X-Recipient: archive-cygwin@delorie.com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org A3ED83858D3C
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1674415493;
	bh=zRC+8J5xPyUHsbp2An1mBh0feRIG6DCc/TFwCuEzhaI=;
	h=Date:Subject:To:References:In-Reply-To:List-Id:List-Unsubscribe:
	 List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:
	 From;
	b=oCJ0Y5z7Fg1AmQ4GhQH+HrU4Xt9oNa3XfTR/SRyqav/D3fMD3f/v1NUo2Pk5YZ/ws
	 6uzBHC61wWfArHJcfSflN/Qt5zeKy018X4CYFXrHQ/pBWG0LWxzpcVSWC70eTx80d9
	 fABJ5hrvc9X6tb7syl91xAf3NeM3CYpvg2xDp5ck=
X-Original-To: cygwin@cygwin.com
Delivered-To: cygwin@cygwin.com
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org E52AB3858D32
X-Authority-Analysis: v=2.4 cv=XZqaca15 c=1 sm=1 tr=0 ts=63cd8d75
 a=oHm12aVswOWz6TMtn9zYKg==:117 a=oHm12aVswOWz6TMtn9zYKg==:17
 a=IkcTkHD0fZMA:10 a=w_pzkKWiAAAA:8 a=pwQImH5TsvjknzEehgIA:9 a=QEXdDO2ut3YA:10
 a=1GC6jfdrRcYA:10 a=tMEb2zx2yS8A:10 a=daI9ojH3vpgA:10 a=rFA1MAFG28cA:10
 a=sRI3_1zDfAgwuvI8zelB:22
Message-ID: <4cf463fc-38a2-0dd2-7bea-c7293abbd754@Shaw.ca>
Date: Sun, 22 Jan 2023 12:24:36 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.6.1
Subject: Re: observation: masses of requests to LDAP
Content-Language: en-CA
To: cygwin@cygwin.com
References: <ae73845c-b970-37ab-f429-65b15cf8540c@tu-dortmund.de>
Organization: Inglis
In-Reply-To: <ae73845c-b970-37ab-f429-65b15cf8540c@tu-dortmund.de>
X-CMAE-Envelope: MS4xfDEFbYy0FylZTkxTTtYTfzgt98cCLcZuOptqof/tRmlYE5UgPGkExVJ5bj/Fhr5IB7c89ofCGFvzx3hthupBdmhK/5XrVGAt4/upNgjssaFHJTB2zL5m
 xj+utU5O4+7rhrsjJsyXr+DSWPYqElLkpi4vVKxfokRN/j/maW3NnkgFywGJPY9yMV9xIyMopjZhyV9Lv3073xsbLy1O9mesm/0j795mqkaiprhYirT9OXmU
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, NICE_REPLY_A, SPF_HELO_NONE,
 SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
 server2.sourceware.org
X-BeenThere: cygwin@cygwin.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
 <mailto:cygwin-request@cygwin.com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-request@cygwin.com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request@cygwin.com?subject=subscribe>
From: Brian Inglis via Cygwin <cygwin@cygwin.com>
Reply-To: cygwin@cygwin.com
Cc: Brian Inglis <Brian.Inglis@Shaw.ca>,
        Tobias Wendorff <tobias.wendorff@tu-dortmund.de>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: cygwin-bounces+archive-cygwin=delorie.com@cygwin.com
Sender: "Cygwin" <cygwin-bounces+archive-cygwin=delorie.com@cygwin.com>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by delorie.com id 30MJPITq022836

On 2023-01-22 07:32, Tobias Wendorff via Cygwin wrote:
> our IT department has informed me that masses of requests are being sent from my 
> computer to our two LDAP servers on port 389. After a detailed investigation, 
> the problem could be clearly traced back to "cygwin".

That is required for Cygwin to emulate POSIX permissions and ACLs: see security 
and domain info in:

/usr/share/doc/cygwin-doc/html/cygwin-ug-net/cygwin-ug-net.html
/usr/share/doc/cygwin-doc/cygwin-ug-net.pdf

or the equivalant online docs:

https://cygwin.com/cygwin-ug-net.html
https://cygwin.com/cygwin-ug-net/cygwin-ug-net.html
https://cygwin.com/cygwin-ug-net/cygwin-ug-net.pdf
https://cygwin.com/faq.html

Your IT folks could contact peers at Aachen, Bochum, Dresden, Esslingen, FAU who 
provide Cygwin mirrors, probably use it in courses, and have experience with it; 
see:
	https://cygwin.com/mirrors.html

> Firewall logs show that about any tool, even base tools "sort" or "less", 
> initiates a request to port 389 on our LDAP servers.

Each process needs access to your credentials, groups, and memberships, and 
pulls them for domain accounts on domain members.

> Sorry, I am _not_ going to release "cygcheck.out" to public, since it contains 
> sensitive information about the domain and its groups and memberships.

It is acceptable to anonymize or summarize information in cygcheck output.
In this case, counts of ids, groups, and memberships might help.

> Even after reinstalling cygwin from another server, the problem still appears. 
> Could it be that this is part of an attack?

Definitely not, this is normal behaviour.

Your first step should be to run cygserver to cache SAM and AD info on each 
system using cygwin on domain members.

Your second step should be to review /etc/nsswitch.conf settings for searching 
and possibly set:

	db_enum: cache local primary builtin

or maybe:

	db_enum: cache local primary alltrusted

or if connecting from home maybe:

	db_enum: cache local primary domain.tld

Check the mainling list archives for previous posts about domain settings.

-- 
Take care. Thanks, Brian Inglis			Calgary, Alberta, Canada

La perfection est atteinte			Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter	not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer	but when there is no more to cut
			-- Antoine de Saint-Exupéry

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple