X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:to:from:subject:date:message-id:references
	:mime-version:content-type:content-transfer-encoding; q=dns; s=
	default; b=NYHhN8ieTwx1a5/g1+ReAJ1O734rhdmw1h6ciCOLRGZtdVgKukdea
	EAqM6x6C/AejjCEKyBqjxC+2Wb03ovE5J/uvI6QAo9Wqp2+kwxAsEimktlskHfx5
	f7wDp28vWy97Jdg8xfKcXrTlF6t5tJqjH9Wxc5kddCHT0YaPffO8M8=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:to:from:subject:date:message-id:references
	:mime-version:content-type:content-transfer-encoding; s=default;
	 bh=KyI+8I/x4KmHEsYXWLN46jgHU0s=; b=rcCQOS0prniidgJ//9rL1/jVkbAs
	6EXOwqbN6/2CrkZy2RcTY67g8c9sujAtAz72HwmNK15j5Q1ALt6c0CKGMhRVQQQf
	AbpEeSMpX/+F6M0V4eLlgN3FcPbwcdYU811POsEoe0JNZpM+q7BisvNGrP2mcCEV
	hNRvOk8XPJ2UeCk=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-0.9 required=5.0 tests=BAYES_00,KAM_LAZY_DOMAIN_SECURITY autolearn=no version=3.3.2 spammy=H*Ad:D*gov, H*r:Unknown, our, initiated
X-HELO: blaine.gmane.org
To: cygwin AT cygwin DOT com
From: Andrew Schulman <schulman DOT andrew AT epa DOT gov>
Subject: Re: thousands of NTLM requests per day
Date: Fri, 03 Mar 2017 09:50:11 -0500
Lines: 26
Message-ID: <hd0jbc1eh0mfu65gijkhjntau70oh4ajvf@4ax.com>
References: <bi4bbc1qpuhhp2pquc9ui5kfp74jj9n42b AT 4ax DOT com> <1436100995 DOT 20170228193004 AT yandex DOT ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Archive: encrypt
X-IsSubscribed: yes

> Greetings, Andrew Schulman!
> 
> > I got a call from our domain admins, asking me if I knew why my Windows 7
> > host would be sending many thousands of NTLMv1 authentication requests per
> > day. I don't know, and we're still trying to find out which application is
> > doing that, but here's what I wonder:
> 
> > Could Cygwin be responsible for the authentication requests? I wonder about
> > this because Cygwin now queries Windows for user and group information that
> > used to be kept statically in /etc/passwd and /etc/group.
> 
> Do you use cygserver ? If not, try to set it up, it should help with domain
> information caching. If the problem you observe is caused by Cygwin activity,
> you should see a decrease in such requests.

Thanks for the suggestion, Andrey. I'll keep it in mind for next time.

For the archive, this problem was unrelated to Cygwin. Jeffrey Altman answered
offline that "NTLM requests will be sent from the svchost.exe service when a
remote desktop connection is initiated." So I looked into the Nomachine NX
service that was running on my host, and found that it was responsible. I
disabled the service and the requests stopped.

So, not a Cygwin problem. Sorry for the noise, and thanks for the help.

Andrew


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple