From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 87651 invoked by alias); 14 Mar 2019 11:11:32 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 87644 invoked by uid 89); 14 Mar 2019 11:11:31 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-104.7 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_2,GOOD_FROM_CORINNA_CYGWIN,KAM_ASCII_DIVIDERS,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 spammy=strace, username, NETWORK, password X-HELO: mout.kundenserver.de Received: from mout.kundenserver.de (HELO mout.kundenserver.de) (217.72.192.74) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Thu, 14 Mar 2019 11:11:30 +0000 Received: from calimero.vinschen.de ([24.134.7.25]) by mrelayeu.kundenserver.de (mreue109 [212.227.15.183]) with ESMTPSA (Nemesis) id 1MTznQ-1hUGr73XSk-00R3pP for ; Thu, 14 Mar 2019 12:11:27 +0100 Received: by calimero.vinschen.de (Postfix, from userid 500) id 2E49AA80746; Thu, 14 Mar 2019 12:11:27 +0100 (CET) Date: Thu, 14 Mar 2019 11:11:00 -0000 From: Corinna Vinschen To: cygwin@cygwin.com Subject: Re: can't access remote shares when using ssh with rsa key - passwd -R / set(e)uid / LogonUser is not working as expected Message-ID: <20190314111127.GF3785@calimero.vinschen.de> Reply-To: cygwin@cygwin.com Mail-Followup-To: cygwin@cygwin.com References: <20190313090418.GT3785@calimero.vinschen.de> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="2W4wSx0jmTCcLO7w" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.11.3 (2019-02-01) X-SW-Source: 2019-03/txt/msg00365.txt.bz2 --2W4wSx0jmTCcLO7w Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-length: 3142 On Mar 14 10:41, Maayan Apelboim wrote: >=20 > When you login with stored password, Cygwin performs the same > LogonUser call as if you login with password, so the same user token > is generated. >=20 > Off the top of my head I don't know why it shouldn't work for you. > You sure you have the correct password stored? When you login and > call `id', what does it print? Does it contain the "interactive" > group or the "network" group? If the latter, then the internal > LogonUser call performed with stored password failed for some reason. >=20 >=20 > Corinna >=20 > -- > Corinna Vinschen > Cygwin Maintainer >=20 > -------------------------------------------------------------------------= -------------- >=20 > Yes, I'm sure I used the correct password, I use it all the time and I > also tried running passwd -R multiple times in case I entered it > wrongly. I'm not sure what are "interactive" & "network" groups - do > you mean literally groups called network & interactive? Either way - Yes. > I'm always getting a group named "interactive" among other groups - > either with password ssh or with RSA - never "network" I do have some > different groups when running id - comparing password ssh and RSA ssh. If password auth or `passwd -R' auth is used you'll have the "4(INTERACTIVE)" group in your `id' output. If S4ULogon is used you'll have the "2(NETWORK)" group in your `id' output. This is one way to identify which logon method has been used. > Also, when I run mkpasswd -d when I log in with password, it generates > users from the domain, comparing RSA ssh that generates only a few > entries unrelated to my domain.. You don't need mkpasswd anymore. Use `getent passwd' instead. But... given you're using mkpasswd at all, I wonder if you still have /etc/passwd and/or /etc/group files. If so, move them out of the way and restart your CYgwin processes. They are not required and may even result in problems if they have been tweaked. If you still have these files, removing them is the first thing to try. > I think the same as you (also mentioned in the email title :) ) that > the LogonUser call doesn't work as expected. Is there a way to verify > it? Any logs I can check? Would it help if I'll send the different > groups I'm getting? Other groups than NETWORK or INTERACTIVE don't matter, as explained above. The only reasons I can think of that LogonUser doesn't work is that your username, domainname, or password are incorrect, or your account is disabled. I never saw the call fail for any other reason. For debugging, you would have to call the sshd service under strace. That would give a hint. For that you should change the sshd service call in the registry so that `/usr/sbin/sshd -D' is replaced with `/usr/bin/strace -o /tmp/sshd.trace /usr/sbin/sshd -d'. Note the lowercase -d, which runs sshd in debug mode. After the first logon, sshd will terminate itself automatically. Afterwards you should send the /tmp/sshd.trace file here for inspection. You can obfuscate sensitive info, but the gist of the file should stay intact. Corinna --=20 Corinna Vinschen Cygwin Maintainer --2W4wSx0jmTCcLO7w Content-Type: application/pgp-signature; name="signature.asc" Content-length: 833 -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEoVYPmneWZnwT6kwF9TYGna5ET6AFAlyKNt8ACgkQ9TYGna5E T6APeg//Xp9mBZ3HQfMil2V5byYtmjtl3xv25cJnRayb7ezOQVmTGHddiN2dbmNG GClEJr2FpV25PkFqFY7SnjBLv8aUCCXBZJnkOSU4rt/yNZOTrBycsih14PaNuZfA SqsupKgLLXuis4nMX6zgG1ob2K55j927t8HEuoPGqgCUgwpIMfdkh3M6SqM9288z wcQkszTk7MRSLPA7qc/LMMdsMvu4gyS5eh5tEd2olS2E+NeLIYRhN7mrJTlFfdvS RvvTZMOPSyZOjUHzSCOH7GCVR/HeULbo4sMTH+2qS3yLh2ho6KUZNLN5VJ1WgmUe wmf3Up6Ugs8XRFm4UhcrMK/cRoZDdBy8nKR7zdnYe62lRRu2kA428cpf5OeFVuSH ExrSjr6Ycs/5iNH/KEalwkbyjYyf0QvM21LK70FBMYFuUpNxcKdD/V9zebI/TOmh v9mIBaaUhl8puWofrn+7QCbt6uKygwZv5R+gPjL0KSfFA1GlyG8xWJ3oXITzi3F/ ANA8DhfFL+bxekSrhxLjlUglr3VIvOxLd/GkQkjLcP++ftg0eXi7FPn6lZadcO7o /CANW1ggXPFH8Hsju68ZFXUmRMoS9dn7hyqiFibiFYryjgOgZ4GLaQn7hbUDcH1P GUrUJ9/GERmFrZx+7ssbbCZUpT6wfF3h4jzEkkbDLuHzNkH7JDU= =mKsS -----END PGP SIGNATURE----- --2W4wSx0jmTCcLO7w--