From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 22970 invoked by alias); 6 Mar 2019 20:13:45 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 22961 invoked by uid 89); 6 Mar 2019 20:13:45 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=0.8 required=5.0 tests=BAYES_00,DNS_FROM_AHBL_RHSBL,RCVD_IN_DNSWL_NONE,TIME_LIMIT_EXCEEDED autolearn=unavailable version=3.3.1 spammy=H*F:D*cygwin.com, password X-HELO: mout.kundenserver.de Received: from mout.kundenserver.de (HELO mout.kundenserver.de) (212.227.17.24) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Wed, 06 Mar 2019 20:13:35 +0000 Received: from calimero.vinschen.de ([217.91.18.234]) by mrelayeu.kundenserver.de (mreue108 [212.227.15.183]) with ESMTPSA (Nemesis) id 1N4i7l-1guvcp1QdL-011mOm for ; Wed, 06 Mar 2019 21:13:32 +0100 Received: by calimero.vinschen.de (Postfix, from userid 500) id 990FDA80425; Wed, 6 Mar 2019 21:13:31 +0100 (CET) Date: Wed, 06 Mar 2019 20:13:00 -0000 From: Corinna Vinschen To: cygwin@cygwin.com Subject: Re: sshd problem on WS2008R2 64bit Message-ID: <20190306201331.GB3785@calimero.vinschen.de> Reply-To: cygwin@cygwin.com Mail-Followup-To: cygwin@cygwin.com References: <20190306010254.GA4210@zebra> <20190306121154.GN3785@calimero.vinschen.de> <20190306124816.GR3785@calimero.vinschen.de> <20190306141716.GS3785@calimero.vinschen.de> <20190306143424.GU3785@calimero.vinschen.de> <20190306153404.GX3785@calimero.vinschen.de> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="R10gueRtU1pFqy+X" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.11.3 (2019-02-01) X-SW-Source: 2019-03/txt/msg00117.txt.bz2 --R10gueRtU1pFqy+X Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-length: 2601 On Mar 6 09:45, Bill Stewart wrote: > On Wed, Mar 6, 2019 at 8:34 AM Corinna Vinschen wrote: >=20 > > On Mar 6 08:38, Bill Stewart wrote: > > > On Wed, Mar 6, 2019 at 7:34 AM Corinna Vinschen wrote: > > > > On Mar 6 15:17, Corinna Vinschen wrote: > > > > > But the old Systems like Windows 7 don't want to play nice. > > > > > > > > > > - On Vista and Windows 7 WOW64, MsV1_0S4ULogon isn't implemented > > > > > at all, which required to keep the create_token method > > > > > available > > > > > > > > > > - On Vista and Windows 7 MsV1_0S4ULogon does not work without > > > > > some user logged in locally, even if it's just the cyg_server > > > > > service account. > > > > > > > > FTR, Windows 8 / Server 2012 is affected as well, > > > > Windows 8.1 / Server 2012 R2 is not. > > > > > > > > > > Question is, what is a good solution? Reverting cyglsa as > > > > > well to allow the old methods to work as before? This is > > > > > the opposite of what I had hoped to accomplish :( > > > > > > I agree that the new S4U logon method is by far the best solution. > > > > > > It seems to me that this MSV1 S4ULogon behavior on versions older than > NT > > > 6.3 (Vista/Srv2008/Win7/Srv2008R2/Win8/Srv2012) is not expected. > > > > > > What precisely happens when Cygwin uses MSV1 S4ULogon on versions old= er > > > than 6.3 before a user has logged on? > > > > MsV1S4ULogon returns with STATUS_NOT_SUPPORTED. Funny status code, > > given it works if some user already logged in by other means... >=20 > OK, so here's another potential workaround that doesn't require running t= he > service as a specific user... >=20 > Create a scheduled task to run using the following settings: >=20 > General -> Run using user account - > choose a local account > General -> "Run whether user is logged on or not" > Triggers -> Run at system startup > Actions -> Start a program -> Program/script: %SystemRoot%\Cystem32\cmd.e= xe > Actions -> Start a program -> Add arguments: /c exit >=20 > Full password logon is required (seems we can't use "do not store passwor= d" > option). >=20 > The local account does not have to be a member of Administrators, but it > does require user right "Log on as a batch job" (SeBatchLogonRight). >=20 > In my prefunctory testing this seems to fix this problem. >=20 > Does this work? This does indeed work in my local testing on Windows 7, with a local dummy user just for this scheduled job and sshd running under SYSTEM. Now, if that's a feasible workaround for users of these older systems...? Thanks, Corinna --=20 Corinna Vinschen Cygwin Maintainer --R10gueRtU1pFqy+X Content-Type: application/pgp-signature; name="signature.asc" Content-length: 833 -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEoVYPmneWZnwT6kwF9TYGna5ET6AFAlyAKesACgkQ9TYGna5E T6BXwA//ZlFn6sHfb7+8l0UCJv1MC5Vl4QbaCGzmeLaiYnn9WUMcQDIlpiglmxVk DS4940LOxDbQBz2SLyOelBLLqpqNlGx8mbeMsCLOFg0DJbluBq4hLSMwcXiZyIjC sP/du4zjE73H0AVnFj+c6Kbr00FCtXqvh6JNy2zgAhLCRrUgtzOk/MX8+g1SPBOn 0XD+zRvtvULuXlRbyV72H3xLoAn9AvIZLj9Mgj30WrZKaycRCgc9tnKTwPO0EDol wkYYhkG4JdXExQ1v5XZe8pMGuR0Zoo6fxH1Igr5kQCaslT1vA+IELAA+2YYAiyoa VhKpfPtok6OCnUi8kzjtAr/h9gbTeUkvu9ZyMZrHL1TCfDyaKxicxv0MhBqwhC5I C5bUhZQepLyHPbNyhKHLih9w7ED0jlRToOxsY0iYFTlR58y57YZ40Vi93oKxQkY+ KkRO2ULfH72AHTcD+VslJsdzzmPbNsGdVniM9S25z1uWTdT+jbQR7z6eawVmTVeG iCOlcTlQQgG6cn1wG9aKdaR1Ta+ogki8a2+qdQNNX7UmSsDOvcTcuDfUQCdfCvpk dXnB3nvJ30SbZUp5eUkNTrp5CvBvhNN28+NXX7pDH2bxPe3wcNHFBvLYG7GzIHgq kgVNatDozWpGIHSP5gY3fZKCIlqWGNTR484PXWc4pibD15kKyvk= =IPTg -----END PGP SIGNATURE----- --R10gueRtU1pFqy+X--