public inbox for cygwin@cygwin.com
* RE: cron problem with authentication
@ 2004-05-27  9:39 Mike Kenny - BCX - Mngd Services
  2004-05-27 13:15 ` Dave Korn
  2004-05-27 14:35 ` Igor Pechtchanski
  0 siblings, 2 replies; 5+ messages in thread
From: Mike Kenny - BCX - Mngd Services @ 2004-05-27  9:39 UTC (permalink / raw)
  To: Cygwin List

> From: Larry Hall [mailto:cygwin-lh@cygwin.com]
> 
> At 03:52 AM 5/26/2004, you wrote:
> >I previously posted a problem where a job failed attaching to an MQ
> >Q Manager when run from cron. The explanation that was provided 
> >was that because MQ authenticates the user using the NT services 
> >and cron had had to su to that user, bypassing these services, that
> >the user running the job did not then have the correct credentials.
> >
> >This sounds plausible and certainly explains the behaviour I see, but
> >what would be involved in cron checking to see under which user the
> >cygwin session is running and if this is the same user as the cygwin
> >cron service is running under. If they are the same then do not do
> >the change of user? Would this enable the cron job to run with the
> >correct credentials? Or am I totally misunderstanding the problem?
> >I admit that I know little or nothing about either Windows security
> >or how cygwin interacts with it.
> >
> >Thanks for any comments on this
> 
> 
> In the default installation, the user doing the "su" (as you refer to
> it) is the SYSTEM user.  The SYSTEM user has no access to remote SMB
> shares. So your idea doesn't work because it assumes something that
> isn't true.
> 
> One possible alternative is to run cron as the user you want to run
> jobs as.  I don't recall, off-the-top-of-my-head, whether cron assumes
> that it will run as SYSTEM and, if so, this approach probably wouldn't
> work without changing the code.  Another alternative might be to use a
> service which allows accessing remote directories without requiring
> Windows authentication (i.e. not SMB).
> 
Larry, first, thanks for taking the time to respond. Possibly I do not
understand your comments, but I am confused by the reference to shares.
I have a situation where, on the windows side, cron is running as user
'mqdisp'. This user is a member of the mqm group (required for MQ Series)
and is an Administrator with permissions to log in as a service and to act
as part of the Operating System. On the cygwin side, mqdisp is the user that
is trying to run the cron job that attaches to MQ Series. My event log is
showing me the following:

 [754] MQSeries
   Type:     WARNING
   Computer: TEST1
   Time:     2004/05/27 10:50:14   ID:       8074
Authorization failed as the SID 'S-1-5-21-776561741-1935655697-1343024091-1007' does not match the entity 'system'.
  The Object Authority Manager received inconsistent data - the supplied SID does not match that of the supplied entity information.
  Ensure that the application is supplying valid entity and SID information.

While /etc/passwd has the following:

SYSTEM:*:18:544:,S-1-5-18::
mqdisp:unused_by_nt/2000/xp:1007:513:mqdisp,U-TEST1\mqdisp,S-1-5-21-776561741-1935655697-1343024091-1007:/home/mqdisp:/bin/bash

The PS shows that cron is running as SYSTEM, and it seems that it is trying
to use mqdisp's credentials to authenticate system. 

I hope the above better explains my problem.

BTW, is there some way that I can login as 'system'? This might provide a
way around this problem.

Thanks for any input to this

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


* RE: cron problem with authentication
  2004-05-27  9:39 cron problem with authentication Mike Kenny - BCX - Mngd Services
@ 2004-05-27 13:15 ` Dave Korn
  2004-05-27 14:35 ` Igor Pechtchanski
  1 sibling, 0 replies; 5+ messages in thread
From: Dave Korn @ 2004-05-27 13:15 UTC (permalink / raw)
  To: 'Cygwin List'

> -----Original Message-----
> From: cygwin-owner On Behalf Of Mike Kenny - BCX - Mngd Services
> Sent: 27 May 2004 10:07

> I have a situation where, on the windows side, cron is running as user
> 'mqdisp'.

> The PS shows that cron is running as SYSTEM, 

> I hope the above better explains my problem.

  Not exactly!

> On the cygwin side, mqdisp is the user that
> is trying to run the cron job that attaches to MQ Series.

  AYS?  I take it you say this because you were logged in as that user when
you ran crontab?

> BTW, is there some way that I can login as 'system'? This 
> might provide a way around this problem.

  Also not exactly!

  Heh.  Let me be clearer.  It seems to me that you want cron to run as user
mqdisp rather than user SYSTEM.  SYSTEM is a local account; it has utmost
(rooter-than-root) privileges on your local machine but it's not a member of
the domain and has no access rights there.

>  [754] MQSeries
>    Type:     WARNING
>    Computer: TEST1
>    Time:     2004/05/27 10:50:14   ID:       8074
> Authorization failed as the SID 'S-1-5-21-776561741-1935655697-1343024091-1007' does not match the entity 'system'.
>   The Object Authority Manager received inconsistent data - the supplied SID does not match that of the supplied entity information.
>   Ensure that the application is supplying valid entity and SID information.

  Yep, that's mqdisp's sid, not SYSTEM's.

> SYSTEM:*:18:544:,S-1-5-18::
> mqdisp:unused_by_nt/2000/xp:1007:513:mqdisp,U-TEST1\mqdisp,S-1-5-21-776561741-1935655697-1343024091-1007:/home/mqdisp:/bin/bash

  I think the real question is, did you use the --user and --passwd options
to cygrunsrv when you installed crond?  This tells cygrunsrv to use the
windoze 'RunAs' service to start crond as the user you choose.


    cheers, 
      DaveK
-- 
Can't think of a witty .sigline today....
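
As an added illustration (not part of any message in this thread), a small shell check that resolves the SID in the MQSeries warning against the SID stored in Cygwin's /etc/passwd entries and reports whether it belongs to the entity named in the warning. The function names are made up for this example, and the sample data is copied from the values quoted in the thread.

```shell
#!/bin/sh
# Added example. Sample data below is copied from the values quoted in the thread.
# Replace with PASSWD_DATA=$(cat /etc/passwd) on a real Cygwin host.
PASSWD_DATA='SYSTEM:*:18:544:,S-1-5-18::
mqdisp:unused_by_nt/2000/xp:1007:513:mqdisp,U-TEST1\mqdisp,S-1-5-21-776561741-1935655697-1343024091-1007:/home/mqdisp:/bin/bash'

# The MQSeries warning text, joined onto one line (the event log wraps it).
LOG_SAMPLE="Authorization failed as the SID 'S-1-5-21-776561741-1935655697-1343024091-1007' does not match the entity 'system'."

# lc STRING: lower-case a string (Windows account names are case-insensitive).
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sid_owner SID: print the account whose passwd comment (gecos) field holds SID.
sid_owner() {
    printf '%s\n' "$PASSWD_DATA" | awk -F: -v sid="$1" '
        {
            n = split($5, g, ",")
            for (i = 1; i <= n; i++)
                if (g[i] == sid) { print $1; exit }
        }'
}

# diagnose LOGLINE: print "consistent", "mismatch", "unknown-sid" or "unparsed".
# Exit status: 0 consistent, 1 mismatch, 2 could not decide.
diagnose() {
    sid=$(printf '%s\n' "$1" | sed -n "s/.*the SID '\(S-[0-9-]*\)'.*/\1/p")
    entity=$(printf '%s\n' "$1" | sed -n "s/.*the entity '\([^']*\)'.*/\1/p")
    if [ -z "$sid" ] || [ -z "$entity" ]; then
        echo "unparsed"; return 2
    fi
    owner=$(sid_owner "$sid")
    if [ -z "$owner" ]; then
        echo "unknown-sid $sid"; return 2
    fi
    if [ "$(lc "$owner")" = "$(lc "$entity")" ]; then
        echo "consistent $owner"
    else
        # The SID and the entity name refer to different accounts.
        echo "mismatch sid-owner=$owner entity=$entity"; return 1
    fi
}

diagnose "$LOG_SAMPLE" || true
```
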



* RE: cron problem with authentication
  2004-05-27  9:39 cron problem with authentication Mike Kenny - BCX - Mngd Services
  2004-05-27 13:15 ` Dave Korn
@ 2004-05-27 14:35 ` Igor Pechtchanski
  1 sibling, 0 replies; 5+ messages in thread
From: Igor Pechtchanski @ 2004-05-27 14:35 UTC (permalink / raw)
  To: Mike Kenny - BCX - Mngd Services; +Cc: cygwin

On Thu, 27 May 2004, Mike Kenny - BCX - Mngd Services wrote:

> > From: Larry Hall [mailto:cygwin-lh@XXXXXX.XXX]

<http://cygwin.com/acronyms/#PCYMTNQREAIYR>.

> > At 03:52 AM 5/26/2004, you wrote:
> > >I previously posted a problem where a job failed attaching to an MQ
> > >Q Manager when run from cron. The explanation that was provided
> > >was that because MQ authenticates the user using the NT services
> > >and cron had had to su to that user, bypassing these services, that
> > >the user running the job did not then have the correct credentials.
> > >
> > >This sounds plausible and certainly explains the behaviour I see, but
> > >what would be involved in cron checking to see under which user the
> > >cygwin session is running and if this is the same user as the cygwin
> > >cron service is running under. If they are the same then do not do
> > >the change of user? Would this enable the cron job to run with the
> > >correct credentials? Or am I totally misunderstanding the problem?
> > >I admit that I know little or nothing about either Windows security
> > >or how cygwin interacts with it.
> > >
> > >Thanks for any comments on this
> >
> >
> > In the default installation, the user doing the "su" (as you refer to
> > it) is the SYSTEM user.  The SYSTEM user has no access to remote SMB
> > shares. So your idea doesn't work because it assumes something that
> > isn't true.
> >
> > One possible alternative is to run cron as the user you want to run
> > jobs as.  I don't recall, off-the-top-of-my-head, whether cron assumes
> > that it will run as SYSTEM and, if so, this approach probably wouldn't
> > work without changing the code.  Another alternative might be to use a
> > service which allows accessing remote directories without requiring
> > Windows authentication (i.e. not SMB).
>
> Larry, first, thanks for taking the time to respond. Possibly I do not
> understand your comments, but I am confused by the reference to shares.
> I have a situation where, on the windows side, cron is running as user
> 'mqdisp'. This user is a member of the mqm group (required for MQ Series)
> and is an Administrator with permissions to log in as a service and to act
> as part of the Operating System. On the cygwin side, mqdisp is the user that
> is trying to run the cron job that attaches to MQ Series. My event log is
> showing me the following:
>
>  [754] MQSeries
>    Type:     WARNING
>    Computer: TEST1
>    Time:     2004/05/27 10:50:14   ID:       8074
> Authorization failed as the SID 'S-1-5-21-776561741-1935655697-1343024091-1007' does not match the entity 'system'.
>   The Object Authority Manager received inconsistent data - the supplied SID does not match that of the supplied entity information.
>   Ensure that the application is supplying valid entity and SID information.
>
> While /etc/passwd has the following:
>
> SYSTEM:*:18:544:,S-1-5-18::
> mqdisp:unused_by_nt/2000/xp:1007:513:mqdisp,U-TEST1\mqdisp,S-1-5-21-776561741-1935655697-1343024091-1007:/home/mqdisp:/bin/bash
>
> The PS shows that cron is running as SYSTEM, and it seems that it is trying
> to use mqdisp's credentials to authenticate system.
>
> I hope the above better explains my problem.

Did you look at <http://cygwin.com/cygwin-ug-net/ntsec.html#NTSEC-SETUID>?

> BTW, is there some way that I can login as 'system'? This might provide a
> way around this problem.

There is, but I doubt it'd be helpful.  That said, Google for
"system-owned shell cygwin".

> Thanks for any input to this

Just try what's already been suggested -- run the cron daemon as mqdisp
(if that's the only thing you're using cron for) by using the --user and
--passwd options to cygrunsrv.
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha@cs.nyu.edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor@watson.ibm.com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton


* Re: cron problem with authentication
       [not found] ` <A2AE62FF85AEAC4BA3DE695E3C237D110AD47B@exmid04.africa.enterprise.root>
@ 2004-05-27  0:19   ` Larry Hall
  0 siblings, 0 replies; 5+ messages in thread
From: Larry Hall @ 2004-05-27  0:19 UTC (permalink / raw)
  To: Mike Kenny - BCX - Mngd Services, Cygwin (E-mail)

At 03:52 AM 5/26/2004, you wrote:
>I previously posted a problem where a job failed attaching to an MQ
>Q Manager when run from cron. The explanation that was provided 
>was that because MQ authenticates the user using the NT services 
>and cron had had to su to that user, bypassing these services, that
>the user running the job did not then have the correct credentials.
>
>This sounds plausible and certainly explains the behaviour I see, but
>what would be involved in cron checking to see under which user the
>cygwin session is running and if this is the same user as the cygwin
>cron service is running under. If they are the same then do not do
>the change of user? Would this enable the cron job to run with the
>correct credentials? Or am I totally misunderstanding the problem?
>I admit that I know little or nothing about either Windows security
>or how cygwin interacts with it.
>
>Thanks for any comments on this


In the default installation, the user doing the "su" (as you refer to it)
is the SYSTEM user.  The SYSTEM user has no access to remote SMB shares.
So your idea doesn't work because it assumes something that isn't true.

One possible alternative is to run cron as the user you want to run jobs 
as.  I don't recall, off-the-top-of-my-head, whether cron assumes that
it will run as SYSTEM and, if so, this approach probably wouldn't work
without changing the code.  Another alternative might be to use a service
which allows accessing remote directories without requiring Windows 
authentication (i.e. not SMB).


--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
838 Washington Street                   (508) 893-9889 - FAX
Holliston, MA 01746                     



* cron problem with authentication
@ 2004-05-26 14:21 Mike Kenny - BCX - Mngd Services
       [not found] ` <A2AE62FF85AEAC4BA3DE695E3C237D110AD47B@exmid04.africa.enterprise.root>
  0 siblings, 1 reply; 5+ messages in thread
From: Mike Kenny - BCX - Mngd Services @ 2004-05-26 14:21 UTC (permalink / raw)
  To: Cygwin (E-mail)

I previously posted a problem where a job failed attaching to an MQ
Q Manager when run from cron. The explanation that was provided 
was that because MQ authenticates the user using the NT services 
and cron had had to su to that user, bypassing these services, that
the user running the job did not then have the correct credentials.

This sounds plausible and certainly explains the behaviour I see, but
what would be involved in cron checking to see under which user the
cygwin session is running and if this is the same user as the cygwin
cron service is running under. If they are the same then do not do
the change of user? Would this enable the cron job to run with the
correct credentials? Or am I totally misunderstanding the problem?
I admit that I know little or nothing about either Windows security
or how cygwin interacts with it.

Thanks for any comments on this
