public inbox for linux-audit@redhat.com
* missing user name
@ 2012-07-31 19:06 Harris, Todd
  2012-07-31 19:16 ` Saunders, Thomas D. II
  2012-08-03 19:14 ` Steve Grubb
  0 siblings, 2 replies; 6+ messages in thread
From: Harris, Todd @ 2012-07-31 19:06 UTC (permalink / raw)
  To: linux-audit@redhat.com



I'm looking at a problem that has me really scratching my head.

I've got a RHEL 5.4 system that's using Likewise and Active Directory to authenticate users, at least ones that are not defined locally.  Locally defined users work just fine, but any user that is defined in the Active Directory server is showing up in events as "unknown(uid)".  The uid appears to be filled out correctly, and if the user is defined locally as well as in Active Directory it works just fine, but that kind of defeats the purpose.  Also failed logins are showing up correctly, but I can't figure out what they have done to their system to cause this.  Can anyone give me a little direction on where I should look to determine what's actually going on?  I haven't been able to determine how the system actually resolves the user names.

Don't know if this is important, but we are using the prelude plugin, and where we notice the discrepancy is in the output from the prelude-manager.  I have not looked to see if it's wrong in the aureords.

_______________________________
Todd Harris
Progeny Systems
Office Number: 703-368-6107 ext517




* RE: missing user name
  2012-07-31 19:06 missing user name Harris, Todd
@ 2012-07-31 19:16 ` Saunders, Thomas D. II
  2012-07-31 20:33   ` Harris, Todd
  2012-08-03 19:14 ` Steve Grubb
  1 sibling, 1 reply; 6+ messages in thread
From: Saunders, Thomas D. II @ 2012-07-31 19:16 UTC (permalink / raw)
  To: Harris, Todd, linux-audit



Are you using OpenLDAP to connect to MS AD servers?
 
Tom Saunders | SAIC
Senior Information Assurance & Security Engineer
phone: 540-653-0986 | fax 540-663-0640
mobile: 540-408-3087 | email: SaundersT@saic.com
SIPRnet: Thomas.D.Saunders@us.army.smil.mil
SIPRnet: Thomas.Saunders@navy.smil.mil

Science Applications International Corporation
SAIC
16442 Commerce Drive
King George, VA  22485

www.saic.com
 


* RE: missing user name
  2012-07-31 19:16 ` Saunders, Thomas D. II
@ 2012-07-31 20:33   ` Harris, Todd
  2012-08-01 12:30     ` Daniel J Walsh
  0 siblings, 1 reply; 6+ messages in thread
From: Harris, Todd @ 2012-07-31 20:33 UTC (permalink / raw)
  To: Saunders, Thomas D. II, linux-audit@redhat.com



We are using a product called Likewise, which was purchased by BeyondTrust.  I don't know if I mentioned it before, but the system works on the other RHEL nodes we have.


* Re: missing user name
  2012-07-31 20:33   ` Harris, Todd
@ 2012-08-01 12:30     ` Daniel J Walsh
  2012-08-01 15:10       ` Harris, Todd
  0 siblings, 1 reply; 6+ messages in thread
From: Daniel J Walsh @ 2012-08-01 12:30 UTC (permalink / raw)
  To: Harris, Todd; +Cc: Saunders, Thomas D. II, linux-audit@redhat.com


On 07/31/2012 04:33 PM, Harris, Todd wrote:
> We are using a product called Likewise, which was purchased by beyond
> trust.  I don't know if I mentioned it before but the system works on the
> other rhel nodes we have.
> 
> 
Any SELinux issues?

* RE: missing user name
  2012-08-01 12:30     ` Daniel J Walsh
@ 2012-08-01 15:10       ` Harris, Todd
  0 siblings, 0 replies; 6+ messages in thread
From: Harris, Todd @ 2012-08-01 15:10 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Saunders, Thomas D. II, linux-audit@redhat.com

SELinux is not running on any of these systems.


* Re: missing user name
  2012-07-31 19:06 missing user name Harris, Todd
  2012-07-31 19:16 ` Saunders, Thomas D. II
@ 2012-08-03 19:14 ` Steve Grubb
  1 sibling, 0 replies; 6+ messages in thread
From: Steve Grubb @ 2012-08-03 19:14 UTC (permalink / raw)
  To: linux-audit; +Cc: Harris, Todd

On Tuesday, July 31, 2012 03:06:44 PM Harris, Todd wrote:
> I'm looking at a problem that has me really scratching my head.
> 
> I've got a rhel 5.4 system that's using likewise and active directory to
> authenticate users, at least ones that are not defined locally.  Locally
> defined users work just fine, but any user that is defined in the active
> directory server is showing up in events as "unknown(uid)" the uid appears
> to be filled out correctly, and if the user is defined locally as well as
> in active directory it works just fine, but that kind of defeats the
> purpose.

Ausearch/report/libauparse all use the glibc function, getpwuid(). So, the 
names would need to be available via that function. That said, there are ways 
to hook it up so that it resolves with NSS or nscd. It would seem like more 
than just ausearch would have problems resolving user names since getpwnam and 
getpwuid are central to almost all Linux programs that display uid or names.


> Also failed logins are showing up correctly, 

This is because they are handled differently. They are in an acct field rather 
than auid field.

-Steve
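
The lookup path described in the reply above, as an added example that is not part of the thread or of the audit tools' own code: `render_uid()` resolves a uid through glibc's `getpwuid_r()` and falls back to the "unknown(uid)" text the thread reports, and `passwd_sources()` reads which NSS sources a `passwd:` line consults. The helper names and the `example_ad` module name are hypothetical, and the nsswitch.conf text is a constructed sample.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Name for uid via getpwuid_r(), or "unknown(uid)" when NSS has no entry. */
const char *render_uid(uid_t uid, char *out, size_t outlen)
{
    struct passwd pw, *res = NULL;
    char buf[16384];
    if (getpwuid_r(uid, &pw, buf, sizeof buf, &res) == 0 && res != NULL)
        snprintf(out, outlen, "%s", res->pw_name);
    else
        snprintf(out, outlen, "unknown(%lu)", (unsigned long)uid);
    return out;
}

/* Copy the sources on the "passwd:" line into out; return 1 if found. */
int passwd_sources(const char *conf, char *out, size_t outlen)
{
    for (const char *p = conf; p && *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        while (len && (*p == ' ' || *p == '\t')) { p++; len--; }
        if (len >= 7 && strncmp(p, "passwd:", 7) == 0) {
            p += 7; len -= 7;
            while (len && (*p == ' ' || *p == '\t')) { p++; len--; }
            const char *hash = memchr(p, '#', len);  /* strip comment */
            if (hash) len = (size_t)(hash - p);
            while (len && (p[len - 1] == ' ' || p[len - 1] == '\t')) len--;
            snprintf(out, outlen, "%.*s", (int)len, p);
            return 1;
        }
        p = eol ? eol + 1 : NULL;
    }
    out[0] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample; "example_ad" is a hypothetical NSS module name. */
    const char *sample = "passwd: files example_ad\ngroup: files\n";
    char src[128], name[64];
    passwd_sources(sample, src, sizeof src);
    printf("passwd sources: %s\n", src);
    printf("uid %lu -> %s\n", (unsigned long)getuid(), render_uid(getuid(), name, sizeof name));
    return 0;
}
```

If `render_uid()` prints "unknown(...)" for a directory user's uid while the `passwd:` line lists only `files`, the directory source is not wired into NSS on that host.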
