Message-ID: <44F715E7.6070609@cygwin.com>
Date: Thu, 31 Aug 2006 17:21:00 -0000
From: "Larry Hall (Cygwin)"
Reply-To: cygwin@cygwin.com
To: cygwin@cygwin.com
Subject: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
References: <44F5FD93.1020503@asperasoft.com> <20060831161354.GR20467@calimero.vinschen.de>
In-Reply-To: <20060831161354.GR20467@calimero.vinschen.de>

Corinna Vinschen wrote:
> On Aug 30 14:05, Serban Simu wrote:
>> So my questions would be:
>>
>> (1) I did find a work around, but what is the explanation of this
>> problem and what is a good, solid work around?
>
> After some debugging I found that the explanation is that sshd drops
> all supplementary groups from the otherwise privileged user token.
> This results in a minimized user token when calling initgroups, which
> in turn calls NetUserGetGroups, which in turn returns "Access denied".
> The solution is to drop back to the original process token before
> calling NetUserGetGroups from initgroups. I've checked in a patch
> which should be available in the next developers snapshot from
> http://cygwin.com/snapshots/
>
> A solid workaround if you're trying to get the same with the current
> Cygwin: Add all users which want to log in this way to the gr_mem
> field of the appropriate groups in /etc/group. In your example case,
> it would look like this:
>
>   Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:test1

Nice work! I recommend a new gold star! :-)

--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA  01746
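
The gr_mem workaround quoted above, turned into a check. This is an example added to this archive page, not part of either poster's message and not Cygwin code. It reports which login users are absent from a group's gr_mem field and prints the corrected entry. The function names, the `Users` line and the user `test2` are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample in the /etc/group layout from the thread: name:SID:gid:gr_mem.
# The "Test Users" line is the one quoted in the post; the "Users" line is constructed.
sample_group() {
    printf '%s\n' \
        'Users:S-1-5-32-545:545:' \
        'Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:test1'
}

# Print each user (args 3..n) that is NOT in the gr_mem field of group $2 in file $1.
# Exit status 2 when the group has no entry at all. Assumes login names without spaces.
gr_mem_missing() {
    file=$1; group=$2; shift 2
    awk -F: -v group="$group" -v users="$*" '
        $1 == group {
            found = 1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) have[m[i]] = 1
        }
        END {
            if (!found) exit 2
            n = split(users, u, " ")
            for (i = 1; i <= n; i++) if (!(u[i] in have)) print u[i]
        }' "$file"
}

# Print file $1 with user $3 appended to the gr_mem field of group $2.
# Idempotent; all other lines are passed through untouched.
gr_mem_add() {
    awk -F: -v OFS=: -v group="$2" -v user="$3" '
        $1 == group {
            n = split($4, m, ","); present = 0
            for (i = 1; i <= n; i++) if (m[i] == user) present = 1
            if (!present) $4 = ($4 == "" ? user : $4 "," user)
        }
        { print }' "$1"
}

# Demo on a temporary copy; nothing here touches the real /etc/group.
tmp=$(mktemp)
sample_group > "$tmp"
gr_mem_missing "$tmp" "Test Users" test1 test2        # prints: test2
gr_mem_add "$tmp" "Test Users" test2 | grep '^Test Users:'
rm -f "$tmp"
```

Group names containing spaces, such as `Test Users`, are handled because only `:` is used as the field separator.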