This is the mail archive of the cygwin mailing list for the Cygwin project.
Last week I loaded cygwin 1.5.19 on a new Windows 2003 Server (Standard Edition; service pack 1). When I ssh'd to this host, I had insufficient rights to "cd" to a network share. I was able to fix this, using Pierre A. Humblet's approach, by running the 'id -G' command at the console, and then adding my username to the "userlist" [4th field] in /etc/group for each group listed by 'id -G'.

See: http://cygwin.com/ml/cygwin/2005-07/msg01287.html

After the fix: in ssh, you could cd to the network share, and write to directories as expected. This fix worked fine, until..:

-- The Problem --

On Monday several compilers were loaded on this host (OurSrvr064); because of this, 4 new local groups were created. So, I updated /etc/group, by running 'mkgroup -ld', and subsequently re-doing Pierre's approach: adding the username ("staffuser2", a domain user) into the "userlist" [4th field] in /etc/group for each group listed by 'id -G'. Unfortunately this failed. Also, the ssh session showed one *additional* local group (gid 1008) for user staffuser2; additional w/r to the (non ssh session) Terminal Services bash session 'id -G' output. Also notable was that whoami showed "OurSrvr064\sshd_server" instead of "staffuser2". Please help me fix this again.

overview of problem, and attempt to fix:
{
$ cygcheck -s |egrep '^Runni'
Running in Terminal Service session
$ uname -a
CYGWIN_NT-5.2 OurSrvr064 1.5.19(0.150/4/2) 2006-01-20 13:28 i686 Cygwin
$ mkgroup -ld > /etc/group ;( mkpasswd -l; mkpasswd -d -u $(id -un) ) >/etc/passwd
$ grep $(id -un) /etc/passwd
staffuser2:unused_by_nt/2000/xp:15776:10513:staffuser2 tcm,U-DOMxx1\staffuser2,S-1-5-21-1390067357-1202660629-682003330-5776:/home/staffuser2:/bin/bash
$ --snip (exited and restarted bash in same Terminal Service session)
$ : we will be using Pierre's group listing program, that I named "_mygroups"
$ : to see the code, search ahead for "_mygroups.c"
$ : next I cat a script that will (eventually) show the problem
$ : ("OurServer108" below is a remote host)
$ cat /cygdrive/c/adm/ssh_test_my_rights00
#!/bin/bash -x

cd //OurServer108/tcm
id -G
id
:
whoami
/cygdrive/c/adm/_mygroups |grep 'use: 2'
:
/cygdrive/c/adm/_mygroups
$ : next, will run test script, it works just fine in a Terminal Service session:
$ /cygdrive/c/adm/ssh_test_my_rights00
+ cd //OurServer108/tcm
+ id -G
10513 544 545 1010 19858 19968 16025 16027 16024
+ id
uid=15776(staffuser2) gid=10513(Domain Users) groups=544(Administrators),545(Users),1010(Debugger Users),19858(ABC_NA-CTX-Notepad-A),19968(ABC_NA-DOMxx0-tcm-Users-A),10513(Domain Users),16025(XYZ_BLD_MGR),16027(XYZ_ES_STAFF),16024(XYZ_Users)
+ :
+ whoami
staffuser2
+ /cygdrive/c/adm/_mygroups
+ grep 'use: 2'
0: Domain Users, DOMxx1, use: 2 attribs: 7
11: XYZ_ES_STAFF, DOMxx1, use: 2 attribs: 7
12: XYZ_BLD_MGR, DOMxx1, use: 2 attribs: 7
13: ABC_NA-CTX-Notepad-A, DOMxx1, use: 2 attribs: 7
14: ABC_NA-DOMxx0-tcm-Users-A, DOMxx1, use: 2 attribs: 7
15: XYZ_Users, DOMxx1, use: 2 attribs: 7
+ :
+ /cygdrive/c/adm/_mygroups
0: Domain Users, DOMxx1, use: 2 attribs: 7
1: Everyone, , use: 5 attribs: 7
2: Debugger Users, OurSrvr064, use: 4 attribs: 7
3: Administrators, BUILTIN, use: 4 attribs: f
4: Users, BUILTIN, use: 4 attribs: 7
5: REMOTE INTERACTIVE LOGON, NT AUTHORITY, use: 5 attribs: 7
6: INTERACTIVE, NT AUTHORITY, use: 5 attribs: 7
7: Authenticated Users, NT AUTHORITY, use: 5 attribs: 7
8: This Organization, NT AUTHORITY, use: 5 attribs: 7
9: 5 0 4217733 attribs: c0000007
10: LOCAL, , use: 5 attribs: 7
11: XYZ_ES_STAFF, DOMxx1, use: 2 attribs: 7
12: XYZ_BLD_MGR, DOMxx1, use: 2 attribs: 7
13: ABC_NA-CTX-Notepad-A, DOMxx1, use: 2 attribs: 7
14: ABC_NA-DOMxx0-tcm-Users-A, DOMxx1, use: 2 attribs: 7
15: XYZ_Users, DOMxx1, use: 2 attribs: 7
16: ABC_NA-DL-CTX-Notepad Users-A, DOMxx1, use: 4 attribs: 20000007
17: CERTSVC_DCOM_ACCESS, DOMxx1, use: 4 attribs: 20000007
18: RILOE_SCM, DOMxx1, use: 4 attribs: 20000007
$
$ : so far so good, now try test in ssh, notice the 'cd' fails, notice 'whoami' and 'id -G' output
$ ssh localhost /cygdrive/c/adm/ssh_test_my_rights00
staffuser2@localhost's password:
+ cd //OurServer108/tcm
/cygdrive/c/adm/ssh_test_my_rights00: line 3: cd: //OurServer108/tcm: Permission denied
+ id -G
10513 544 545 1010 1008
+ id
uid=15776(staffuser2) gid=10513(Domain Users) groups=544(Administrators),545(Users),1010(Debugger Users),1008(OWS_2416084231_admin),10513(Domain Users)
+ :
+ whoami
OurSrvr064\sshd_server
+ /cygdrive/c/adm/_mygroups
+ grep 'use: 2'
5: Domain Users, DOMxx1, use: 2 attribs: 7
+ :
+ /cygdrive/c/adm/_mygroups
0: Everyone, , use: 5 attribs: 7
1: Authenticated Users, NT AUTHORITY, use: 5 attribs: 7
2: LOCAL, , use: 5 attribs: 7
3: SERVICE, NT AUTHORITY, use: 5 attribs: 7
4: 5 0 9916154 attribs: c0000007
5: Domain Users, DOMxx1, use: 2 attribs: 7
6: Administrators, BUILTIN, use: 4 attribs: 7
7: Users, BUILTIN, use: 4 attribs: 7
8: Debugger Users, OurSrvr064, use: 4 attribs: 7
9: OWS_2416084231_admin, OurSrvr064, use: 4 attribs: 7
$ --snip
$ : (edited /etc/group to add "staffuser2" to userlists [4th field] for groups that staffuser2 is in )
$ grep staffuser2 group
Administrators:S-1-5-32-544:544:staffuser2
Users:S-1-5-32-545:545:staffuser2
Debugger Users:S-1-5-21-1766903932-4289487963-3289224668-1010:1010:staffuser2
ABC_NA-CTX-Notepad-A:S-1-5-21-1390067357-1202660629-682003330-9858:19858:staffuser2
ABC_NA-DOMxx0-tcm-Users-A:S-1-5-21-1390067357-1202660629-682003330-9968:19968:staffuser2
Domain Users:S-1-5-21-1390067357-1202660629-682003330-513:10513:staffuser2
XYZ_BLD_MGR:S-1-5-21-1390067357-1202660629-682003330-6025:16025:staffuser2
XYZ_ES_STAFF:S-1-5-21-1390067357-1202660629-682003330-6027:16027:staffuser2
XYZ_Users:S-1-5-21-1390067357-1202660629-682003330-6024:16024:staffuser2
$ : Notice that next test fails again even though groups for staffuser2 more than match,
$ : the groups staffuser2 is in within a Term Service session (1008 is the extra local group).
$ ssh localhost /cygdrive/c/adm/ssh_test_my_rights00
staffuser2@localhost's password:
+ cd //OurServer108/tcm
/cygdrive/c/adm/ssh_test_my_rights00: line 3: cd: //OurServer108/tcm: Permission denied
+ id -G
10513 544 545 1010 1008 19858 19968 16025 16027 16024
+ id
uid=15776(staffuser2) gid=10513(Domain Users) groups=544(Administrators),545(Users),1010(Debugger Users),1008(OWS_2416084231_admin),19858(ABC_NA-CTX-Notepad-A),19968(ABC_NA-DOMxx0-tcm-Users-A),10513(Domain Users),16025(XYZ_BLD_MGR),16027(XYZ_ES_STAFF),16024(XYZ_Users)
+ :
+ whoami
OurSrvr064\sshd_server
+ /cygdrive/c/adm/_mygroups
+ grep 'use: 2'
8: ABC_NA-CTX-Notepad-A, DOMxx1, use: 2 attribs: 7
9: ABC_NA-DOMxx0-tcm-Users-A, DOMxx1, use: 2 attribs: 7
10: Domain Users, DOMxx1, use: 2 attribs: 7
11: XYZ_BLD_MGR, DOMxx1, use: 2 attribs: 7
12: XYZ_ES_STAFF, DOMxx1, use: 2 attribs: 7
13: XYZ_Users, DOMxx1, use: 2 attribs: 7
+ :
+ /cygdrive/c/adm/_mygroups
0: Everyone, , use: 5 attribs: 7
1: Authenticated Users, NT AUTHORITY, use: 5 attribs: 7
2: LOCAL, , use: 5 attribs: 7
3: SERVICE, NT AUTHORITY, use: 5 attribs: 7
4: 5 0 9916154 attribs: c0000007
5: Administrators, BUILTIN, use: 4 attribs: 7
6: Users, BUILTIN, use: 4 attribs: 7
7: Debugger Users, OurSrvr064, use: 4 attribs: 7
8: ABC_NA-CTX-Notepad-A, DOMxx1, use: 2 attribs: 7
9: ABC_NA-DOMxx0-tcm-Users-A, DOMxx1, use: 2 attribs: 7
10: Domain Users, DOMxx1, use: 2 attribs: 7
11: XYZ_BLD_MGR, DOMxx1, use: 2 attribs: 7
12: XYZ_ES_STAFF, DOMxx1, use: 2 attribs: 7
13: XYZ_Users, DOMxx1, use: 2 attribs: 7
14: OWS_2416084231_admin, OurSrvr064, use: 4 attribs: 7
$ :
$ grep :1008: /etc/group
OWS_2416084231_admin:S-1-5-21-1766903932-4289487963-3289224668-1008:1008:
end overview of problem, and attempt to fix
}

-- The new local groups, and their members; these groups were added on Monday --
{
C:\>net localgroup IIS_WPG
Alias name IIS_WPG
Comment IIS Worker Process Group
Members
-------------------------------------------------------------------------------
IWAM_OurSrvr064
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SERVICE
NT AUTHORITY\SYSTEM
The command completed successfully.

C:\>net localgroup OWS_2416084231_admin
Alias name OWS_2416084231_admin
Comment Microsoft SharePoint role 'admin' for web 'http://OurSrvr064'
Members
-------------------------------------------------------------------------------
Administrators
The command completed successfully.

C:\>net localgroup "Debugger Users"
Alias name Debugger Users
Comment Debugger Users are non administrators who are allowed to use Visual Studio to debug processes, both locally and remotely. Only trusted users should be added to this group
Members
-------------------------------------------------------------------------------
DOMxx1\staffuser2
IWAM_OurSrvr064
NT AUTHORITY\SYSTEM
The command completed successfully.

C:\>net localgroup "VS Developers"
Alias name VS Developers
Comment Visual Studio developers can author web sites on this computer
Members
-------------------------------------------------------------------------------
The command completed successfully.
end The new local groups added today
}

-- background --

This host is in a large Active Directory Domain, with thousands of users; our /etc/group file has over 2500 lines. Our AD domain and forest has a mixture of global and domain local groups. This host is used as a software 'build engine', i.e. windows software is compiled there.

--
thanks,
Tom Rodman
--
Attachment:
cygcheck.out
Description: cygcheck -s -v -r
-- Pierre's group listing program
{
$ ls -l /cygdrive/c/adm/_mygroups.*
-rw-r--r-- 1 staffuser2 XYZ_ES_STAFF 1030 Jan 31 06:54 /cygdrive/c/adm/_mygroups.c
-rwxrwxr-x 1 staffuser2 XYZ_ES_STAFF 12510 Jan 31 06:53 /cygdrive/c/adm/_mygroups.exe*
$ cat /cygdrive/c/adm/_mygroups.c
/* we'll be using Pierre's group listing program.. */
#include <windows.h>
#include <stdio.h>

int main(void)
{
  HANDLE token;
  /* Fixed-size buffer: GetTokenInformation fails with
     ERROR_INSUFFICIENT_BUFFER if the token's group list does not fit. */
  char buffer[1000];
  DWORD size;
  PTOKEN_GROUPS ptr = (PTOKEN_GROUPS) buffer;

  /* Read the group SIDs from the access token of the current process. */
  if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token)
      && GetTokenInformation(token, TokenGroups, buffer, sizeof(buffer), &size)) {
    DWORD i;
    for (i = 0; i < ptr->GroupCount; i++) {
      SID_NAME_USE use;
      char name[100], domain[100];
      DWORD namelen = sizeof(name), domlen = sizeof(domain);

      printf("%lu: ", (unsigned long) i);
      /* Resolve the SID to "name, domain" plus its SID_NAME_USE type. */
      if (LookupAccountSid(NULL, ptr->Groups[i].Sid, name, &namelen,
                           domain, &domlen, &use))
        printf("%s, %s, use: %x ", name, domain, (unsigned int) use);
      else {
        /* No name available (e.g. the logon SID): print the subauthorities. */
        DWORD j;
        for (j = 0; j < *GetSidSubAuthorityCount(ptr->Groups[i].Sid); j++)
          printf("%lu ", (unsigned long) *GetSidSubAuthority(ptr->Groups[i].Sid, j));
      }
      printf("attribs: %lx\n", (unsigned long) ptr->Groups[i].Attributes);
    }
  } else
    printf("Windows error %lu\n", (unsigned long) GetLastError());
  return 0;
}
end Pierre's group listing program
}

-- Monday morning everything was fine.
Later that day this software was loaded on OurSrvr064
{
High-performance Embedded Workshop Updater
InstallShield X Standalone staffuser2
J2SE Development Kit 5.0 Update 2
J2SE Runtime Environment 5.0 Update 2
Java 2 Runtime Environment Standard Edition v1.3.1_10
Java 2 Runtime Environment, SE v1.4.1_07
Java 2 Runtime Environment, SE v1.4.2_10
Java 2 SDK Standard Edition v1.3.1_10
Java 2 SDK, SE v1.4.1_07
Java 2 SDK, SE v1.4.2_10
Java Web Start
--snip
MSXML 4.0 SP2 Parser and SDK
Microsoft FrontPage Client - English
Microsoft Learning - Software Updates
Microsoft Office Professional Edition 2003
Microsoft SOAP Toolkit 3.0
Microsoft SQL Server 2000
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Visual Studio .NET Enterprise Architect 2003 - English
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Web Publishing Wizard 1.53
Microsoft Windows CE Platform Manager 4.0
Microsoft eMbedded Visual C++ 4.0
MyODBC
Renesas AutoUpdate Utility
Visual Studio .NET Enterprise Architect 2003 - English
Visual Studio.NET Baseline - English
WinZip
WinZip Command Line Support Add-On
WinZip Self-Extractor
Windows CE .NET Utilities for Visual Studio .NET 2003 v1.1
eMbedded Visual C++ 4.0 SP2
eMbedded Visual C++ 4.0 SP4
end loaded on Monday on OurSrvr064
}
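
The /etc/group edit described in the message above (add the user to the "userlist", 4th field, of each group reported by 'id -G'), written as a repeatable script. This is an added example, not part of the original post or of Cygwin; the function names, the sample group lines (with a placeholder domain SID) and the gid 9999 are assumptions made for illustration.

```shell
#!/bin/sh
# add_user_to_groups USER GROUP_FILE GID...
# Added example: prints GROUP_FILE with USER appended to the userlist (4th
# field) of every entry whose gid (3rd field) is listed, e.g. from 'id -G'.
# The input file itself is left untouched.
add_user_to_groups() {
    user=$1 file=$2
    shift 2
    awk -F: -v OFS=: -v user="$user" -v gids="$*" '
        BEGIN {
            n = split(gids, g, " ")
            for (i = 1; i <= n; i++) want[g[i]] = 1
        }
        NF >= 3 && ($3 in want) {
            seen[$3] = 1
            present = 0
            m = split($4, members, ",")
            for (i = 1; i <= m; i++) if (members[i] == user) present = 1
            # Append only when missing, so a re-run changes nothing.
            if (!present) $4 = ($4 == "" ? user : $4 "," user)
        }
        { print }
        END {
            # A gid without a group line cannot be patched; report it.
            for (gid in want) {
                if (!(gid in seen)) print ("warning: gid " gid " has no entry in the group file") > "/dev/stderr"
            }
        }
    ' "$file"
}

# Constructed sample in mkgroup layout (name:SID:gid:userlist); the domain
# SID on the third line is a placeholder.
sample_group_file() {
    cat <<'EOF'
Administrators:S-1-5-32-544:544:
Users:S-1-5-32-545:545:otheruser
Debugger Users:S-1-5-21-0-0-0-1010:1010:staffuser2
Guests:S-1-5-32-546:546:
EOF
}

tmp=$(mktemp)
sample_group_file > "$tmp"
# 9999 stands in for a gid reported by 'id -G' that has no group line.
add_user_to_groups staffuser2 "$tmp" 544 545 1010 9999
rm -f "$tmp"
```

Review the output with diff against the current /etc/group before replacing the file; the warning on stderr flags any gid in the session that the group file does not describe.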