From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 28688 invoked by alias); 22 Jul 2015 21:50:14 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 28620 invoked by uid 89); 22 Jul 2015 21:50:13 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=4.6 required=5.0 tests=AWL,BAYES_50,FREEMAIL_FROM,KAM_THEBAT,SPF_SOFTFAIL autolearn=no version=3.3.2 X-HELO: smtp.ht-systems.ru Received: from smtp.ht-systems.ru (HELO smtp.ht-systems.ru) (78.110.50.177) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with (AES256-GCM-SHA384 encrypted) ESMTPS; Wed, 22 Jul 2015 21:50:11 +0000 Received: from [95.165.144.62] (helo=darkdragon.lan) by smtp.ht-systems.ru with esmtpa (Exim 4.80.1) (envelope-from ) (Authenticated sender: postmaster@rootdir.org) id 1ZI1tt-0005Na-22 ; Thu, 23 Jul 2015 00:50:05 +0300 Received: from [192.168.1.10] (HELO daemon2.darkdragon.lan) by daemon2 (Office Mail Server 0.8.12 build 08053101) with SMTP; Wed, 22 Jul 2015 21:46:27 -0000 Date: Wed, 22 Jul 2015 21:50:00 -0000 From: Andrey Repin Reply-To: cygwin@cygwin.com Message-ID: <341710545.20150723004627@yandex.ru> To: Jarek , cygwin@cygwin.com Subject: Re: Cygwin ssh and Windows authentication In-Reply-To: References: <1301881165.20150720013859@yandex.ru> <1399485278.20150721032532@yandex.ru> <981419184.20150721233655@yandex.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-IsSubscribed: yes X-SW-Source: 2015-07/txt/msg00352.txt.bz2 Greetings, Jarek! >>>>> So why are they not needed as your comment doesn't really explain that >>>> Read 1.7.35 changelog. >>>> In short, username resolution was completely reworked, thanks to Corinna, and >>>> Cygwin now directly address domain controllers for it. >>> OK so it addresses DCs to check some settings or priviliges. I don't >>> suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?' >> Indirectly, that can be done, i.e., by including a user in "SSH" group and >> allow only "DOMAIN+SSH" group to authorize on server. > I assume the group name is arbitrary and can be named anything. Of course. I have a generic "RemoteUsers" group for all users that allowed remote access (VPN, SSH, etc.) > I went thrugh local rights on my sshserver and I see the Everyone, and > Users local groups have Allow to access this computer via network. > I take it the 'Act as part of the OS','Create a token object' and > 'Replace a process level token' rights are only for the account running > the sshd service. Yes, these are only used by service itself, and not propagated to the users connected. >> Verbose logging from both client and server may give some insight, too. > Here is what I get from the logs on the client when attempting to > connect with WinSCP Try using only username to login. Without domain prefix. And disable other auth mechanics, while you are testing namely I see it trying GSSAPI, which wouldn't work unless explicitly configured and allowed. Please attach long listings as files or provide links to pastebin service of your choice. -- With best regards, Andrey Repin Thursday, July 23, 2015 00:42:20 Sorry for my terrible english... -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple