* 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
@ 2006-08-30 21:55 Serban Simu
2006-08-30 22:12 ` Larry Hall (Cygwin)
2006-08-31 16:43 ` Corinna Vinschen
From: Serban Simu @ 2006-08-30 21:55 UTC (permalink / raw)
To: cygwin
I did notice a number of postings around this subject, but couldn't see
a resolution (Corinna answered a Feb '06 posting by Dave Perdue that the
problem should be fixed in 1.5.20, which is why I'm reposting for 1.5.21).
I am exclusively using password auth (and am aware of the pubkey auth
limitations).
The basic setup is a Win 2003 R2 standard server, member of a domain
(machine name is SM2WIN2003 and domain is OFFICE). Installed 1.5.21 and
ran ssh-host-config. All goes well and I have sshd service running as
local user sshd_server.
Then ran mkpasswd and mkgroup:
mkpasswd -l > /etc/passwd
mkpasswd -d >> /etc/passwd (I only have one domain, so this is the same
as mkpasswd -d OFFICE)
mkgroup -l > /etc/group
mkgroup -d >> /etc/group
If I ssh as a local user "local1", Windows whoami returns sm2win2003\local1
If I ssh as domain user "test1", Windows whoami returns
sm2win2003\sshd_server (BAD)
If I strip the /etc/group file to only:
SYSTEM:S-1-5-18:18:
None:S-1-5-21-3712540747-3723856708-2352634044-513:513:
Domain Users:S-1-5-21-4293257363-1756470469-1603820055-513:10513:
Then ssh as domain user "test1", Windows whoami returns office\test1
(GOOD)
Now, I tried adding the minimum possible to /etc/group to create the
problem, so if I just add one line:
SYSTEM:S-1-5-18:18:
None:S-1-5-21-3712540747-3723856708-2352634044-513:513:
Domain Users:S-1-5-21-4293257363-1756470469-1603820055-513:10513:
Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:
Then ssh as domain user "test1", Windows whoami returns
sm2win2003\sshd_server (BAD)
My domain user test1 is a member of domain group Test Users.
So my questions would be:
(1) I did find a workaround, but what is the explanation of this
problem and what is a good, solid workaround?
(2) Is there a way and a plan to straighten out this behavior, and maybe
document the usage in Win 2003 domain environments? (I'm assuming that
most people would be interested in accessing network resources in Win
2003 domains, which is why this is a problem in the first place.)
Also, I believe that I didn't have this problem on older Win 2003
(before R2), but I no longer have a test setup to confirm it.
Attached is the full "whoami /all" output and cygcheck.out.
Thanks,
Serban Simu
[-- Attachment #2: whoami.out --]
[-- Type: text/plain, Size: 4936 bytes --]
#####################################
# LOGIN AS LOCAL USER local1 #
#####################################
C:\>ssh local1@192.168.3.54
local1@192.168.3.54's password:
local1@sm2win2003 ~$ C:/windows/system32/whoami /all
USER INFORMATION
----------------
User Name SID
================= ==============================================
sm2win2003\local1 S-1-5-21-3712540747-3723856708-2352634044-1009
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================ ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
======================= ======================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
local1@sm2win2003 ~
$ exit
logout
Connection to 192.168.3.54 closed.
#####################################
# LOGIN AS DOMAIN USER test1 #
#####################################
C:\>ssh test1@192.168.3.54
test1@192.168.3.54's password:
Last login: Wed Aug 30 11:43:21 2006 from 192.168.1.12
test1@sm2win2003 ~$ c:/windows/system32/whoami /all
USER INFORMATION
----------------
User Name SID
====================== ==============================================
sm2win2003\sshd_server S-1-5-21-4293257363-1756470469-1603820055-1125
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================ ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeSystemtimePrivilege Change the system time Enabled
SeShutdownPrivilege Shut down the system Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
test1@sm2win2003 ~
$ exit
logout
Connection to 192.168.3.54 closed.
[-- Attachment #3: cygcheck.out --]
[-- Type: text/plain, Size: 13870 bytes --]
Cygwin Configuration Diagnostics
Current System Time: Wed Aug 30 12:47:28 2006
Windows 2003 Server Ver 5.2 Build 3790 Service Pack 1
Cygwin DLL version info:
DLL version: 1.5.21
Service : sshd
Display name : CYGWIN sshd
Current State : Running
Controls Accepted : Stop
Command : /usr/sbin/sshd -D
stdin path : /dev/null
stdout path : /var/log/sshd.log
stderr path : /var/log/sshd.log
Environment : CYGWIN="ntsec"
Process Type : Own Process
Startup : Automatic
Dependencies : tcpip
Account : .\sshd_server
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
* Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
2006-08-30 21:55 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth) Serban Simu
@ 2006-08-30 22:12 ` Larry Hall (Cygwin)
2006-08-31 16:43 ` Corinna Vinschen
From: Larry Hall (Cygwin) @ 2006-08-30 22:12 UTC (permalink / raw)
To: cygwin
Serban Simu wrote:
> I did notice a number of postings around this subject, but couldn't see
> a resolution (Corinna answered a Feb '06 posting by Dave Perdue that the
> problem should be fixed in 1.5.20, which is why I'm reposting for 1.5.21).
>
> I am exclusively using password auth (and am aware of the pubkey auth
> limitations).
>
> The basic setup is a Win 2003 R2 standard server, member of a domain
> (machine name is SM2WIN2003 and domain is OFFICE). Installed 1.5.21 and
> ran ssh-host-config. All goes well and I have sshd service running as
> local user sshd_server.
>
> Then ran mkpasswd and mkgroup:
> mkpasswd -l > /etc/passwd
> mkpasswd -d >> /etc/passwd (I only have one domain, so this is the same
> as mkpasswd -d OFFICE)
> mkgroup -l > /etc/group
> mkgroup -d >> /etc/group
>
> If I ssh as a local user "local1", windows whoami returns
> sm2win2003\local1
> If I ssh as domain user "test1", windows whoami returns
> sm2win2003\sshd_server (BAD)
>
> If I strip the /etc/group file to only:
> SYSTEM:S-1-5-18:18:
> None:S-1-5-21-3712540747-3723856708-2352634044-513:513:
> Domain Users:S-1-5-21-4293257363-1756470469-1603820055-513:10513:
> Then ssh as domain user "test1", windows whoami returns office\test1
> (GOOD)
>
> Now, I tried adding the minimum possible to /etc/group to create the
> problem, so if I just add one line:
> SYSTEM:S-1-5-18:18:
> None:S-1-5-21-3712540747-3723856708-2352634044-513:513:
> Domain Users:S-1-5-21-4293257363-1756470469-1603820055-513:10513:
> Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:
> Then ssh as domain user "test1", windows whoami returns
> sm2win2003\sshd_server (BAD)
>
> My domain user test1 is a member of domain group Test Users.
>
> So my questions would be:
>
> (1) I did find a workaround, but what is the explanation of this
> problem and what is a good, solid workaround?
> (2) Is there a way and a plan to straighten this behavior, and maybe
> document the usage in Win 2003 domain environments (I'm assuming that
> most people would be interested in accessing network resources in Win
> 2003 domains, which is why this is a problem in the first place)
>
> Also, I believe that I didn't have this problem on older Win 2003
> (before R2), but I no longer have a test setup to confirm it.
>
> Attached is the full "whoami /all" output and cygcheck.out.
>
Interesting results. It would be interesting to see what "whoami /all"
reports for these users locally as well, without the sshd "filter". I
expect the issue at hand here is that one group for each user is the
primary group. My WAG is that "Test Users" is the primary group for
the user "test1". Off the top of my head, it's not clear how adding
the group to the '/etc/group' file changes things though.
--
Larry Hall http://www.rfk.com
RFK Partners, Inc. (508) 893-9779 - RFK Office
216 Dalton Rd. (508) 893-9889 - FAX
Holliston, MA 01746
* Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
2006-08-30 21:55 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth) Serban Simu
2006-08-30 22:12 ` Larry Hall (Cygwin)
@ 2006-08-31 16:43 ` Corinna Vinschen
2006-08-31 17:21 ` Larry Hall (Cygwin)
From: Corinna Vinschen @ 2006-08-31 16:43 UTC (permalink / raw)
To: cygwin
On Aug 30 14:05, Serban Simu wrote:
> So my questions would be:
>
> (1) I did find a workaround, but what is the explanation of this
> problem and what is a good, solid workaround?
After some debugging I found that the explanation is that sshd drops
all supplementary groups from the otherwise privileged user token.
This results in a minimized user token when calling initgroups, which
in turn calls NetUserGetGroups, which in turn returns "Access denied".
The solution is to drop back to the original process token before
calling NetUserGetGroups from initgroups. I've checked in a patch
which should be available in the next developers snapshot from
http://cygwin.com/snapshots/
A solid workaround if you're trying to get the same with the current
Cygwin: add all users who want to log in this way to the gr_mem
field of the appropriate groups in /etc/group. In your example case,
it would look like this:
Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:test1
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
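The gr_mem workaround from the reply above, applied by script rather than by hand. This is an added example, not Cygwin's own code: it parses mkgroup-style /etc/group lines, reports which user/group memberships are not yet recorded in the gr_mem field (the logins that would get the sshd_server token in this setup), and adds them idempotently. The group file and the test1 -> "Test Users" membership are the ones from the thread; the group names given per user are assumed to come from `whoami /groups` or the domain's group listing.

```python
"""Record each user in the gr_mem field of its groups in /etc/group, so that
Cygwin can fill the supplementary-group list from the file instead of from
NetUserGetGroups.  Added example, not Cygwin code."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GroupEntry:
    name: str            # group names from mkgroup may contain spaces
    sid: str
    gid: int
    members: List[str] = field(default_factory=list)   # the gr_mem field

    def render(self) -> str:
        return f"{self.name}:{self.sid}:{self.gid}:{','.join(self.members)}"


def parse_group_file(text: str) -> List[GroupEntry]:
    """Parse mkgroup output (name:SID:gid:member,member)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Only the first three colons separate fields; gr_mem is the remainder.
        parts = line.split(":", 3)
        if len(parts) != 4:
            raise ValueError(f"malformed /etc/group line: {raw!r}")
        name, sid, gid, mem = parts
        entries.append(GroupEntry(name, sid, int(gid),
                                  [m for m in mem.split(",") if m]))
    return entries


def _lookup(entries: List[GroupEntry], group: str) -> GroupEntry:
    # Accept either the group name or its SID, both of which mkgroup records.
    for e in entries:
        if e.name == group or e.sid == group:
            return e
    raise KeyError(f"group {group!r} is not in /etc/group; run mkgroup -d first")


def missing_memberships(entries: List[GroupEntry],
                        memberships: Dict[str, List[str]]) -> List[str]:
    """Memberships not yet reflected in gr_mem.  With the sshd from the
    thread, these are the logins that end up with the sshd_server token."""
    return [f"{user} -> {_lookup(entries, g).name}"
            for user, groups in memberships.items()
            for g in groups
            if user not in _lookup(entries, g).members]


def apply_workaround(text: str,
                     memberships: Dict[str, List[str]]) -> Tuple[str, List[str]]:
    """Return (new /etc/group text, list of additions).  Idempotent: running
    it again over its own output adds nothing."""
    entries = parse_group_file(text)
    added = missing_memberships(entries, memberships)
    for user, groups in memberships.items():
        for g in groups:
            entry = _lookup(entries, g)
            if user not in entry.members:
                entry.members.append(user)
    return "\n".join(e.render() for e in entries) + "\n", added


# Constructed input: the minimal /etc/group from the thread, before the fix.
GROUP_FILE = """\
SYSTEM:S-1-5-18:18:
None:S-1-5-21-3712540747-3723856708-2352634044-513:513:
Domain Users:S-1-5-21-4293257363-1756470469-1603820055-513:10513:
Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:
"""
# Domain group membership of test1 as reported in the thread (assumed to be
# gathered from whoami /groups or the domain's group listing in practice).
MEMBERSHIPS = {"test1": ["Test Users"]}

if __name__ == "__main__":
    new_text, added = apply_workaround(GROUP_FILE, MEMBERSHIPS)
    print("added:", added)
    print(new_text, end="")
```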
* Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
2006-08-31 16:43 ` Corinna Vinschen
@ 2006-08-31 17:21 ` Larry Hall (Cygwin)
From: Larry Hall (Cygwin) @ 2006-08-31 17:21 UTC (permalink / raw)
To: cygwin
Corinna Vinschen wrote:
> On Aug 30 14:05, Serban Simu wrote:
>> So my questions would be:
>>
>> (1) I did find a workaround, but what is the explanation of this
>> problem and what is a good, solid workaround?
>
> After some debugging I found that the explanation is that sshd drops
> all supplementary groups from the otherwise privileged user token.
> This results in a minimized user token when calling initgroups, which
> in turn calls NetUserGetGroups, which in turn returns "Access denied".
> The solution is to drop back to the original process token before
> calling NetUserGetGroups from initgroups. I've checked in a patch
> which should be available in the next developers snapshot from
> http://cygwin.com/snapshots/
>
> A solid workaround if you're trying to get the same with the current
> Cygwin: add all users who want to log in this way to the gr_mem
> field of the appropriate groups in /etc/group. In your example case,
> it would look like this:
>
> Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:test1
Nice work! I recommend a new gold star! :-)
* Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
@ 2006-08-31 0:54 Serban Simu
From: Serban Simu @ 2006-08-31 0:54 UTC (permalink / raw)
To: cygwin
I'm attaching the whoami results:
whoami-win.txt - whoami run when logged on to the Windows computer
directly (both OFFICE\test1 and SM2WIN2003\local1)
whoami-ssh.txt - whoami run while ssh-ed in as the user test1 (in both
cases, with and without the Test Users group in /etc/group) and as user local1
The interesting observations are:
- when ssh-ed in as user test1, the SID reported by whoami is the correct
SID of the user in both cases. In one case the name is correct, in the
other the name is sshd_server.
- when ssh-ed in as user test1 with the stripped-down /etc/group such that
whoami displays the right user, the group information is almost
identical to whoami run when logged on directly through Windows, with the
exception of group LOCAL, which is missing.
(Also, I forgot to mention: the credit for the idea of stripping down
/etc/group goes to Dave Perdue.)
[-- Attachment #2: whoami-win.txt --]
[-- Type: text/plain, Size: 5713 bytes --]
##########################################################################
# Locally logged in user OFFICE\test1                                    #
##########################################################################

USER INFORMATION
----------------

User Name    SID
============ ==============================================
office\test1 S-1-5-21-4293257363-1756470469-1603820055-1125

GROUP INFORMATION
-----------------

Group Name                       Type             SID                                            Attributes
================================ ================ ============================================== ===============================================================
Everyone                         Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators           Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                    Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization   Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
OFFICE\Test Users                Group            S-1-5-21-4293257363-1756470469-1603820055-1123 Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
##########################################################################
# Locally logged in user SM2WIN2003\local1                               #
##########################################################################

USER INFORMATION
----------------

User Name         SID
================= ==============================================
sm2win2003\local1 S-1-5-21-3712540747-3723856708-2352634044-1009

GROUP INFORMATION
-----------------

Group Name                       Type             SID          Attributes
================================ ================ ============ ==================================================
Everyone                         Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization   Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name          Description              State
======================= ======================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
[-- Attachment #3: whoami-ssh.txt --]
[-- Type: text/plain, Size: 8971 bytes --]
#####################################################################
# LOGIN AS LOCAL USER local1                                        #
#####################################################################

C:\>ssh local1@192.168.3.54
local1@192.168.3.54's password:

local1@sm2win2003 ~
$ C:/windows/system32/whoami /all

USER INFORMATION
----------------

User Name         SID
================= ==============================================
sm2win2003\local1 S-1-5-21-3712540747-3723856708-2352634044-1009

GROUP INFORMATION
-----------------

Group Name                       Type             SID          Attributes
================================ ================ ============ ==================================================
Everyone                         Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization   Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name          Description              State
======================= ======================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled

local1@sm2win2003 ~
$ exit
logout
Connection to 192.168.3.54 closed.
#####################################################################
# LOGIN AS DOMAIN USER test1 (/etc/group has Test Users)            #
#####################################################################

C:\>ssh test1@192.168.3.54
test1@192.168.3.54's password:
Last login: Wed Aug 30 11:43:21 2006 from 192.168.1.12

test1@sm2win2003 ~
$ c:/windows/system32/whoami /all

USER INFORMATION
----------------

User Name              SID
====================== ==============================================
sm2win2003\sshd_server S-1-5-21-4293257363-1756470469-1603820055-1125

GROUP INFORMATION
-----------------

Group Name                       Type             SID          Attributes
================================ ================ ============ ==================================================
Everyone                         Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE             Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators           Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= =======
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeSecurityPrivilege             Manage auditing and security log          Enabled
SeBackupPrivilege               Back up files and directories             Enabled
SeRestorePrivilege              Restore files and directories             Enabled
SeSystemtimePrivilege           Change the system time                    Enabled
SeShutdownPrivilege             Shut down the system                      Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Enabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Enabled
SeDebugPrivilege                Debug programs                            Enabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Enabled
SeSystemProfilePrivilege        Profile system performance                Enabled
SeProfileSingleProcessPrivilege Profile single process                    Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Enabled
SeLoadDriverPrivilege           Load and unload device drivers            Enabled
SeCreatePagefilePrivilege       Create a pagefile                         Enabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Enabled
SeUndockPrivilege               Remove computer from docking station      Enabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Enabled

test1@sm2win2003 ~
$ exit
logout
Connection to 192.168.3.54 closed.
#####################################################################
# LOGIN AS DOMAIN USER test1 (/etc/group doesn't have Test Users)   #
#####################################################################

C:\Documents and Settings\asp1\Desktop>ssh test1@192.168.3.54
test1@192.168.3.54's password:
Last login: Wed Aug 30 13:05:37 2006 from 192.168.1.12

test1@sm2win2003 ~
$ c:/windows/system32/whoami /all

USER INFORMATION
----------------

User Name    SID
============ ==============================================
office\test1 S-1-5-21-4293257363-1756470469-1603820055-1125

GROUP INFORMATION
-----------------

Group Name                       Type             SID                                            Attributes
================================ ================ ============================================== ===============================================================
Everyone                         Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators           Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                    Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization   Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
OFFICE\Test Users                Group            S-1-5-21-4293257363-1756470469-1603820055-1123 Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled

test1@sm2win2003 ~
$ exit
logout
Connection to 192.168.3.54 closed.
[-- Attachment #4: Type: text/plain, Size: 218 bytes --]
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
* Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
@ 2006-08-31 19:27 Serban Simu
0 siblings, 0 replies; 7+ messages in thread
From: Serban Simu @ 2006-08-31 19:27 UTC (permalink / raw)
To: cygwin
Yes, you are right: adding the users to the member list of the group in
/etc/group fixes the problem.

Thank you for the patch - I will try it out when it becomes available
(I'm assuming it will be the next snapshot after 2006-08-30).

Serban

From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
To: cygwin at cygwin dot com
Date: Thu, 31 Aug 2006 18:13:55 +0200
Subject: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami
sshd_server (password auth)
References: <44F5FD93.1020503@asperasoft.com>
<http://cygwin.com/ml/cygwin/2006-08/msg01056.html>
Reply-to: cygwin at cygwin dot com
On Aug 30 14:05, Serban Simu wrote:
> So my questions would be:
>
> (1) I did find a work around, but what is the explanation of this
> problem and what is a good, solid work around?
After some debugging I found that the explanation is that sshd drops
all supplementary groups from the otherwise privileged user token.
This results in a minimized user token when calling initgroups, which
in turn calls NetUserGetGroups, which in turn returns "Access denied".
The solution is to drop back to the original process token before
calling NetUserGetGroups from initgroups. I've checked in a patch
which should be available in the next developers snapshot from
http://cygwin.com/snapshots/
A solid workaround if you're trying to get the same with the current
Cygwin: Add all users which want to log in this way to the gr_mem
field of the appropriate groups in /etc/group. In your example case,
it would look like this:
Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:test1
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
* Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
@ 2006-10-02 3:47 Serban Simu
0 siblings, 0 replies; 7+ messages in thread
From: Serban Simu @ 2006-10-02 3:47 UTC (permalink / raw)
To: cygwin
[-- Attachment #1: Type: text/plain, Size: 2566 bytes --]
I got a chance to test the snapshot 2006-09-07. It does behave
differently, but still doesn't solve the problem. whoami now shows user
nt authority\system, whereas before the patch it showed sshd_server.
Both the snapshot and 1.5.21 show the correct SID for the domain user.
I also verified that if I add the user name explicitly to /etc/group for
each group it belongs to, other than the primary group, whoami reports
the correct domain user and access to network resources works properly.
Also, users that don't belong to any groups other than their primary
group (which seems to be Domain Users by default), don't exhibit this
problem (this is just a particular case of the previous statement).
Attached is the whoami output for the Windows 2003 computer running
1.5.21 plus the snapshot. If I can be of any help narrowing this down,
please let me know.
- Serban
From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
To: cygwin at cygwin dot com
Date: Thu, 31 Aug 2006 18:13:55 +0200
Subject: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami
sshd_server (password auth)
References: <44F5FD93.1020503@asperasoft.com>
<http://cygwin.com/ml/cygwin/2006-08/msg01056.html>
Reply-to: cygwin at cygwin dot com
On Aug 30 14:05, Serban Simu wrote:
> So my questions would be:
>
> (1) I did find a work around, but what is the explanation of this
> problem and what is a good, solid work around?
After some debugging I found that the explanation is that sshd drops
all supplementary groups from the otherwise privileged user token. This
results in a minimized user token when calling initgroups, which
in turn calls NetUserGetGroups, which in turn returns "Access denied".
The solution is to drop back to the original process token before
calling NetUserGetGroups from initgroups. I've checked in a patch
which should be available in the next developers snapshot from
http://cygwin.com/snapshots/
A solid workaround if you're trying to get the same with the current
Cygwin: Add all users which want to log in this way to the gr_mem
field of the appropriate groups in /etc/group. In your example case,
it would look like this:
Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:test1
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
--
- Serban Simu
Aspera Inc., Berkeley CA http://www.asperasoft.com
serban@asperasoft.com (510) 849-2386
[-- Attachment #2: whoami-snap.txt --]
[-- Type: text/plain, Size: 1382 bytes --]
C:\aspera>ssh serban@192.168.1.171
serban@192.168.1.171's password:
Last login: Fri Sep 29 11:16:35 2006 from olp

serban@olp-w2003 ~
$ c:/windows/system32/whoami.exe /all

USER INFORMATION
----------------

User Name           SID
=================== ==============================================
nt authority\system S-1-5-21-4293257363-1756470469-1603820055-1107

GROUP INFORMATION
-----------------

Group Name                       Type             SID          Attributes
================================ ================ ============ ==================================================
Everyone                         Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name          Description              State
======================= ======================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
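The workaround Corinna gives in the reply quoted above, and that Serban confirms in the two follow-ups (list each such user in the gr_mem field of every domain group it belongs to, other than its primary group), is tedious to keep right by hand once more than a handful of domain users and groups are involved, and the failing state is worth checking for: in the whoami-ssh.txt attachment the broken session reports itself as sm2win2003\sshd_server with every listed privilege Enabled, SeDebugPrivilege included, rather than as office\test1 with most of them Disabled. The script below is an added example for this thread, not code from Cygwin or from either poster. It takes the GROUP INFORMATION section of `whoami /all` (captured in a normal local logon, where the token is correct) plus an /etc/group as written by mkgroup, reports the domain groups that do not list the user in gr_mem, and writes the patched file. The sample inputs are constructed from the values quoted in the thread; the primary gid 10513 (Domain Users) is an assumption read off the posted /etc/group rather than from /etc/passwd, and the user and group names are the ones in the post.

```python
"""Audit and patch a Cygwin /etc/group for the gr_mem workaround.

Added example for the cygwin thread above, not code from Cygwin or the
posters. It compares the domain groups in a user's Windows token (from
`whoami /all`) with /etc/group and adds the user to gr_mem where missing.
"""
import re
from typing import List, Set, Tuple

# Constructed sample: the /etc/group from the original post, with the
# "Test Users" entry that triggered the problem. gr_mem (fourth field) is
# empty everywhere, which is what mkgroup -l / mkgroup -d emit.
SAMPLE_GROUP = (
    "SYSTEM:S-1-5-18:18:\n"
    "None:S-1-5-21-3712540747-3723856708-2352634044-513:513:\n"
    "Domain Users:S-1-5-21-4293257363-1756470469-1603820055-513:10513:\n"
    "Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:\n"
)

# Constructed sample: GROUP INFORMATION of `whoami /all` for OFFICE\test1
# from a local logon (Attributes column omitted; the regex ignores it).
SAMPLE_WHOAMI = (
    "GROUP INFORMATION\n"
    "-----------------\n"
    "Group Name                       Type             SID\n"
    "Everyone                         Well-known group S-1-1-0\n"
    "BUILTIN\\Users                    Alias            S-1-5-32-545\n"
    "NT AUTHORITY\\Authenticated Users Well-known group S-1-5-11\n"
    "OFFICE\\Test Users                Group            "
    "S-1-5-21-4293257363-1756470469-1603820055-1123\n"
)

GroupEntry = Tuple[str, str, str, List[str]]  # name, SID, gid, gr_mem


def parse_group_file(text: str) -> List[GroupEntry]:
    """Split /etc/group into (name, sid, gid, members) tuples."""
    entries: List[GroupEntry] = []
    for line in text.splitlines():
        fields = line.split(":", 3)
        if len(fields) < 4 or line.startswith("#"):
            continue  # blank, comment or otherwise not a group line
        name, sid, gid, mem = fields
        entries.append((name, sid, gid, [m for m in mem.split(",") if m]))
    return entries


# Type column of whoami /all: "Group" is a domain group, "Alias" a BUILTIN
# group, "Well-known group" e.g. Everyone or Authenticated Users.
WHOAMI_GROUP_RE = re.compile(r"\s(Group|Alias|Well-known group)\s+(S-1-[0-9-]+)")


def token_domain_group_sids(whoami_text: str) -> Set[str]:
    """SIDs of the domain groups ("Group" rows) in a whoami /all dump."""
    sids: Set[str] = set()
    for line in whoami_text.splitlines():
        m = WHOAMI_GROUP_RE.search(line)
        if m and m.group(1) == "Group":
            sids.add(m.group(2))
    return sids


def missing_memberships(group_text: str, whoami_text: str,
                        user: str, primary_gid: str) -> List[str]:
    """Names of domain groups in the token whose /etc/group entry lacks user.

    The primary group (the gid field of the user's /etc/passwd entry) is
    skipped: the thread reports it needs no gr_mem entry.
    """
    wanted = token_domain_group_sids(whoami_text)
    return [name for name, sid, gid, members in parse_group_file(group_text)
            if sid in wanted and gid != primary_gid and user not in members]


def add_memberships(group_text: str, user: str, group_names: List[str]) -> str:
    """Return group_text with user appended to gr_mem of the named groups.

    Idempotent: existing members are kept and a user is never added twice,
    so this can be re-run after every mkgroup regeneration.
    """
    out = []
    for line in group_text.splitlines():
        fields = line.split(":", 3)
        if len(fields) == 4 and fields[0] in group_names:
            members = [m for m in fields[3].split(",") if m]
            if user not in members:
                members.append(user)
            line = ":".join((fields[0], fields[1], fields[2], ",".join(members)))
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    todo = missing_memberships(SAMPLE_GROUP, SAMPLE_WHOAMI, "test1", "10513")
    print("groups that need test1 in gr_mem:", todo)
    print(add_memberships(SAMPLE_GROUP, "test1", todo), end="")
```

Capture `whoami /all` from a console logon of the user, not from the ssh session in the failing state, since that session reports the sshd_server token rather than the user's own. Regenerating /etc/group with mkgroup -l and mkgroup -d as in the original post writes empty gr_mem fields again, so the edit has to be reapplied after each regeneration, which is why add_memberships is written to be idempotent.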
Thread overview: 7+ messages
2006-08-30 21:55 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth) Serban Simu
2006-08-30 22:12 ` Larry Hall (Cygwin)
2006-08-31 16:43 ` Corinna Vinschen
2006-08-31 17:21 ` Larry Hall (Cygwin)
2006-08-31 0:54 Serban Simu
2006-08-31 19:27 Serban Simu
2006-10-02 3:47 Serban Simu