Security Aspects of NFAUUser Object

  • 7001607
  • 10-Oct-2008
  • 26-Apr-2012

Environment

Novell NetWare 5.1
Novell NetWare 6.0
Novell NFS Services 3.0
Novell Native File Access for Unix

Situation

Security Aspects of NFAUUser Object

Resolution

With the release of Novell NFS 3.0 SP3a, Novell Native File Access UNIX for NetWare 5.1 SP1 (also known as NFAP 1.0 SP1), and NetWare 6 SP1, the NFAUUser object was added to the NFS schema. This object is used internally to manage eDirectory operations on behalf of NFS / NFAU.

The NFAUUser object is created with a security equivalence to the admin user. However, restrictions placed on this object prevent it from being easily accessed as an admin equivalent. First, the object has a network address restriction set, so that authentication can only be done from the IP address of the NetWare server. Also, when the NFAUUser object is created (during NFS / NFAU install), a dynamic algorithm is used to set the password.

So to authenticate as NFAUUser, one would need to attempt to log in from the same IP address as the NetWare server and know the password that was set during the install. Because the password is set dynamically, it would be a non-trivial effort to determine what it is.

Additional Information

Formerly known as TID# 10080607