From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: sshd problem on WS2008R2 64bit
Date: Wed, 06 Mar 2019 20:59:00 -0000 [thread overview]
Message-ID: <20190306205931.GC3785@calimero.vinschen.de> (raw)
In-Reply-To: <CANV9t=RtsR8+KZ68QirxfiU9w_sGk9QnQejEyJVeBcrdiuOq0w@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2905 bytes --]
On Mar 6 13:47, Bill Stewart wrote:
> On Wed, Mar 6, 2019 at 1:14 PM Corinna Vinschen wrote:
>
> > > > > What precisely happens when Cygwin uses MSV1 S4ULogon on versions
> older
> > > > > than 6.3 before a user has logged on?
> > > >
> > > > MsV1S4ULogon returns with STATUS_NOT_SUPPORTED. Funny status code,
> > > > given it works if some user already logged in by other means...
> > >
> > > OK, so here's another potential workaround that doesn't require running
> the
> > > service as a specific user...
> > >
> > > Create a scheduled task to run using the following settings:
> > >
> > > General -> Run using user account - > choose a local account
> > > General -> "Run whether user is logged on or not"
> > > Triggers -> Run at system startup
> > > Actions -> Start a program -> Program/script:
> %SystemRoot%\Cystem32\cmd.exe
> > > Actions -> Start a program -> Add arguments: /c exit
> > >
> > > Full password logon is required (seems we can't use "do not store
> password"
> > > option).
> > >
> > > The local account does not have to be a member of Administrators, but it
> > > does require user right "Log on as a batch job" (SeBatchLogonRight).
> > >
> > > In my prefunctory testing this seems to fix this problem.
> > >
> > > Does this work?
> >
> > This does indeed work in my local testing on Windows 7, with a local
> > dummy user just for this scheduled job and sshd running under SYSTEM.
> >
> > Now, if that's a feasible workaround for users of these older
> > systems...?
>
> Good -- this works for me also. (My wild guess, which may be wrong, is that
> the older OS versions don't initialize MSV1 S4ULogon for some reason until
> somebody logs on.)
>
> Whether this workaround is feasible likely depends on the end user. The
> workaround has its own limitations. Here are at least 2 that I can think of
> right now:
>
> 1. The local user must have "Log on as a batch job" (SeBatchLogonRight)
> user right.
>
> 2. The "Network access: Do not allow storage of passwords and credentials
> for network authentication" security policy must be set to "Disabled". (If
> this policy is set to "Enabled", then you can't create scheduled tasks with
> stored passwords.)
>
> It's a weird problem. The best option would be for Microsoft to provide a
> fix (if we can provide a short example program that reproduces it).
I'm reasonably sure there won't be any fix for these systems for at
least two reasons:
- All affected systems are EOLed or in the last year of their Extended
Support Cycle, all ending on 2020-01-14.
- I opened a support case for an older Windows release a couple of years
ago. A fix for the problem has been refused because the problem was
fixed in the newer OS. I got told literally that the fix is to upgrade
to the newer OS.
Corinna
--
Corinna Vinschen
Cygwin Maintainer
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2019-03-06 20:59 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-06 1:03 Stephen Carrier
2019-03-06 12:12 ` Corinna Vinschen
2019-03-06 12:48 ` Corinna Vinschen
2019-03-06 14:17 ` Corinna Vinschen
2019-03-06 14:34 ` Corinna Vinschen
2019-03-06 15:30 ` Bill Stewart
2019-03-06 15:34 ` Corinna Vinschen
2019-03-06 15:59 ` Bill Stewart
2019-03-06 16:45 ` Bill Stewart
2019-03-06 20:13 ` Corinna Vinschen
2019-03-06 20:48 ` Bill Stewart
2019-03-06 20:59 ` Corinna Vinschen [this message]
2019-03-06 21:25 ` Bill Stewart
2019-03-06 23:44 ` Stephen Paul Carrier
2019-03-06 23:54 ` Stephen Paul Carrier
2019-03-07 6:15 ` Brian Inglis
2019-03-07 8:54 ` Corinna Vinschen
2019-03-07 14:04 ` Brian Inglis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190306205931.GC3785@calimero.vinschen.de \
--to=corinna-cygwin@cygwin.com \
--cc=cygwin@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).