public inbox for cygwin@cygwin.com
From: "Fermin Sanchez" <fermin@fermin.ch>
To: <cygwin@cygwin.com>
Subject: sshd on W2K3 Domain Controller: Solution
Date: Sat, 06 Sep 2003 18:31:00 -0000
Message-ID: <99AE13FA0F1F824AA6D299741FE6C82F8EC4@dcp1.home.fermin.ch>

Hello
 
I just wanted to share the solution which finally let me run the sshd on
a Windows 2003 Domain Controller. Essentially, thanks to Corinna
Vinschen, it now works. 
 
The details:
 
1. Create a new account, DO NOT name it "sshd" - I used "sshdService"
2. Add the account to the (domain local) "Administrators" group
3. Open "Active Directory Users and Computers", navigate to the "Domain
Controllers" OU -> Properties, open "Default Domain Controllers Policy".
Go to Computer Configuration -> Windows Settings -> Security Settings
-> Local Policies -> User Rights Assignment. There, in the right-hand
pane, double-click on "Create a token object" and add the "sshdService"
account. IMPORTANT: Doing this in the local security policy won't
accomplish a thing, since the settings in this group policy override any
local policy settings!
4. Install cygwin, run "ssh-host-config -y", select at least "ntsec"
security setting.
5. In Windows, open the properties of the Cygwin SSHD Service and change
the login account to "sshdService". You should get a message saying that
"sshdService" has been granted "logon as a service" right. You could
have assigned that right manually in 3.) as well.
6. chmod 740 /etc/profile (ls -l on /etc/profile showed rights
-rwx------); until now, "740" seems to work, no need to "770".
7. chmod 770 /etc/ssh_host*key (this is quick and very dirty, since it
gives the "Domain Users" group read and write access to the keys. Chown
might be the better approach)
8. chown sshdService /var/empty (/var/log/sshd.log showed "/var/empty
must be owned by root and not group or world-writable."; it was owned by
SYSTEM. The error must be because sshd no longer runs under the SYSTEM
account).

sshd has been running for several hours now, including one reboot just
to see if it really, really likes me now ;-). There are still one or two
minor issues, though; I'll put them in an additional mail just to keep
this one "clean".
 
Thank you again all for your help.
Fermin


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
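The following is an added example, not part of the mail above: a small audit function that checks the three file-permission states steps 6 to 8 describe (a world-writable /etc/profile, host keys left group-accessible by the "quick and very dirty" chmod 770, and a /var/empty that sshd rejects because it is not owned by the service account or is group/world-writable). It assumes GNU stat as shipped by Cygwin's coreutils, and takes an optional path prefix so it can be run against a test tree instead of the live system.

```shell
#!/bin/sh
# Added example (not from the original mail): audit the files that steps
# 6-8 touch and report the states sshd, or a cautious admin, objects to.
# Assumes GNU stat (-c '%a' / '%U'); PREFIX is an assumption that lets
# the checks run against a scratch tree.

# has_bits FILE MASK: succeed if FILE has any permission bit of MASK (octal) set.
has_bits() {
  local mode mask
  mode=$(printf '%d' "0$(stat -c '%a' "$1")") || return 1
  mask=$(printf '%d' "0$2")
  [ $(( mode & mask )) -ne 0 ]
}

# audit_sshd_files SERVICE_ACCOUNT [PREFIX]
# Prints one line per finding and returns the number of findings.
audit_sshd_files() {
  local svc prefix findings f owner
  svc=$1; prefix=${2:-}; findings=0

  # Step 6: /etc/profile is executed at every login, so it must never be
  # world-writable (the mail's 740 is fine).
  f=$prefix/etc/profile
  if [ -e "$f" ] && has_bits "$f" 002; then
    echo "FINDING $f is world-writable"; findings=$((findings + 1))
  fi

  # Step 7: "chmod 770" leaves the host keys readable and writable by the
  # group; a private key should be 600 and owned by the service account.
  for f in "$prefix"/etc/ssh_host*key; do
    [ -e "$f" ] || continue
    if has_bits "$f" 077; then
      echo "FINDING $f is group/world accessible (want 600)"
      findings=$((findings + 1))
    fi
    owner=$(stat -c '%U' "$f")
    if [ "$owner" != "$svc" ]; then
      echo "FINDING $f owned by $owner, not $svc (chown rather than chmod)"
      findings=$((findings + 1))
    fi
  done

  # Step 8: sshd's own check, as quoted from sshd.log in the mail.
  f=$prefix/var/empty
  if [ -d "$f" ]; then
    owner=$(stat -c '%U' "$f")
    if [ "$owner" != "$svc" ]; then
      echo "FINDING $f owned by $owner, not $svc"; findings=$((findings + 1))
    fi
    if has_bits "$f" 022; then
      echo "FINDING $f is group- or world-writable"; findings=$((findings + 1))
    fi
  fi
  return "$findings"
}
```

Run it as `audit_sshd_files sshdService` on the Cygwin box; a zero exit status means none of the three states were found.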
