This is the mail archive of the
mailing list for the Cygwin project.
RE: cron problem with authentication
- From: Igor Pechtchanski <pechtcha at cs dot nyu dot edu>
- To: Mike Kenny - BCX - Mngd Services <Mike dot Kenny at bcx dot co dot za>
- Cc: cygwin at cygwin dot com
- Date: Thu, 27 May 2004 10:24:37 -0400 (EDT)
- Subject: RE: cron problem with authentication
- References: <A2AE62FF85AEAC4BA3DE695E3C237D110AD47F@exmid04.africa.enterprise.root>
- Reply-to: cygwin at cygwin dot com
On Thu, 27 May 2004, Mike Kenny - BCX - Mngd Services wrote:
> > From: Larry Hall [mailto:cygwin-lh@XXXXXX.XXX]
> > At 03:52 AM 5/26/2004, you wrote:
> > >I previously posted a problem where a job failed attaching to an MQ
> > >Q Manager when run from cron. The explanation that was provided
> > >was that because MQ authenticates the user using the NT services
> > >and cron had had to su to that user, bypassing these services, that
> > >the user running the job did not then have the correct credentials.
> > >
> > >This sounds plausible and certainly explains the behaviour I see, but
> > >what would be involved in cron checking to see under which user the
> > >cygwin session is running and if this is the same user as the cygwin
> > >cron service is running under. If they are the same then do not do
> > >the change of user? Would this enable the cron job to run with the
> > >correct credentials? Or am I totally misunderstanding the problem?
> > >I admit that I know little or nothing about either Windows security
> > >or how cygwin interacts with it.
> > >
> > >Thanks for any comments on this
> > In the default installation, the user doing the "su" (as you refer to
> > it) is the SYSTEM user. The SYSTEM user has no access to remote SMB
> > shares. So your idea doesn't work because it assumes something that
> > isn't true.
> > One possible alternative is to run cron as the user you want to run
> > jobs as. I don't recall, off-the-top-of-my-head, whether cron assumes
> > that it will run as SYSTEM and, if so, this approach probably wouldn't
> > work without changing the code. Another alternative might be to use a
> > service which allows accessing remote directories without requiring
> > Windows authentication (i.e. not SMB).
> Larry, first, thanks for taking the time to respond. Possibly I do not
> understand your comments, but I am confused by the reference to shares.
> I have a situation where, on the Windows side, cron is running as user
> 'mqdisp'. This user is a member of the mqm group (required for MQ Series)
> and is an Administrator with permissions to log in as a service and to act
> as part of the Operating System. On the cygwin side, mqdisp is the user that
> is trying to run the cron job that attaches to MQ Series. My event log is
> showing me the following:
>  MQSeries
> Type: WARNING
> Computer: TEST1
> Time: 2004/05/27 10:50:14 ID: 8074
> Authorization failed as the SID 'S-1-5-21-776561741-1935655697-1343024091-1007' does not match the entity 'system'.
> The Object Authority Manager received inconsistent data - the supplied SID does not match that of the supplied entity information.
> Ensure that the application is supplying valid entity and SID information.
> While /etc/passwd has the following:
> The PS shows that cron is running as SYSTEM, and it seems that it is trying
> to use mqdisp's credentials to authenticate system.
> I hope the above better explains my problem.
Did you look at <http://cygwin.com/cygwin-ug-net/ntsec.html#NTSEC-SETUID>?
> BTW, is there some way that I can login as 'system'? This might provide a
> way around this problem.
There is, but I doubt it'd be helpful. That said, Google for
"system-owned shell cygwin".
> Thanks for any input to this
Just try what's already been suggested -- run the cron daemon as mqdisp
(if that's the only thing you're using cron for) by using the --user and
--passwd options to cygrunsrv.
|\ _,,,---,,_ email@example.com
ZZZzz /,`.-'`' -. ;-;;,_ firstname.lastname@example.org
|,4- ) )-,_. ,\ ( `'-' Igor Pechtchanski, Ph.D.
'---''(_/--' `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-. Meow!
"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster." -- Patrick Naughton
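
Added example, not part of the original message or of Cygwin itself: a small shell check that takes the MQSeries warning quoted above, extracts the SID and the entity name, and looks the SID up in a Cygwin-style passwd file to show which account each one belongs to. The passwd entries are constructed in the mkpasswd layout of the time, and the assignment of the quoted SID to mqdisp is an assumption; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the mkpasswd layout Cygwin used at the time:
# name:passwd:uid:gid:U-DOMAIN\user,SID:home:shell
# Assumption: the SID from the warning belongs to mqdisp.
SAMPLE_PASSWD='SYSTEM:*:18:544:,S-1-5-18::
Administrator:unused_by_nt/2000/xp:500:513:U-TEST1\Administrator,S-1-5-21-776561741-1935655697-1343024091-500:/home/Administrator:/bin/bash
mqdisp:unused_by_nt/2000/xp:1007:513:U-TEST1\mqdisp,S-1-5-21-776561741-1935655697-1343024091-1007:/home/mqdisp:/bin/bash'

# The warning text quoted in the thread.
SAMPLE_EVENT="Authorization failed as the SID 'S-1-5-21-776561741-1935655697-1343024091-1007' does not match the entity 'system'."

# event_field TEXT KEYWORD: print the quoted value that follows "KEYWORD '".
event_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2 '\([^']*\)'.*/\1/p"
}

# sid_owner SID PASSWD_TEXT: print the login name whose gecos field ends in SID.
sid_owner() {
    printf '%s\n' "$2" | awk -F: -v sid="$1" '
        { n = split($5, g, ","); if (g[n] == sid) { print $1; exit } }'
}

# diagnose EVENT PASSWD_TEXT: report whether the SID and the entity name agree.
diagnose() {
    sid=$(event_field "$1" SID)
    entity=$(event_field "$1" entity)
    owner=$(sid_owner "$sid" "$2")
    [ -n "$owner" ] || { echo "unknown-sid"; return 1; }
    # Windows account names are case-insensitive, so compare in lower case.
    if [ "$(echo "$owner" | tr 'A-Z' 'a-z')" = "$(echo "$entity" | tr 'A-Z' 'a-z')" ]; then
        echo "match:$owner"
    else
        echo "mismatch:sid=$owner,entity=$entity"
    fi
}

diagnose "$SAMPLE_EVENT" "$SAMPLE_PASSWD"
```

On a real host, pass the contents of /etc/passwd and the event text in place of the two sample variables.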