public inbox for cygwin@cygwin.com
* second exec channel cannot access windows share (open-ssh)
From: gaillard @ 2013-10-04  7:26 UTC
  To: cygwin

Hi,

My company uses cygwin to enable client users to access an application through
open-ssh server via an ssh exec-channel. After the session connects fine, the
firstly created exec channel is able to access the mounted shares installed on
the box (in my test a Windows Server 2008 R2).
The issue comes when opening the second exec channel that is not able to access
the shares.

From the tests I made the second channel is not impersonating the user correctly
since it appears the application process runs as "Local System" which would
explain the issue.

The open-ssh service is installed under a special user account that runs with the
following settings in local security policy:
- adjust memory quotas for a process
- create a token object
- logon as a service
- replace a process level token

I tried to add this but without success:
- impersonate a client after authentication

I've also read the doc "Using Windows Security in Cygwin" but I'm unsure of the
correct diagnostic for the problem: wrong setting (do I need to use LSA
authentication) or is it a bug?

Any advice will be appreciated.
Thanks,

--Gilles

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: second exec channel cannot access windows share (open-ssh)
From: Larry Hall (Cygwin) @ 2013-10-04 17:16 UTC
  To: cygwin

On 10/4/2013 3:26 AM, gaillard wrote:
> Hi,
>
> My company uses cygwin to enable client users to access an application through
> open-ssh server via an ssh exec-channel. After the session connects fine, the
> firstly created exec channel is able to access the mounted shares installed on
> the box (in my test a Windows Server 2008 R2).
> The issue comes when opening the second exec channel that is not able to access
> the shares.
>
> From the tests I made the second channel is not impersonating the user
> correctly since it appears the application process runs as "Local System"
> which would explain the issue.
>
> The open-ssh service is installed under a special user account that runs
> with the
> following settings in local security policy:
> - adjust memory quotas for a process
> - create a token object
> - logon as a service
> - replace a process level token
>
> I tried to add this but without success:
> - impersonate a client after authentication
>
> I've also read the doc "Using Windows Security in Cygwin" but I'm unsure of the
> correct diagnostic for the problem: wrong setting (do I need to use LSA
> authentication) or is it a bug?
>
> Any advice will be appreciated.

If you have passwords on your shares (and it sounds like you do), then
your only real alternative is the third option as described in the
Users Guide:

<http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd3>


-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?


* Re: Re: second exec channel cannot access windows share (open-ssh)
From: gaillard @ 2013-10-07  8:05 UTC
  To: cygwin

Thanks. Yes there are passwords on shares.

What confuses me is that it works on the first invocation of exec channel.
Is there any reason why it works then?

-- 
Gilles Gaillard



* Re: second exec channel cannot access windows share (open-ssh)
From: Larry Hall (Cygwin) @ 2013-10-07 16:26 UTC
  To: cygwin

On 10/7/2013 4:04 AM, gaillard wrote:
> Thanks. Yes there are passwords on shares.
>
> What confuses me is that it works on the first invocation of exec channel.
> Is there any reason why it works then?

There are some corner cases where this might work for an individual user
(i.e. the one that's running the service for instance).  But those have
limitations as well.  My guess is you're seeing one of those corner cases.

-- 
Larry
