From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
Date: Mon, 16 Jun 2008 21:27:00 -0000 [thread overview]
Message-ID: <20080616211352.GK731@calimero.vinschen.de> (raw)
In-Reply-To: <20080616210105.GI731@calimero.vinschen.de>
Oh, btw., Charles, that's one for you.
On Jun 16 23:01, Corinna Vinschen wrote:
> On May 13 11:09, Schutter, Thomas A. wrote:
> > Except that is not what I am seeing. When I run "id" from a console
> > cygwin shell:
> > $ id
> > uid=18718(tschutter) gid=10513(Domain Users)
> > groups=544(Administrators),545(Users),10513(Domain
> > Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)
> >
> > But when I run "id" from a ssh shell:
> > $ id
> > uid=18718(tschutter) gid=10513(Domain Users)
> > groups=545(Users),10513(Domain Users)
> >
> > So when I am using pubkey authentication, the user token is not a member
> > of the "Administrators", "FDSV-GG-PrxBLD", or "FDSV-GG-PrxPCAdmins"
> > groups.
>
> Dunno if you fixed this problem in the meantime? I tested this myself
> and debugged this situation. It turned out (in *my* local scenario),
> the the PDC refused to list the groups the user is member of:
>
> $ id
> uid=11001(corinna) gid=10513(DomUsers) groups=545(Users),10513(DomUsers)
>
> The problem was that the domain sshd_server account has no right to
> access the domain controller from the network. Solution: Open the Local
> Security Policy of the DC and look for the User Right "Deny access to
> this computer from the network". You'll find your sshd_server user in
> there. Remove it from this user right. Try again:
This user right shouldn't be set anymore in the
csih/cygwin-service-installation-helper.sh script. Patch follows:
* Don't disallow network logon for service user account.
--- cygwin-service-installation-helper.sh.ORIG 2008-06-16 23:07:36.017432500 +0200
+++ cygwin-service-installation-helper.sh 2008-06-16 23:07:50.842305100 +0200
@@ -1640,7 +1640,6 @@ csih_account_has_necessary_privileges()
editrights -l -u "${user}" | fgrep SeCreateTokenPrivilege >/dev/null 2>&1 &&
editrights -l -u "${user}" | fgrep SeTcbPrivilege >/dev/null 2>&1 &&
editrights -l -u "${user}" | fgrep SeDenyInteractiveLogonRight >/dev/null 2>&1 &&
- editrights -l -u "${user}" | fgrep SeDenyNetworkLogonRight >/dev/null 2>&1 &&
editrights -l -u "${user}" | fgrep SeDenyRemoteInteractiveLogonRight >/dev/null 2>&1 &&
editrights -l -u "${user}" | fgrep SeIncreaseQuotaPrivilege >/dev/null 2>&1 &&
editrights -l -u "${user}" | fgrep SeServiceLogonRight >/dev/null 2>&1
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
next prev parent reply other threads:[~2008-06-16 21:14 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-05-12 21:32 Unable to run sshd under a domain sshd_server account [SOLVED] Schutter, Thomas A.
2008-05-12 22:32 ` Igor Peshansky
2008-05-12 23:20 ` Schutter, Thomas A.
2008-05-12 23:24 ` Igor Peshansky
2008-05-13 3:32 ` Igor Peshansky
2008-05-13 16:09 ` Schutter, Thomas A.
2008-05-13 16:10 ` Larry Hall (Cygwin)
2008-05-13 16:29 ` Schutter, Thomas A.
2008-05-13 16:38 ` Larry Hall (Cygwin)
2008-05-13 16:49 ` Schutter, Thomas A.
2008-05-13 17:35 ` Larry Hall (Cygwin)
2008-05-13 17:59 ` Schutter, Thomas A.
2008-05-13 6:45 ` Christopher Faylor
2008-05-13 7:59 ` Corinna Vinschen
2008-05-13 16:22 ` Schutter, Thomas A.
2008-05-13 16:42 ` Corinna Vinschen
2008-05-13 16:57 ` Schutter, Thomas A.
2008-05-13 17:07 ` Corinna Vinschen
2008-05-13 17:24 ` Schutter, Thomas A.
2008-05-14 11:48 ` Corinna Vinschen
2008-06-16 21:03 ` Corinna Vinschen
2008-06-16 21:27 ` Corinna Vinschen [this message]
2008-06-22 23:57 ` CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED]) Corinna Vinschen
2008-07-19 16:52 ` Charles Wilson
2008-07-19 17:10 ` Corinna Vinschen
2008-07-19 20:47 ` Charles Wilson
2008-07-19 21:00 ` Charles Wilson
2008-07-20 12:26 ` Corinna Vinschen
2008-07-20 13:38 ` Corinna Vinschen
2008-08-05 1:32 ` Charles Wilson
2008-08-07 8:13 ` Corinna Vinschen
2008-08-07 15:38 ` Charles Wilson
2008-08-07 16:24 ` Corinna Vinschen
2008-08-07 16:42 ` Charles Wilson
2008-08-07 17:43 ` Corinna Vinschen
2008-08-07 17:53 ` Charles Wilson
2008-08-08 2:20 ` csih-0.1.6 available for testing [Was: Re: CSIH patch (Re: Unable to run sshd ...)] Charles Wilson
2008-08-15 19:39 ` Charles Wilson
2008-08-15 19:59 ` Yaakov (Cygwin Ports)
2008-08-18 11:24 ` Corinna Vinschen
2008-08-18 12:36 ` Charles Wilson
2008-08-18 12:53 ` Corinna Vinschen
2008-08-18 13:14 ` Charles Wilson
2008-08-18 13:16 ` Corinna Vinschen
2008-08-18 18:04 ` Charles Wilson
2008-08-18 13:33 ` Christopher Faylor
2008-08-18 14:12 ` Corinna Vinschen
2008-08-18 14:33 ` Christopher Faylor
2008-08-08 9:20 ` CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED]) Corinna Vinschen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080616211352.GK731@calimero.vinschen.de \
--to=corinna-cygwin@cygwin.com \
--cc=cygwin@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).