From: Jarek
Date: Sun, 02 Aug 2015 12:47:00 -0000
To: cygwin@cygwin.com
Subject: Re: Cygwin ssh and Windows authentication

On 2015-07-22 23:46, Andrey Repin wrote:
> Greetings, Jarek!
>
>>>>>> So why are they not needed as your comment doesn't really explain that
>>>>> Read 1.7.35 changelog.
>>>>> In short, username resolution was completely reworked, thanks to Corinna, and
>>>>> Cygwin now directly addresses domain controllers for it.
>>>> OK so it addresses DCs to check some settings or privileges. I don't
>>>> suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'
>>> Indirectly, that can be done, i.e., by including a user in "SSH" group and
>>> allow only "DOMAIN+SSH" group to authorize on server.
>> I assume the group name is arbitrary and can be named anything.
> Of course. I have a generic "RemoteUsers" group for all users that are allowed
> remote access (VPN, SSH, etc.)
>
>> I went through local rights on my sshserver and I see the Everyone, and
>> Users local groups have Allow to access this computer via network.
>> I take it the 'Act as part of the OS', 'Create a token object' and
>> 'Replace a process level token' rights are only for the account running
>> the sshd service.
> Yes, these are only used by service itself, and not propagated to the users
> connected.
>
>>> Verbose logging from both client and server may give some insight, too.
>> Here is what I get from the logs on the client when attempting to
>> connect with WinSCP
> Try using only username to login. Without domain prefix.
> And disable other auth mechanics while you are testing; namely, I see it trying
> GSSAPI, which wouldn't work unless explicitly configured and allowed.
>
> Please attach long listings as files or provide links to pastebin service of
> your choice.
>
>

Hi Andrey,

Just for an update, I deployed ssh access using the passwd file. I found it works fine as long as the user connecting is a member of local admins. Otherwise users are not able to connect. Looks like this may be a bug after all.

Best,
Jarek