public inbox for cygwin@cygwin.com
From: Mark Pattie <markpattie@gmail.com>
To: cygwin@cygwin.com
Subject: Re: Seteuid "operation not permitted" error when using LSA for sshd
Date: Tue, 29 May 2012 08:21:00 -0000
Message-ID: <CAKXb5p+ETsym1MtM3Ev964XN3aTLNMabSfPkSj0KEHE53GGZeg@mail.gmail.com>
In-Reply-To: <CAKXb5pJjCBvbj1ZfU8WiEohz2QqW+edUi1Dz6anhELTk2wuZ_g@mail.gmail.com>

I have now removed Cygwin completely from the server and reinstalled.
I am using the default service account that Cygwin creates for sshd
(cyg_server), removed the "create a token object" permission for this
account and configured the LSA package but have the same problem. Any
advice on troubleshooting this issue further or any insight would be
great.

Thanks,
Mark

On Mon, May 28, 2012 at 10:10 AM, Mark Pattie <markpattie@gmail.com> wrote:
> Thanks for responding so quickly.
>
> In the security log I can see it has been assigned the privilege
> SeTcbPrivilege. Security log entry:
>
> Special privileges assigned to new logon.
>
> Subject:
>        Security ID:            BUILDSERVER\cygwin_sshd
>        Account Name:           cygwin_sshd
>        Account Domain:         BUILDSERVER
>        Logon ID:               0x12c1c4
>
> Privileges:             SeAssignPrimaryTokenPrivilege
>                        SeTcbPrivilege
>                        SeSecurityPrivilege
>                        SeTakeOwnershipPrivilege
>                        SeLoadDriverPrivilege
>                        SeBackupPrivilege
>                        SeRestorePrivilege
>                        SeDebugPrivilege
>                        SeSystemEnvironmentPrivilege
>                        SeImpersonatePrivilege
>
> In User Rights Assignment it has the following privileges:
>
> Act as part of the operating system
> Adjust memory quotas for a process
> Logon as a service
> Replace a process level token
>
> Thanks,
> Mark
>
>
>>Does the account have TCB rights?  That's required to run LSA auth.
>>Same for method 3, btw.
>>
>>
>>Corinna
>>
>>--
>>Corinna Vinschen                  Please, send mails regarding Cygwin to
>>Cygwin Project Co-Leader          cygwin AT cygwin DOT com
>>Red Hat
>>
>>On Fri, May 25, 2012 at 10:15 AM, Mark Pattie <markpattie@gmail.com> wrote:
>> Hi all,
>>
>> I have installed Cygwin and am running sshd successfully. The
>> permission required for the sshd service account "create a token
>> object" is not permitted to be granted to any accounts in my
>> organization. As such I have decided to use LSA based on Method 2 on
>> the following page: http://cygwin.com/cygwin-ug-net/ntsec.html.
>>
>> I had successfully tested ssh authentication with a public/private
>> certificate pair prior to running /usr/bin/cyglsa-config to install
>> LSA. I ran the script, removed the "create a token object" permission
>> and rebooted the server. Now I cannot authenticate using the
>> public/private keys. I receive the following error in the Windows
>> event log:
>>
>> sshd: PID 2780: fatal: seteuid 1003: Operation not permitted
>>
>> When I add the permission back to the service account and restart sshd
>> the public/private key authentication works again.
>>
>> Any help would be great.
>>
>> Thanks,
>> Mark

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
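Corinna's question above comes down to whether the sshd service account's logon token actually carries SeTcbPrivilege (needed for the LSA module, method 2, and for method 3) or SeCreateTokenPrivilege (needed for method 1). The script below, an added example that is not from the thread or from Cygwin, parses the text of a Windows Security event 4672 ("Special privileges assigned to new logon") and reports which Cygwin setuid methods the listed privileges allow; the event text is a constructed sample modelled on the one Mark quoted.

```python
import re

# Constructed sample modelled on the Security log entry quoted in the thread
# (event ID 4672, "Special privileges assigned to new logon").
SAMPLE_EVENT = """Special privileges assigned to new logon.

Subject:
       Security ID:            BUILDSERVER\\cygwin_sshd
       Account Name:           cygwin_sshd
       Account Domain:         BUILDSERVER
       Logon ID:               0x12c1c4

Privileges:             SeAssignPrimaryTokenPrivilege
                       SeTcbPrivilege
                       SeImpersonatePrivilege
"""

# Privileges each Cygwin setuid method depends on, as stated in the thread
# and on the ntsec page it links to.
METHOD_PRIVS = {
    "method 1 (create token)": {"SeCreateTokenPrivilege"},
    "method 2 (LSA module) / method 3": {"SeTcbPrivilege"},
}


def parse_4672(text):
    """Return (account_name, set_of_privileges) from a 4672 event body."""
    acct = re.search(r"Account Name:\s+(\S+)", text)
    # Only look at the text after the "Privileges:" label; the names may be
    # wrapped over several lines, so match each Se...Privilege token.
    _, _, tail = text.partition("Privileges:")
    privs = set(re.findall(r"\bSe\w+Privilege\b", tail))
    return (acct.group(1) if acct else None, privs)


def setuid_capabilities(privs):
    """Map the token's privileges to the Cygwin methods they satisfy."""
    return {name: need <= privs for name, need in METHOD_PRIVS.items()}


def diagnose(text):
    """Human-readable summary for one 4672 event."""
    acct, privs = parse_4672(text)
    caps = setuid_capabilities(privs)
    lines = [f"{acct or '<unknown>'}: {len(privs)} sensitive privilege(s)"]
    lines += [f"  {name}: {'ok' if ok else 'MISSING'}" for name, ok in caps.items()]
    return lines


if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_EVENT)))
```

Paste the message body of a real 4672 event for the sshd account's logon into `SAMPLE_EVENT`; if the LSA line says MISSING, the token never received TCB rights, which matches the seteuid failure.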
