Putting an “*” in username field brings up a list of all AD user accounts!!!!

  • #372293
    rkurczynski
    Participant

    We have been using the golden triangle for about three years now. Just recently we had a security issue where users logged into an account they should not have been in. While observing the user with ARD we noticed he put an asterisk (*) in the Username box, hit login and was quite surprised when a complete list of AD users appeared. We have tried speaking with reps from Apple, other companies and several Mac-Windows forums. I’m hoping someone can tell me there is a fix for this. The result led to an arrest of that user. My superiors are not taking this lightly. Comments have even been made to let Macs be Macs and remove the AD plug-in. Any help or direction would be greatly appreciated.
    Thanks
    Bob

    #372308
    rkurczynski
    Participant

    Yes this is at the login window that the list appears, put an * in the username field and click log on and wait a few seconds.
    Mac OS X versions 10.4.8-10.4.11 and 10.5.2. We researched a database of the account that was being used and it goes back over two years. We are pretty sure this has been a problem for a while, back then we were using 10.3 clients as well, have not verified on 10.3.x clients yet. Have not seen one it doesn’t act up on when the AD plug-in is being used. No I have not sent in a security bug. Can you direct me where?
    Thanks
    Bob

    #372330
    slb
    Participant

    It does not happen on our AD network.
    Are you sure it’s not a config issue on the back-end?

    SB

    #372343
    rkurczynski
    Participant

    Josh and SLB,
    Thank you both for posting replies. Josh, are you able to replicate this problem on your setup? SLB, are you using Apple’s AD plug-in? Are you both using the golden triangle setup? If SLB is, hopefully we can find a difference between our configs. Thank you for any input.

    #372383
    dom9inic
    Participant

    Hi there,

    I’ll add myself as getting the same behaviour, a whole list of AD users.

    Setup:

    Magic Triangle
    10.4.11 ODM Server
    AD 2000 environment
    10.4.11 Client

    Not a good thing.

    #372478
    aaronevans
    Participant

    Add us to the list also.

    Magic triangle
    Windows 2003 SP2 ADM
    OS X 10.4.9 ODM
    OS X 10.4.11 Client

    #372480
    aaronevans
    Participant

    Quote by: MacTroll
    “So… you’re seeing the whole list of users, but are you able to authenticate without a password as one of those users?”

    Seeing a majority of AD users but not the whole list of AD accounts. I can’t authenticate without a password. Testing to see what determines the users in the list.

    #372496
    rkurczynski
    Participant

    We are not getting a TGT. If you do not put in a password, it does not let you in. As far as the list of “1000” users showing up, this is a setting in AD schema. We have changed that setting in the past so on Workgroup Manager we can view all users in our list. I feel this list showing up can be controlled with a line added to the active directory plug-in on the clients, however, I do not know how to modify. We are able to minimise the list down to two users only showing up, by modifying the “LDAPAdminLimits” setting to 1 on our Active Directory Server. Seemed like a great fix until group policy broke. I’m hoping someone can help me add this setting to the Active Directory plist on the actual OS X clients that will tell the client to list none. Please help. Thanks
    Bob

    #373020
    macmattias
    Participant

    I get the same behavior with an AD2008 in the top and 10.5.2 bound clients.
    But I cannot login without the users password.

    And I cannot double click on a user to get in. I still need the password.
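Added example, not from any poster in this thread and not Apple's plug-in code: the listing reported above is what a directory lookup returns when a typed `*` reaches an LDAP search filter as a wildcard instead of a literal character. The sketch below escapes the typed name per RFC 4515 and compares both filters against a constructed three-entry directory; that the login window builds its lookup this way, and the use of the `sAMAccountName` attribute, are assumptions.

```python
import re

# RFC 4515 section 3: these characters must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Return value with LDAP filter metacharacters escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(username: str, escape: bool = True) -> str:
    """Build the lookup filter; escape=False mimics passing the input through raw."""
    value = escape_filter_value(username) if escape else username
    return f"(sAMAccountName={value})"

def _value_to_regex(value: str) -> "re.Pattern[str]":
    # Toy evaluator: '*' is a wildcard, '\XX' is one literal byte, the rest is literal.
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            out.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(value[i]))
            i += 1
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)

def search(directory, ldap_filter: str):
    """Evaluate a single (attr=value) filter against a list of dict entries."""
    attr, value = ldap_filter[1:-1].split("=", 1)
    pattern = _value_to_regex(value)
    return [e[attr] for e in directory if pattern.fullmatch(e[attr])]

# Constructed sample directory, not real accounts.
DIRECTORY = [
    {"sAMAccountName": "jsmith"},
    {"sAMAccountName": "jdoe"},
    {"sAMAccountName": "akhan"},
]

if __name__ == "__main__":
    for typed in ("jsmith", "*"):
        raw = search(DIRECTORY, build_filter(typed, escape=False))
        safe = search(DIRECTORY, build_filter(typed))
        print(f"typed={typed!r} raw={raw} escaped={safe}")
```

With escaping applied, a typed `*` only matches an account literally named `*`, so the lookup returns nothing instead of the directory listing.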
