-   Linux - Security (
-   -   Kill guest account's network access. (

Enochs 03-06-2013 03:41 PM

Kill guest account's network access.
I have a Red Hat Enterprise Linux file server (Samba) running on a network governed by a Windows Domain Controller.

When I run my security scan tool, It finds that there is a 'guest' account with an active log-in shell. I need to disable this account's access.
I need to kill a networked guest account.

This guest account is NOT a local account on the Linux server so it's not listed in passwd/shadow. This prevents the normal usermod -L, or passwd -l, methods of disabling/locking an account. chsh results in an error saying use ypchsh but ypchsh can't see the domain (not sure why).

The only "guest" account in Active Directory (AD) is disabled. I even renamed it to guestX and did a gpudate (no affect).

When I su - guest (using root) it logs me on as 'guest' and displays the message, "Found Windows ADS User: guest"

I tried to create a local 'guest' account (useradd) and then disable it but of course my system won't allow this because it already sees a guest account.

I tried userdel guest but it's not a local account so this fails as well.

Any suggestions would be greatly appreciated.

Kustom42 03-06-2013 04:48 PM

How are your systems using AD? Are you using pam_ldap? if so how are you binding? This could be your anonymous bind account to query the DC from pam_ldap.

Enochs 03-07-2013 08:30 AM

Using PAM
We are using samba with winbind.

Thank you for your help.

I was unaware there may be an anonymous bind account used by pam. If that's the case then I probably don't want to disable it. Do you have any idea how I could at least disable the accounts default shell? The scan tool is not flagging the fact that I have a guest account, it's complaining because the account has it's shell set to /bin/bash.

The other system accounts are all set to /sbin/nologin.

ypchsh command says that it can't change the shell because my "domain name is not set."
I typed: ypdomainname
System response: <none>

I typed: sysctl -w kernel.domainname=mydomain
SYStem response: kernel.domainname = mydomain

I typed: ypdomainname
System response: mydomain

Now when I run ypchsh it balks with a new complaint: Can't find the master ypserver: Internal NIS error

in the /etc/samba/smb.conf file:
changing the default login won't work because we need the other users to default to bash.
Instlling IDMU and then adding the following line to the global section of smb.conf sounds like it is the best solution if you have many systems to update: "winbind nss info = rfc2307"
I was about to do just that (Install IMDU and add "winbind nss info = rfc2307" to smb.conf file) when I saw another post where someone suggested the fix below.

***** UPDATE *****


getent passwd guest >> passwd

The 'useradd' command fails because the system sees that the guest account already exists but the 'getent' command gets the job done.

The 'getent' command is safer than attempting to manually add 'guest' to the local passwd file. The 'getent' command ensures that you get the correct user and group Ids and it also saw that my guest account had been renamed guestX in active directory. I changed the name to guestX (in Active Directory) in a vain attempt to make the guest account appear not to exist but samba already had a mapped it in its own db, therefore this had no affect. The 'getent' command saw the Active directory name (guestX) and samba name (guest mapped to system account 'nobody') and made the proper entry in the local passwd file.

Now that the 'getent' command has pulled all the correct settings into the passwd file, I have total control using the normal methods. I can now lock the account or in my case, simply change the login shell to /sbin/noligin. This made my vulnerability scanner (& me) happy!


All times are GMT -5. The time now is 02:14 AM.