Subject: (no subject)
From: Marc J. Miller (itlm019@mailbox.ucdavis.edu)
Date: Fri Nov 10 2000 - 06:22:11 EST
I asked my department to help me with a log test (I'm building a log parser
which will generate statistics we need for reports to get our funding from
tax dollars). Some of them got a bit creative yesterday.
Nov 8 13:42:55 lm-linux2 afpd[27166]: ASIP session:548(2) from 169.237.151.144: 49176(0)
Nov 8 13:42:55 lm-linux2 afpd[27166]: dhx login: itlm081
Nov 8 13:42:55 lm-linux2 afpd[27166]: logout itlm081
Nov 8 13:42:55 lm-linux2 afpd[27166]: 0.10KB read, 0.12KB written
Nov 8 13:42:55 lm-linux2 afpd[26226]: server_child[1] 27166 done
At a glance, it probably looks pretty normal, so compare to this normal login:
Nov 8 14:56:03 lm-linux2 afpd[27255]: ASIP session:548(2) from 169.237.151.144: 49156(0)
Nov 8 14:56:03 lm-linux2 afpd[27255]: dhx login: itlm081
Nov 8 14:56:03 lm-linux2 afpd[27255]: login itlm081 (uid 1457, gid 20)
Nov 8 14:56:10 lm-linux2 afpd[27255]: logout itlm081
Nov 8 14:56:10 lm-linux2 afpd[27255]: 2.64KB read, 17.44KB written
Nov 8 14:56:10 lm-linux2 afpd[26226]: server_child[1] 27255 done
In short, the line "dhx login:" appears whenever a login is attempted. It
shows that the login data is being sent to the Diffie-Hellman eXchange UAM.
The "login itlm081" shows that itlm081 successfully logged in. Right below
that is the logout. In the first log segment above, there is a logout
without a login. I called him up and had him go through the same steps
today, but we couldn't reproduce it. I went looking for where afp_logout()
might be called by mistake & found that it only runs if the Mac client
tells it to run. If it wasn't for the "logout" statement, I'd think it was
a failed login plain & simple like this one:
Nov 8 13:42:31 lm-linux2 afpd[27160]: ASIP session:548(2) from 169.237.151.144: 49170(0)
Nov 8 13:42:31 lm-linux2 afpd[27160]: dhx login: itlm110
Nov 8 13:42:33 lm-linux2 afpd[27160]: 0.18KB read, 0.13KB written
Nov 8 13:42:33 lm-linux2 afpd[26226]: server_child[1] 27160 done
Ideas?
============================================================
/\/\arc ._|. /\/\iller (itlm019@mailbox.ucdavis.edu)
Computer Room Consultant
Information Technology/Lab Management
============================================================
I can be contacted through the Communication Center link from
http://www.mother.com/~mjmiller/
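
An added example, not part of the original post: one way to automate the comparison described above, grouping afpd lines by child PID and flagging a "logout" that was never preceded by a "login user (uid ...)" line. The verdict names and the assumption that each child PID appears only once in the log window are this example's own; the sample lines are a subset of those in the post, with the wrapped lines rejoined.

```python
import re

# Subset of the log lines from the post, wrapped lines rejoined.
SAMPLE = """\
Nov 8 13:42:55 lm-linux2 afpd[27166]: ASIP session:548(2) from 169.237.151.144: 49176(0)
Nov 8 13:42:55 lm-linux2 afpd[27166]: dhx login: itlm081
Nov 8 13:42:55 lm-linux2 afpd[27166]: logout itlm081
Nov 8 13:42:55 lm-linux2 afpd[27166]: 0.10KB read, 0.12KB written
Nov 8 14:56:03 lm-linux2 afpd[27255]: ASIP session:548(2) from 169.237.151.144: 49156(0)
Nov 8 14:56:03 lm-linux2 afpd[27255]: dhx login: itlm081
Nov 8 14:56:03 lm-linux2 afpd[27255]: login itlm081 (uid 1457, gid 20)
Nov 8 14:56:10 lm-linux2 afpd[27255]: logout itlm081
Nov 8 13:42:31 lm-linux2 afpd[27160]: ASIP session:548(2) from 169.237.151.144: 49170(0)
Nov 8 13:42:31 lm-linux2 afpd[27160]: dhx login: itlm110
"""

# Captures (pid, message) from each afpd syslog line; other lines are skipped.
LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ afpd\[(\d+)\]: (.*)$", re.M)
EVENTS = [
    ("session", re.compile(r"^ASIP session:\d+\(\d+\) from ([\d.]+):")),
    ("attempt", re.compile(r"^\w+ login: (\S+)$")),  # e.g. "dhx login: user"
    ("login", re.compile(r"^login (\S+) \(uid \d+, gid \d+\)$")),
    ("logout", re.compile(r"^logout (\S+)$")),
]

def verdict(seen):
    """Classify one child's ordered list of event names."""
    if "logout" in seen and "login" not in seen[:seen.index("logout")]:
        return "logout-without-login"  # the odd case from the post
    if "login" in seen:
        return "ok" if "logout" in seen else "no-logout"
    return "failed-login" if "attempt" in seen else "no-auth"

def classify(text):
    """Return {pid: (user, verdict)}, grouping lines by afpd child PID."""
    state = {}
    for pid, msg in LINE.findall(text):
        for name, rx in EVENTS:
            hit = rx.match(msg)
            if hit:
                s = state.setdefault(pid, {"user": None, "seen": []})
                if name != "session":  # session lines carry an IP, not a user
                    s["user"] = hit.group(1)
                s["seen"].append(name)
                break
    return {pid: (s["user"], verdict(s["seen"])) for pid, s in state.items()}

if __name__ == "__main__":
    for pid, (user, v) in classify(SAMPLE).items():
        print(pid, user, v)
```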