From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 92650 invoked by alias); 13 Mar 2019 09:04:23 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 92640 invoked by uid 89); 13 Mar 2019 09:04:23 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-102.1 required=5.0 tests=AWL,BAYES_00,GOOD_FROM_CORINNA_CYGWIN,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 spammy=password, H*F:D*cygwin.com, passwords, services X-HELO: mout.kundenserver.de Received: from mout.kundenserver.de (HELO mout.kundenserver.de) (212.227.17.13) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Wed, 13 Mar 2019 09:04:20 +0000 Received: from calimero.vinschen.de ([24.134.7.25]) by mrelayeu.kundenserver.de (mreue107 [212.227.15.183]) with ESMTPSA (Nemesis) id 1MaIGB-1ha99b2Cgf-00WEgS for ; Wed, 13 Mar 2019 10:04:18 +0100 Received: by calimero.vinschen.de (Postfix, from userid 500) id 1E7B6A80422; Wed, 13 Mar 2019 10:04:18 +0100 (CET) Date: Wed, 13 Mar 2019 09:04:00 -0000 From: Corinna Vinschen To: cygwin@cygwin.com Subject: Re: can't access remote shares when using ssh with rsa key - passwd -R / set(e)uid / LogonUser is not working as expected Message-ID: <20190313090418.GT3785@calimero.vinschen.de> Reply-To: cygwin@cygwin.com Mail-Followup-To: cygwin@cygwin.com References: <20190306122816.GP3785@calimero.vinschen.de> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="ZATCr4BkWovzAAkA" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.11.3 (2019-02-01) X-SW-Source: 2019-03/txt/msg00342.txt.bz2 --ZATCr4BkWovzAAkA Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-length: 2574 Please, don't top-post. On Mar 13 08:31, Maayan Apelboim wrote: >> From: Corinna Vinschen >> Sent: Wednesday, March 6, 2019 2:28 PM >> To: cygwin@cygwin.com >> Subject: Re: can't access remote shares when using ssh with rsa key - pa= sswd -R / set(e)uid / LogonUser is not working as expected >>=20 >> On Mar 6 10:09, Maayan Apelboim wrote: >> > Well, it doesn't work OK unfortunately, but I'm not sure if I missed s= omething in the process, or is it just not working properly. >> > I'm a bit worried to upgrade to 3.0.2 at the moment cause it's a major= version and will probably have new bugs that I wouldn't want to find in pr= oduction. >> >=20 >> > Assuming we will eventually upgrade to latest version - My sshd=20 >> > service is running with domain user cyg_server and we login with domai= ns users via ssh - is it still OK to switch the sshd service's user to loca= l system? >> > Will we still be able to login with domain users via ssh? >>=20 >> Yes, that's the idea. The new method using the official S4U logon techn= ique runs under the SYSTEM account. No need to have a special cyg_server a= ccount with potentially dangerous privileges anymore. >>=20 >> > Will it help with my network shares problem? >>=20 >> No. Just like the old techniques using an LSA authentication module or = creating a user token from scratch, S4U login does not create tokens with v= alid network credentials. For some weird reason only Microsoft knows about= , you still need a password login for that. >>=20 >> The other method, logging in by stored password, as described in >> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd3 still works,= though. >> > Hi, >=20 > I appreciate your detailed response, however, stored passwords doesn't wo= rk properly. > I've read the article and ran passwd -R as described - no errors generate= d and I was able to find the relevant registry entry after running the comm= and, but still can't access network shares (access denied). > When I login with password network shares are available. When you login with stored password, Cygwin performs the same LogonUser call as if you login with password, so the same user token is generated. Off the top of my head I don't know why it shouldn't work for you. You sure you have the correct password stored? When you login and call `id', what does it print? Does it contain the "interactive" group or the "network" group? If the latter, then the internal LogonUser call performed with stored password failed for some reason. Corinna --=20 Corinna Vinschen Cygwin Maintainer --ZATCr4BkWovzAAkA Content-Type: application/pgp-signature; name="signature.asc" Content-length: 833 -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEoVYPmneWZnwT6kwF9TYGna5ET6AFAlyIx5EACgkQ9TYGna5E T6Cfnw//RpXGnxc4ezUwI1msDR2bsbGcI8oJxMscQKqueXwdW/np0+cn+/JpU5h8 +/3K44nk4TCyBd9LHKPRdE+Qu5AB5C7m4MyU6dyMrqwefwLeevqIlop7OXHEr1JN ArvDcPRzfEWmFrMlvsVm2qy4Gn81NLmcDazK/OE6ztFcXxLwezZNAN6yoLdx1QCp TAhNbUGj5HIInB4ACWLBJYaIjLFOveWnfJU/NLBtHFnPZcgidQpacHsZ4VhbEhs8 /O52D0itKvg8EtXOg5STeS6yQeeAAlh9jOeyVhwPjsARhxsbiKedaIo8SdhG52Xk K7vD5/susZCgq79prpnMXZ5rZ2v7oP62BKjQXsWiOuBXeBUDUAfJRxH1VH9NEJBp GmLsiYZIMTPOrLQK6cK5zPDw0bBu2HJTrLLD37aJBNdU3o/UqrKKXr0ktj7X8tHH VJNEdee5UuQbcRp2kwdtEYw6VCkXko+r0M9ZeHYkfultpjLVMCY6ADbxIlDx/sbQ nJsZL2TngR7FhScBQFwjWvkhcq4Ddf/AYf3uur8psZbdPn9QlzRHHiz29akYyMjb noexHiuaBEfl1yx79FHvRhMts9bLEBoP/Zi1XSEID61CH5hRtX7gDwyydi3iIZrA EZLa5GyyP48GbFO9xvpiRuBc3wZm3boMIxrr69ur0OKsSLWvUuw= =M3Ov -----END PGP SIGNATURE----- --ZATCr4BkWovzAAkA--