Security Aspects of NFAUUser Object

  • 7001607
  • 10-Oct-2008
  • 26-Apr-2012

Environment

Novell NetWare 5.1
Novell NetWare 6.0
Novell NFS Services 3.0
Novell Native File Access for Unix

Situation

Security Aspects of NFAUUser Object

Resolution

With the release of Novell NFS 3.0 SP3a, Novell Native File Access UNIX for NetWare 5.1 SP1 (also known as NFAP 1.0 SP1), and NetWare 6 SP1, the NFAUUser object was added to the NFS schema. This object is used internally to manage eDirectory operations on behalf of NFS / NFAU.

The NFAUUser object is created with a security equivalance to the admin user. However, restrictions placed on this object prevent it from being easily accessed as an admin equivalent. First, one of the properties on this object is that it has a network address restriction set, so that authentication can only be done from the IP address of the NetWare server.  Also, when the NFAUUser object is created (during NFS / NFAU install) a dynamic algorithm is used to set the password. 

So to authenticate as NFAUUser, one would need to attempt to login from the same IP address as the NetWare server, and know the password which was set during the install. As the password gets set dynamically, it would be a non-trivial effort to determine what it is.

Additional Information

Formerly known as TID# 10080607

Feedback service temporarily unavailable. For content questions or problems, please contact Support.