This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Antwort: Re: Cygwin/OpenSSH authentication without applying group policies...
Hello,
> On Oct 21 08:39, Carsten.Porzler@spb.de wrote:
> > Dear Cygwin community,
> >
> > we are just having problems with some locations connect over WAN lines
> > with only little bandwith.
> >
> > The logon process against a Win2003 AD domain controller takes much
time
> > (>50s). After some analysis we found out that there is much traffic
> > between the SSH server and the domain controller over ip port 1026
(CAP,
> > used for applying/downloading the Win2003 group policies).
> >
> > During a SSH logon it is not necessary to apply all group policies.
> > Instead it would be OK, if the user would just be authenticated and
get
> > his group memberships.
>
> That's not correct, unfortunately. To construct a user token you must
> know what user rights the user has since they are part of the token.
> Cygwin itself does not ask for group policies and that stuff, it really
> only requests information about the user rights of the user logging in.
> Cygwin has no control about the information flow underneath the Win32
> functions used to request this information. A couple of months ago we
> already had a discussion on this list about the login process being
> slow. The reason was an unnecessary loop asking for group membership,
> but that should be fixed for a long time.
>
That correct in principle, what you say. The problem with the loops was
solved some months ago.
> > Is it possible to deactivate applying the group policies during the
SSH
> > logon process or to reconfigure the SSH service so that we can use
LDAP
> > authentication instead of standard Win2003 authentication.
>
>
> First of all, we can't support LDAP directly from ssh since that doesn't
> allow us to create a user token. What exactly is done depends on the
> method used for creating the token. You didn't tell us if you're using
> password authentication or pubkey authentication. With password
> authentication it's entirely up to the Win32 call LogonUser() to create
> that token and to manage that connection. Using pubkey authentication
> you have three choices described in the user's guide. Maybe one of them
> helps, see
> http://cygwin.com/1.7/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
>
>
My decripted problem occurs with password and public key (without saved
password) authentication.
I just asked the question because we see during network tracing that the
group policies are transferred to the client.
Other logon processes (e.g. mounting a network drive with another user
than the logged on one) do not transfer the group policies. Is the call
LogonUser() really the right one, we use for the login procedure?
Thanks in advance and
best regards
Carsten Porzler
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple