From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 7003 invoked by alias); 22 Jun 2008 19:33:56 -0000 Received: (qmail 6994 invoked by uid 22791); 22 Jun 2008 19:33:55 -0000 X-Spam-Check-By: sourceware.org Received: from aquarius.hirmke.de (HELO calimero.vinschen.de) (217.91.18.234) by sourceware.org (qpsmtpd/0.31.1) with ESMTP; Sun, 22 Jun 2008 19:33:31 +0000 Received: by calimero.vinschen.de (Postfix, from userid 500) id 633AE6D4351; Sun, 22 Jun 2008 21:33:28 +0200 (CEST) Date: Sun, 22 Jun 2008 23:57:00 -0000 From: Corinna Vinschen To: cygwin@cygwin.com Subject: Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED]) Message-ID: <20080622193328.GX20180@calimero.vinschen.de> Reply-To: cygwin@cygwin.com Mail-Followup-To: cygwin@cygwin.com References: <3B3EFBD49B94AD4DBB7B7097257A8046DD020D@FDSVAST06SXCH01.flooddata.net> <20080513073720.GA22193@calimero.vinschen.de> <3B3EFBD49B94AD4DBB7B7097257A8046DD02FC@FDSVAST06SXCH01.flooddata.net> <20080616210105.GI731@calimero.vinschen.de> <20080616211352.GK731@calimero.vinschen.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20080616211352.GK731@calimero.vinschen.de> User-Agent: Mutt/1.5.16 (2007-06-09) Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com X-SW-Source: 2008-06/txt/msg00455.txt.bz2 Charles, Ping? On Jun 16 23:13, Corinna Vinschen wrote: > Oh, btw., Charles, that's one for you. > > On Jun 16 23:01, Corinna Vinschen wrote: > > On May 13 11:09, Schutter, Thomas A. wrote: > > > So when I am using pubkey authentication, the user token is not a member > > > of the "Administrators", "FDSV-GG-PrxBLD", or "FDSV-GG-PrxPCAdmins" > > > groups. > > > > the the PDC refused to list the groups the user is member of: > > > > $ id > > uid=11001(corinna) gid=10513(DomUsers) groups=545(Users),10513(DomUsers) > > > > The problem was that the domain sshd_server account has no right to > > access the domain controller from the network. Solution: Open the Local > > Security Policy of the DC and look for the User Right "Deny access to > > this computer from the network". You'll find your sshd_server user in > > there. Remove it from this user right. Try again: > > This user right shouldn't be set anymore in the > csih/cygwin-service-installation-helper.sh script. Patch follows: > [...] In the meantime it turned out that the right to logon interactively should also be given to the cyg_server account. Otherwise you get spurious logon failure events in the security event on the DC related to the cyg_server account. While I'm at it, I'd like to propose the following changes as well: - Don't test for the "Deny Logon" rights in csih_account_has_necessary_privileges. After all, these rights are only additional security measures, but not at all necessary to do the job. - Don't test or set the SeIncreaseQuotaPrivilege privilege. This is given to Administrators by default anyway and if the right is not given to cyg_server explicitely, the test will fail, because editrights doesn't test the groups in the token, only the user itself. Actually that's something which would be worth a fix to editrights. So the patch I propose looks like this: * cygwin-service-installation-helper.sh (csih_account_has_necessary_privileges): Don't explicitely test for SeDenyXXX rights, nor for SeIncreaseQuotaPrivilege. (csih_create_privileged_user): Drop setting SeDenyInteractiveLogonRight, SeDenyNetworkLogonRight, and SeIncreaseQuotaPrivilege. --- cygwin-service-installation-helper.sh.ORIG 2008-06-16 23:07:36.017432500 +0200 +++ cygwin-service-installation-helper.sh 2008-06-22 21:31:57.612588900 +0200 @@ -1639,10 +1639,6 @@ csih_account_has_necessary_privileges() editrights -l -u "${user}" | fgrep SeAssignPrimaryTokenPrivilege >/dev/null 2>&1 && editrights -l -u "${user}" | fgrep SeCreateTokenPrivilege >/dev/null 2>&1 && editrights -l -u "${user}" | fgrep SeTcbPrivilege >/dev/null 2>&1 && - editrights -l -u "${user}" | fgrep SeDenyInteractiveLogonRight >/dev/null 2>&1 && - editrights -l -u "${user}" | fgrep SeDenyNetworkLogonRight >/dev/null 2>&1 && - editrights -l -u "${user}" | fgrep SeDenyRemoteInteractiveLogonRight >/dev/null 2>&1 && - editrights -l -u "${user}" | fgrep SeIncreaseQuotaPrivilege >/dev/null 2>&1 && editrights -l -u "${user}" | fgrep SeServiceLogonRight >/dev/null 2>&1 return # status of previous command-list fi @@ -2105,10 +2101,7 @@ csih_create_privileged_user() editrights -a SeAssignPrimaryTokenPrivilege -u ${username} && editrights -a SeCreateTokenPrivilege -u ${username} && editrights -a SeTcbPrivilege -u ${username} && - editrights -a SeDenyInteractiveLogonRight -u ${username} && - editrights -a SeDenyNetworkLogonRight -u ${username} && editrights -a SeDenyRemoteInteractiveLogonRight -u ${username} && - editrights -a SeIncreaseQuotaPrivilege -u ${username} && editrights -a SeServiceLogonRight -u ${username} && username_got_all_rights="yes" if [ "${username_got_all_rights}" != "yes" ] Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Project Co-Leader cygwin AT cygwin DOT com Red Hat -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/