Date: Thu, 31 Aug 2006 16:43:00 -0000
From: Corinna Vinschen
To: cygwin@cygwin.com
Subject: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
Message-ID: <20060831161354.GR20467@calimero.vinschen.de>
In-Reply-To: <44F5FD93.1020503@asperasoft.com>

On Aug 30 14:05, Serban Simu wrote:
> So my questions would be:
>
> (1) I did find a work around, but what is the explanation of this
> problem and what is a good, solid work around?

After some debugging I found that the explanation is that sshd drops
all supplementary groups from the otherwise privileged user token. This
results in a minimized user token when calling initgroups, which in turn
calls NetUserGetGroups, which in turn returns "Access denied".

The solution is to drop back to the original process token before
calling NetUserGetGroups from initgroups.
I've checked in a patch which should be available in the next developers
snapshot from http://cygwin.com/snapshots/

A solid workaround if you're trying to get the same with the current
Cygwin: Add all users which want to log in this way to the gr_mem field
of the appropriate groups in /etc/group. In your example case, it would
look like this:

  Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:test1

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
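
Added example, not part of the original message or of Cygwin itself: a small shell helper for the /etc/group workaround described above, which checks and idempotently extends the gr_mem field of one group. The function names and the second sample group (with its SID) are constructed for illustration; run it against a copy of /etc/group and review the output before replacing the real file.

```shell
#!/bin/sh
# /etc/group layout: name:passwd:gid:gr_mem  (gr_mem = comma-separated users;
# in the message's example the second field carries the group SID).
# Values are passed through the environment so awk does not expand backslashes.

# Constructed sample: the line from the message plus one made-up empty group.
sample_group_file() {
    cat <<'EOF'
Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:test1
Example Group:S-1-5-21-0-0-0-9999:19999:
EOF
}

# in_gr_mem FILE GROUP USER: exit 0 only on an exact member match
# (so "test1" does not match "test" or "test10").
in_gr_mem() {
    GRP="$2" USR="$3" awk -F: '
        $1 == ENVIRON["GRP"] {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == ENVIRON["USR"]) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# add_gr_mem FILE GROUP USER: print FILE with USER appended to GROUP's gr_mem.
# Lines for other groups, and a group that already lists USER, pass unchanged.
add_gr_mem() {
    GRP="$2" USR="$3" awk -F: -v OFS=: '
        $1 == ENVIRON["GRP"] {
            n = split($4, m, ","); present = 0
            for (i = 1; i <= n; i++) if (m[i] == ENVIRON["USR"]) present = 1
            if (!present) $4 = ($4 == "" ? ENVIRON["USR"] : $4 "," ENVIRON["USR"])
        }
        { print }' "$1"
}
```
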