From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <cygwin-return-142907-listarch-cygwin=sourceware.org@cygwin.com>
Received: (qmail 1869 invoked by alias); 19 Jul 2008 16:52:19 -0000
Received: (qmail 1859 invoked by uid 22791); 19 Jul 2008 16:52:18 -0000
X-Spam-Check-By: sourceware.org
Received: from out3.smtp.messagingengine.com (HELO out3.smtp.messagingengine.com) (66.111.4.27)     by sourceware.org (qpsmtpd/0.31) with ESMTP; Sat, 19 Jul 2008 16:51:54 +0000
Received: from compute1.internal (compute1.internal [10.202.2.41]) 	by out1.messagingengine.com (Postfix) with ESMTP id 5F39913A9DC 	for <cygwin@cygwin.com>; Sat, 19 Jul 2008 12:51:52 -0400 (EDT)
Received: from heartbeat2.messagingengine.com ([10.202.2.161])   by compute1.internal (MEProxy); Sat, 19 Jul 2008 12:51:52 -0400
Received: from [192.168.1.3] (user-0c6suln.cable.mindspring.com [24.110.122.183]) 	by mail.messagingengine.com (Postfix) with ESMTPSA id E28F22D766; 	Sat, 19 Jul 2008 12:51:51 -0400 (EDT)
Message-ID: <48821B9F.6070907@cwilson.fastmail.fm>
Date: Sat, 19 Jul 2008 16:52:00 -0000
From: Charles Wilson <cygwin@cwilson.fastmail.fm>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.14) Gecko/20080421 Thunderbird/2.0.0.14 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: cygwin@cygwin.com
Subject: Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server  	account [SOLVED])
References: <3B3EFBD49B94AD4DBB7B7097257A8046DD020D@FDSVAST06SXCH01.flooddata.net> <Pine.GSO.4.63.0805121820090.11953@access1.cims.nyu.edu> <20080513073720.GA22193@calimero.vinschen.de> <3B3EFBD49B94AD4DBB7B7097257A8046DD02FC@FDSVAST06SXCH01.flooddata.net> <20080616210105.GI731@calimero.vinschen.de> <20080616211352.GK731@calimero.vinschen.de>
In-Reply-To: <20080616211352.GK731@calimero.vinschen.de>
Content-Type: multipart/mixed;  boundary="------------000100010301000108020500"
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
X-SW-Source: 2008-07/txt/msg00414.txt.bz2

--------------000100010301000108020500
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-length: 748

Corinna Vinschen wrote:
> Oh, btw., Charles, that's one for you.
> 
> On Jun 16 23:01, Corinna Vinschen wrote:
>> On May 13 11:09, Schutter, Thomas A. wrote:
>> The problem was that the domain sshd_server account has no right to
>> access the domain controller from the network.  Solution: Open the Local
>> Security Policy of the DC and look for the User Right "Deny access to
>> this computer from the network".  You'll find your sshd_server user in
>> there.  Remove it from this user right.  Try again:
> 
> This user right shouldn't be set anymore in the
> csih/cygwin-service-installation-helper.sh script.  Patch follows:
> 
> 	* Don't disallow network logon for service user account.

Here's the patch I applied, for csih-0.1.5:

--
Chuck


--------------000100010301000108020500
Content-Type: text/plain;
 name="csih-rights.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="csih-rights.patch"
Content-length: 2246

diff -u -r1.7 -r1.8
--- cygwin-service-installation-helper.sh	14 Apr 2008 18:36:05 -0000	1.7
+++ cygwin-service-installation-helper.sh	19 Jul 2008 16:40:31 -0000	1.8
@@ -1636,14 +1636,13 @@
           # user not in Administrators group
           return 1
         else
-          editrights -l -u "${user}" | fgrep SeAssignPrimaryTokenPrivilege     >/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeCreateTokenPrivilege            >/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeTcbPrivilege                    >/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeDenyInteractiveLogonRight       >/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeDenyNetworkLogonRight           >/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeDenyRemoteInteractiveLogonRight >/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeIncreaseQuotaPrivilege          >/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeServiceLogonRight               >/dev/null 2>&1
+          editrights -u "${user}" -t SeAssignPrimaryTokenPrivilege     >/dev/null 2>&1 &&
+          editrights -u "${user}" -t SeCreateTokenPrivilege            >/dev/null 2>&1 &&
+          editrights -u "${user}" -t SeTcbPrivilege                    >/dev/null 2>&1 &&
+          editrights -u "${user}" -t SeDenyInteractiveLogonRight       >/dev/null 2>&1 &&
+          editrights -u "${user}" -t SeDenyRemoteInteractiveLogonRight >/dev/null 2>&1 &&
+          editrights -u "${user}" -t SeIncreaseQuotaPrivilege          >/dev/null 2>&1 &&
+          editrights -u "${user}" -t SeServiceLogonRight               >/dev/null 2>&1
           return # status of previous command-list
         fi
       fi
@@ -2106,7 +2105,6 @@
         editrights -a SeCreateTokenPrivilege -u ${username} &&
         editrights -a SeTcbPrivilege -u ${username} &&
         editrights -a SeDenyInteractiveLogonRight -u ${username} &&
-        editrights -a SeDenyNetworkLogonRight -u ${username} &&
         editrights -a SeDenyRemoteInteractiveLogonRight -u ${username} &&
         editrights -a SeIncreaseQuotaPrivilege -u ${username} &&
         editrights -a SeServiceLogonRight -u ${username} &&


--------------000100010301000108020500
Content-Type: text/plain; charset=us-ascii
Content-length: 218

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
--------------000100010301000108020500--