From: Corinna Vinschen
To: cygwin@cygwin.com
Subject: Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
Date: Sun, 20 Jul 2008 12:26:00 -0000
Message-ID: <20080720122754.GP5675@calimero.vinschen.de>
In-Reply-To: <488252B5.8000501@cwilson.fastmail.fm>
References: <3B3EFBD49B94AD4DBB7B7097257A8046DD020D@FDSVAST06SXCH01.flooddata.net> <20080513073720.GA22193@calimero.vinschen.de> <3B3EFBD49B94AD4DBB7B7097257A8046DD02FC@FDSVAST06SXCH01.flooddata.net> <20080616210105.GI731@calimero.vinschen.de> <20080616211352.GK731@calimero.vinschen.de> <48821B9F.6070907@cwilson.fastmail.fm> <20080719171235.GO5675@calimero.vinschen.de> <488252B5.8000501@cwilson.fastmail.fm>
X-SW-Source: 2008-07/txt/msg00428.txt.bz2

On Jul 19 16:46, Charles Wilson wrote:
> Corinna Vinschen wrote:
>
>> However, I sent a second patch in
>> http://cygwin.com/ml/cygwin/2008-06/msg00453.html
>> The Interactive Logon Right is also necessary for this account.
>
> I don't know why I missed that. I'll roll 0.1.6 soon. Thanks.
>> What also doesn't work well is this: In a domain I might want a
>> cyg_server domain account, rather than a local account on each
>> machine. The reason is that the rights of the domain account can
>> be nicely controlled via group policy. That won't work for local
>> accounts on the domain member machines. Therefore, if a cyg_server
>> account exists in /etc/passwd, I think it should be used.
>
> I'm afraid I have no access to a domain account on which I can test this
> sort of thing (I mean, I /do/ have a domain account at work, but I can't
> experiment with adding new domain accounts, nor manipulate their
> privileges.)
> [...]
> I imagine you are suggesting that the following loop:
>
> for username in cyg_server cron_server sshd_server
> do
>   if net user "${username}" 1> /dev/null 2>&1
>   then
>     [ -z "${first_account}" ] && first_account="${username}"
>     accounts="${accounts}'${username}' "
>   fi
> done
>
> Should be modified somehow, perhaps (UNTESTED):
>
> for username in cyg_server cron_server sshd_server
> do
>   if egrep "^${username}:" /etc/passwd 1>/dev/null 2>&1 ||
>      net user "${username}" 1> /dev/null 2>&1
>   then
>     [ -z "${first_account}" ] && first_account="${username}"
>     accounts="${accounts}'${username}' "
>   fi
> done

Along these lines, yes.  I also think that using the cyg_server/
cron_server/sshd_server account should be preferred over SYSTEM on XP and
earlier systems, at least if they are domain member machines.  Maybe
simply like this: The test should run on any OS, but if none of the
accounts exists, the fallback for XP and earlier is SYSTEM.  IIUC, that's
not quite what $csih_FORCE_PRIVILEGED_USER is for.  Yes? No?

As for creating an account in a domain if it doesn't exist, that's
probably nothing which should be done in the script.  If this feature is
used, the domain admins should know what they are doing, I guess.

> However, note that at present there is no provision in csih to "decorate"
> user names with domain information (e.g.
> username="MyDomain\cyg_server").
> It /might/ work, if you manually set csih_PRIVILEGED_USERNAME that way, but
> I haven't tested it -- and have no way to do so.  It would be serendipitous
> at best if that worked.  But I'm not sure you really /need/ that -- if the
> privileged domain user is in the active domain of the computer on which you
> want to use that privileged account (e.g. to run sshd)...which I imagine is
> the use case under consideration here...I don't think you really /need/ to
> explicitly specify the domain.

That's not quite correct.  When specifying the user running a service,
you have to specify the fully qualified user name.  If you just enter the
name w/o domain it fails with a "no such (local) account" sort of message.

However, assuming the /etc/passwd entry for that user is correct, you
don't need to specify the domain because cygrunsrv translates the Cygwin
username to the Windows domain\username automatically.  So, using the
above egrep and using that user should be sufficient.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
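The account-selection logic the two messages above converge on, written out as an added example that is not csih code and not part of the thread: candidates are accepted when they already have an /etc/passwd entry (which is how a domain cyg_server mapped with mkpasswd -d shows up) or when a local-account check succeeds, and SYSTEM is used only as the fallback on XP and earlier. A second helper shows what "cygrunsrv translates the Cygwin username to domain\username" relies on: the U-DOMAIN\user tag that mkpasswd writes into the GECOS field. To run offline, the passwd path, the uname string and the local-account check are parameters; the sample passwd lines, the SIDs, the fake_net_user stand-in and the assumption that Cygwin reports XP/2003 as CYGWIN_NT-5.x are all constructed for this example.

```shell
#!/bin/sh
# Added example, not csih or Cygwin project code.

# is_pre_vista UNAME_S: true for NT 5.x and earlier (XP/2003), where SYSTEM
# is still an acceptable service account. Assumes Cygwin's "CYGWIN_NT-5.1"
# style uname output; "CYGWIN_NT-10.0" does not match the [1-5].* branch.
is_pre_vista() {
    case "$1" in
        CYGWIN_NT-[1-5].*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# account_in_passwd NAME FILE: exact match on the Cygwin user-name field.
account_in_passwd() {
    grep -q "^$1:" "$2" 2>/dev/null
}

# pick_service_account PASSWD_FILE UNAME_S [LOCAL_CHECK]
# Prints the first of cyg_server/cron_server/sshd_server that exists either
# in the passwd file or according to LOCAL_CHECK (on Cygwin you would pass
# "net user"; default "false" skips the local check). Falls back to SYSTEM
# only on pre-Vista systems; otherwise returns 1 so the caller can decide
# whether to create an account, which the thread says a script should not
# do for domain accounts.
pick_service_account() {
    passwd_file=$1; uname_s=$2; local_check=${3:-false}
    for username in cyg_server cron_server sshd_server; do
        # $local_check is deliberately unquoted so "net user" word-splits.
        if account_in_passwd "$username" "$passwd_file" ||
           $local_check "$username" >/dev/null 2>&1; then
            printf '%s\n' "$username"
            return 0
        fi
    done
    if is_pre_vista "$uname_s"; then
        printf '%s\n' SYSTEM
        return 0
    fi
    return 1
}

# windows_name_for NAME FILE: the DOMAIN\user a service manager needs,
# recovered from the "U-DOMAIN\user,SID" GECOS field mkpasswd writes.
# Entries without that tag yield the bare Cygwin name.
windows_name_for() {
    entry=$(grep "^$1:" "$2" 2>/dev/null | head -n 1)
    [ -n "$entry" ] || return 1
    gecos=$(printf '%s\n' "$entry" | cut -d: -f5)
    win=${gecos%%,*}                 # drop ",S-1-5-..."
    case "$win" in
        U-*) printf '%s\n' "${win#U-}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# Constructed sample passwd file (fake domain MYDOMAIN, fake SIDs).
make_sample_passwd() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
SYSTEM:*:18:544:,S-1-5-18:/home/SYSTEM:/bin/bash
Administrator:unused:500:544:U-MYDOMAIN\Administrator,S-1-5-21-1111111111-2222222222-3333333333-500:/home/Administrator:/bin/bash
cyg_server:unused:1105:513:U-MYDOMAIN\cyg_server,S-1-5-21-1111111111-2222222222-3333333333-1105:/home/cyg_server:/bin/bash
EOF
    printf '%s\n' "$f"
}

# Constructed stand-in for "net user": only sshd_server exists locally.
fake_net_user() {
    [ "$1" = sshd_server ]
}

# Stand-alone demo: a Vista-era domain member with the sample passwd file.
demo_passwd=$(make_sample_passwd)
pick_service_account "$demo_passwd" CYGWIN_NT-6.0 || echo "no privileged account found"
rm -f "$demo_passwd"
```

On a real Cygwin host the call would be `pick_service_account /etc/passwd "$(uname -s)" "net user"`; the account name it prints is the Cygwin name, and `windows_name_for` shows the DOMAIN\user form that would have to be typed if the service were registered by hand rather than through cygrunsrv.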