this account's access.
I need to kill a networked guest account.

This guest account is NOT a local account on the Linux server so it's not listed in passwd/shadow. This prevents the normal usermod -L, or passwd -l, methods of disabling/locking an account. chsh results in an error saying use ypchsh but ypchsh can't see the domain (not sure why).

The only "guest" account in Active Directory (AD) is disabled. I even renamed it to guestX and did a gpupdate (no effect).

When I su - guest (using root) it logs me on as 'guest' and displays the message, "Found Windows ADS User: guest"

I tried to create a local 'guest' account (useradd) and then disable it but of course my system won't allow this because it already sees a guest account.

I tried userdel guest but it's not a local account so this fails as well.

Any suggestions would be greatly appreciated.

Last edited by Enochs; 03-07-2013 at 12:32 PM.
 
Old 03-06-2013, 04:48 PM   #2
Kustom42
Senior Member
 
Registered: Mar 2012
Distribution: Red Hat
Posts: 1,566

Rep: Reputation: 411
How are your systems using AD? Are you using pam_ldap? If so, how are you binding? This could be your anonymous bind account to query the DC from pam_ldap.
 
1 members found this post helpful.
Old 03-07-2013, 08:30 AM   #3
Enochs
Member
 
Registered: Jun 2007
Location: Georgia
Distribution: Fedora
Posts: 50

Original Poster
Rep: Reputation: 17
Using PAM

We are using samba with winbind.

Thank you for your help.

I was unaware there may be an anonymous bind account used by pam. If that's the case then I probably don't want to disable it. Do you have any idea how I could at least disable the account's default shell? The scan tool is not flagging the fact that I have a guest account, it's complaining because the account has its shell set to /bin/bash.

The other system accounts are all set to /sbin/nologin.

ypchsh command says that it can't change the shell because my "domain name is not set."
I typed: ypdomainname
System response: <none>

I typed: sysctl -w kernel.domainname=mydomain
System response: kernel.domainname = mydomain

I typed: ypdomainname
System response: mydomain

Now when I run ypchsh it balks with a new complaint: Can't find the master ypserver: Internal NIS error

In the /etc/samba/smb.conf file:
Changing the default login won't work because we need the other users to default to bash.
Installing IDMU and then adding the following line to the global section of smb.conf sounds like it is the best solution if you have many systems to update: "winbind nss info = rfc2307"
I was about to do just that (install IDMU and add "winbind nss info = rfc2307" to the smb.conf file) when I saw another post where someone suggested the fix below.

***** UPDATE *****

SOLVED!

getent passwd guest >> passwd

The 'useradd' command fails because the system sees that the guest account already exists but the 'getent' command gets the job done.

The 'getent' command is safer than attempting to manually add 'guest' to the local passwd file. The 'getent' command ensures that you get the correct user and group IDs and it also saw that my guest account had been renamed guestX in Active Directory. I changed the name to guestX (in Active Directory) in a vain attempt to make the guest account appear not to exist but samba had already mapped it in its own db, therefore this had no effect. The 'getent' command saw the Active Directory name (guestX) and samba name (guest mapped to system account 'nobody') and made the proper entry in the local passwd file.

Now that the 'getent' command has pulled all the correct settings into the passwd file, I have total control using the normal methods. I can now lock the account or in my case, simply change the login shell to /sbin/nologin. This made my vulnerability scanner (& me) happy!

Thanks,

Last edited by Enochs; 03-07-2013 at 12:33 PM.
 
1 members found this post helpful.
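
An added example (not part of the original posts): a shell audit for the condition the scanner reported in this thread, an account that NSS resolves with an interactive shell but that has no entry in the local passwd file. The function name `audit_passwd`, the list of non-login shells, and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Shells treated as non-interactive (assumption; extend for your site).
NOLOGIN_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false"

# audit_passwd RESOLVED LOCAL
#   RESOLVED: passwd-format lines, e.g. saved from `getent passwd guest`
#   LOCAL:    the local passwd file (normally /etc/passwd)
# Prints "name:uid:shell:source" for each account with a login shell;
# source is "local" if the name is in LOCAL, otherwise "remote".
audit_passwd() {
    awk -F: -v nologin="$NOLOGIN_SHELLS" '
        BEGIN { n = split(nologin, s, " "); for (i = 1; i <= n; i++) deny[s[i]] = 1 }
        FILENAME == ARGV[1] { local_user[$1] = 1; next }   # LOCAL is read first
        NF >= 7 {
            sh = ($7 == "") ? "/bin/sh" : $7    # empty shell field means /bin/sh
            if (sh in deny) next
            src = ($1 in local_user) ? "local" : "remote"
            print $1 ":" $3 ":" sh ":" src
        }
    ' "$2" "$1"
}

# Constructed sample data (not taken from the thread's server).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/local" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
EOF
    cat > "$tmp/resolved" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
guest:*:16777216:16777217:Guest:/home/EXAMPLE/guest:/bin/bash
EOF
    # Remote accounts with a login shell cannot be fixed with usermod or chsh.
    audit_passwd "$tmp/resolved" "$tmp/local" | grep ':remote$'
    rm -rf "$tmp"
}

demo   # prints: guest:16777216:/bin/bash:remote
```

On a live host, save the `getent passwd <name>` output for the accounts of interest and pass it together with /etc/passwd. Assuming nsswitch.conf consults `files` before `winbind`, a local entry with /sbin/nologin takes precedence and the account drops out of the report.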
  

