From: "Schutter, Thomas A." <tschutter@proxix.com>
To: <cygwin@cygwin.com>
Subject: RE: Unable to run sshd under a domain sshd_server account [SOLVED]
Date: Mon, 12 May 2008 21:32:00 -0000
Message-ID: <3B3EFBD49B94AD4DBB7B7097257A8046DD020D@FDSVAST06SXCH01.flooddata.net>
> -----Original Message-----
> From: Schutter, Thomas A.
> Sent: Monday, May 12, 2008 9:52 AM
> To: 'cygwin@cygwin.com'
> Subject: Unable to run sshd under a domain sshd_server account
>
> I am having problems setting up sshd to run under a domain sshd_server
> account instead of a local sshd_server account.
>
> Why do I want to do that? Because in the default install, starting a
> cygwin shell from the console gives me a much different environment and
> permissions than if I start a cygwin shell via ssh. For example, from
> a console shell on the Windows 2003 Server:
> $ echo $USER
> tschutter
> $ echo $USERNAME
> tschutter
> $ echo $HOSTNAME
> fdsvbld01sgrape
> $ echo $USERDOMAIN
> FLOODDATA
> $ id
> uid=18718(tschutter) gid=10513(Domain Users)
> groups=544(Administrators),545(Users),10513(Domain Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)
> $ ls //other/f$
> Data RECYCLER System\ Volume\ Information
>
> But when I log in via ssh:
> $ echo $USER
> tschutter
> $ echo $USERNAME
> sshd_server
> $ echo $HOSTNAME
> fdsvbld01sgrape
> $ echo $USERDOMAIN
> FDSVBLD01SGRAPE
> $ id
> uid=18718(tschutter) gid=10513(Domain Users)
> groups=545(Users),10513(Domain Users)
> $ ls //other/f$
> ls: cannot access //other/f$: Permission denied
>
> The sshd server was set up using "ssh-host-config --yes". So it appears
> that when I log in via ssh, I am logged in as a local user, not a domain
> user. Also, when logged in via ssh, I am not in the Administrators,
> FDSV-GG-PrxBLD, and FDSV-GG-PrxPCAdmins groups. As a side note, I
> would think that USERNAME being set to sshd_server is a bug.
>
> It appears that the solution is to create a domain sshd_server account
> and run sshd as that user. So I created a domain account called
> "fdsv-sa-prx-sshdsrvr". I gave this account the required rights:
> $ editrights -a SeCreateTokenPrivilege -u fdsv-sa-prx-sshdsrvr
> $ editrights -a SeTcbPrivilege -u fdsv-sa-prx-sshdsrvr
> $ editrights -a SeDenyInteractiveLogonRight -u fdsv-sa-prx-sshdsrvr
> $ editrights -a SeDenyNetworkLogonRight -u fdsv-sa-prx-sshdsrvr
> $ editrights -a SeDenyRemoteInteractiveLogonRight -u fdsv-sa-prx-sshdsrvr
> $ editrights -a SeIncreaseQuotaPrivilege -u fdsv-sa-prx-sshdsrvr
> $ editrights -a SeServiceLogonRight -u fdsv-sa-prx-sshdsrvr
>
> I added fdsv-sa-prx-sshdsrvr to local "Administrators" group.
>
> I changed the ownership of the /etc/ssh files and /var/empty:
> $ chown fdsv-sa-prx-sshdsrvr /etc/ssh* /var/empty
>
> I changed the log on account for the "CYGWIN sshd" service to the
> fdsv-sa-prx-sshdsrvr account.
>
> I then tried to start the service:
> $ net start sshd
> The CYGWIN sshd service is starting.
> The CYGWIN sshd service could not be started.
>
> The service did not report an error.
>
> More help is available by typing NET HELPMSG 3534.
>
> The application event log has this error message:
> The description for Event ID ( 0 ) in Source ( sshd ) cannot be
> found. The local computer may not have the necessary registry
> information or message DLL files to display messages from a remote
> computer. You may be able to use the /AUXSOURCE= flag to retrieve this
> description; see Help and Support for details. The following
> information is part of the event: sshd: PID 2068: service `sshd'
> failed: signal 11 raised.
>
> I have attached the output from "cygcheck -s -v -r" as grape-cygcheck.out.
>
> So where do I go from here? What am I missing?
First, I am sorry that I broke the original thread. I was not
subscribed to the list when I made the first post, so I was unable to
reply to that thread.
I solved the problem. I had missed the /var/log files when changing
ownership to the new domain sshd_server account. The chown command
above should be:
chown fdsv-sa-prx-sshdsrvr /etc/ssh* /var/empty /var/log/lastlog /var/log/sshd.log
Now the sshd server starts, and when I log in my id is correct and I can
view shares:
$ echo $USERDOMAIN
FLOODDATA
$ id
uid=18718(tschutter) gid=10513(Domain Users)
groups=544(Administrators),545(Users),10513(Domain Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)
$ ls //other/f$
Data RECYCLER System\ Volume\ Information
Note that my USERNAME is still wrong:
$ echo $USERNAME
fdsv-sa-prx-sshdsrvr
Although this method of creating and using a domain sshd_server account
is not one of the recommended workarounds, it appears to work.
In the other thread, Larry Hall pointed me to the FAQ
http://cygwin.com/faq/faq-nochunks.html#faq.using.shares. One of the
suggestions was to "provide your password to a net use command". I was
unable to make that work, because "net use" never asks for my password:
$ net use \\other\f$
System error 67 has occurred.
The network name cannot be found.
As Larry Hall pointed out in the other thread, the cyglsa dll should
solve this problem and I look forward to trying it out when 1.7.x is
available. I am not ready to jump to snapshots at this time.
--
Tom Schutter
First American - Proxix Solutions
(512) 977-6822
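As an added example, not part of Tom's message or the Cygwin project, the script below turns the steps above into a pre-flight check to run before "net start sshd": it confirms that the domain service account holds every right granted with editrights, and that it owns /etc/ssh*, /var/empty and the /var/log files whose missed chown caused the "signal 11" failure. The account name, rights and paths are the ones from the message; the editrights listing used in the self-test is constructed, and the assumption that "editrights -l -u ACCOUNT" prints one right per line is noted in the code.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks before
# starting the CYGWIN sshd service under a domain account. Account name,
# rights and paths are those from the message above.

SSHD_ACCOUNT="fdsv-sa-prx-sshdsrvr"

# User rights the post grants with "editrights -a <right> -u $SSHD_ACCOUNT".
REQUIRED_RIGHTS="SeCreateTokenPrivilege SeTcbPrivilege
SeIncreaseQuotaPrivilege SeServiceLogonRight SeDenyInteractiveLogonRight
SeDenyNetworkLogonRight SeDenyRemoteInteractiveLogonRight"

# Print each required right absent from an "editrights -l -u ACCOUNT" listing
# passed as one string (assumed format: one right name per line).
# Returns 1 if anything is missing, 0 otherwise.
missing_rights() {
    listing="$1"; missing=0
    for right in $REQUIRED_RIGHTS; do
        if ! printf '%s\n' "$listing" | grep -qx "$right"; then
            echo "$right"; missing=1
        fi
    done
    return $missing
}

# Print each path not owned by OWNER (first argument); a missing path counts
# as not owned. The segfault in the post came from /var/log files still owned
# by the old local account, so ownership is verified before the service starts.
not_owned_by() {
    owner="$1"; shift; bad=0
    for path in "$@"; do
        if [ "$(stat -c %U "$path" 2>/dev/null)" != "$owner" ]; then
            echo "$path"; bad=1
        fi
    done
    return $bad
}

# Live check on the Cygwin host: sh preflight.sh --run
preflight() {
    rights=$(editrights -l -u "$SSHD_ACCOUNT")
    missing_rights "$rights" || { echo "rights missing: grant with editrights -a"; return 1; }
    not_owned_by "$SSHD_ACCOUNT" /etc/ssh* /var/empty /var/log/lastlog /var/log/sshd.log \
        || { echo "chown the paths above to $SSHD_ACCOUNT before net start sshd"; return 1; }
    echo "ok: safe to run 'net start sshd'"
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```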