From: Corinna Vinschen
To: cygwin@cygwin.com
Subject: Re: Unable to run sshd under a domain sshd_server account [SOLVED]
Date: Tue, 13 May 2008 07:59:00 -0000
Message-ID: <20080513073720.GA22193@calimero.vinschen.de>
References: <3B3EFBD49B94AD4DBB7B7097257A8046DD020D@FDSVAST06SXCH01.flooddata.net>
User-Agent: Mutt/1.5.16 (2007-06-09)
X-SW-Source: 2008-05/txt/msg00210.txt.bz2

On May 12 18:29, Igor Peshansky wrote:
> On Mon, 12 May 2008, Schutter, Thomas A. wrote:
> > > -----Original Message-----
> > > From: Schutter, Thomas A.
> > > Sent: Monday, May 12, 2008 9:52 AM
> > > To: 'cygwin@XXXXXX.XXX'
> > > Subject: Unable to run sshd under a domain sshd_server account
> > >
> > > I am having problems setting up sshd to run under a domain sshd_server
> > > account instead of a local sshd_server account.
> > > [snip]
> > > But when I login via ssh:
> > > $ echo $USER
> > > tschutter
> > > $ echo $USERNAME
> > > sshd_server
>
> Yes -- Windows does not understand user impersonation and does not allow
> real user switching. So what sshd does is invoke processes with the
> appropriate token privileges for the user it's impersonating, while
> updating internal Cygwin data structures, but still running as
> sshd_server. So Cygwin sees the right user (in its internal state), but
> Windows processes, of course, don't.

That's not correct.  This problem cropped up on the list a lot already.

When not using password authentication, Cygwin has to create a user token
from scratch.  The resulting processes are running under a normal user
token with correctly set user and group ownership.  What's missing is a
logon session for this user, because only an LSA authentication module
can do that.  As a result, the processes of the new user are running in
the logon session of the user running sshd.  And here's the problem.  For
some reason, the appropriate Windows functions like LookupAccountSid
identify the user token's user SID incorrectly as the user who's owning
the logon session.  And that's all: the connection SID <-> username is
broken.  The token itself is ok.  Usually that's not a big deal, except
that some Windows applications stumble over that, like some Visual Studio
stuff.

The way to fix this is to use a special LSA authentication module which
will be available with the next major release of Cygwin.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
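The message above distinguishes three things that "who am I" can mean on Windows: the user SID stored in the process token, the logon session that token is attached to (and the account that owns that session), and the USERNAME variable that a child process merely inherits from its parent.  The following PowerShell script is an added diagnostic for telling them apart inside an sshd session; it is not code from the Cygwin project or from this thread.  It assumes it is started from the Cygwin login shell (for instance `powershell -File token-vs-session.ps1`; the file name is hypothetical) so that the process inherits the token and environment that sshd set up, and it uses only the documented Win32 calls GetTokenInformation (TokenStatistics) and LsaGetLogonSessionData plus .NET's SID-to-name translation, which goes through the same LSA lookup as LookupAccountSid.  Which values it prints on a given system is for the reader to observe; the script asserts nothing about them.

```powershell
# token-vs-session.ps1 (added example, not part of Cygwin or of the mailing-list post)
# Prints, for the current process:
#   1. the user SID in the process token and the name LSA resolves it to
#   2. the logon session LUID the token belongs to (TOKEN_STATISTICS.AuthenticationId)
#      and the account that owns that logon session (LsaGetLogonSessionData)
#   3. the USER and USERNAME environment variables, which are only inherited
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class TokenProbe
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    // Layout of the Win32 TOKEN_STATISTICS structure.
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_STATISTICS
    {
        public LUID TokenId;
        public LUID AuthenticationId;   // LUID of the logon session this token is attached to
        public long ExpirationTime;
        public int  TokenType;
        public int  ImpersonationLevel;
        public uint DynamicCharged;
        public uint DynamicAvailable;
        public uint GroupCount;
        public uint PrivilegeCount;
        public LUID ModifiedId;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_UNICODE_STRING
    {
        public ushort Length;           // in bytes, not characters
        public ushort MaximumLength;
        public IntPtr Buffer;
    }

    // Leading fields of SECURITY_LOGON_SESSION_DATA; PtrToStructure reads only this prefix.
    [StructLayout(LayoutKind.Sequential)]
    public struct LOGON_SESSION_DATA_PREFIX
    {
        public uint Size;
        public LUID LogonId;
        public LSA_UNICODE_STRING UserName;
        public LSA_UNICODE_STRING LogonDomain;
        public LSA_UNICODE_STRING AuthenticationPackage;
        public uint LogonType;
    }

    const int TokenStatistics = 10;     // TOKEN_INFORMATION_CLASS value

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr info, int len, out int needed);

    [DllImport("secur32.dll")]
    static extern uint LsaGetLogonSessionData(ref LUID logonId, out IntPtr data);

    [DllImport("secur32.dll")]
    static extern uint LsaFreeReturnBuffer(IntPtr buffer);

    static string LsaStr(LSA_UNICODE_STRING s)
    {
        return s.Buffer == IntPtr.Zero ? "" : Marshal.PtrToStringUni(s.Buffer, s.Length / 2);
    }

    public static string[] Describe()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();

        // (1) user SID carried by the token itself, and what LSA says that SID is called
        string tokenSid = id.User.Value;
        string tokenName;
        try { tokenName = id.User.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { tokenName = "<unmapped>"; }

        // (2) logon session LUID recorded in the token
        int needed;
        GetTokenInformation(id.Token, TokenStatistics, IntPtr.Zero, 0, out needed);
        IntPtr buf = Marshal.AllocHGlobal(needed);
        TOKEN_STATISTICS st = new TOKEN_STATISTICS();
        try
        {
            if (!GetTokenInformation(id.Token, TokenStatistics, buf, needed, out needed))
                throw new System.ComponentModel.Win32Exception();
            st = (TOKEN_STATISTICS)Marshal.PtrToStructure(buf, typeof(TOKEN_STATISTICS));
        }
        finally { Marshal.FreeHGlobal(buf); }

        // ... and the account LSA has on record as the owner of that logon session
        string sessionOwner = "<no session data>";
        LUID luid = st.AuthenticationId;
        IntPtr data;
        if (LsaGetLogonSessionData(ref luid, out data) == 0)   // NTSTATUS 0 == STATUS_SUCCESS
        {
            try
            {
                var d = (LOGON_SESSION_DATA_PREFIX)Marshal.PtrToStructure(data, typeof(LOGON_SESSION_DATA_PREFIX));
                sessionOwner = LsaStr(d.LogonDomain) + "\\" + LsaStr(d.UserName) + " (logon type " + d.LogonType + ")";
            }
            finally { LsaFreeReturnBuffer(data); }
        }

        return new string[] {
            "token user SID      : " + tokenSid,
            "SID -> name (LSA)   : " + tokenName,
            "logon session LUID  : 0x" + st.AuthenticationId.HighPart.ToString("x") + st.AuthenticationId.LowPart.ToString("x8"),
            "logon session owner : " + sessionOwner,
            "USER (env, Cygwin)  : " + Environment.GetEnvironmentVariable("USER"),
            "USERNAME (env)      : " + Environment.GetEnvironmentVariable("USERNAME"),
        };
    }
}
'@

[TokenProbe]::Describe() | ForEach-Object { Write-Output $_ }
```

Reading the output against the message: the first two lines are the token's own identity, the third and fourth show whose logon session that token lives in, and the last two are plain environment strings that prove nothing about the token.  A mismatch between the token user and the logon-session owner is the situation the message describes; a mismatch between USER and USERNAME alone is not.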