This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Why you can't load ws2_32.dll (was Re: Can't use key authentication on x64 Server 2003 R2)


On 01/08/2010 06:59 AM, Corinna Vinschen wrote:
> I can't reproduce this one, but I can reproduce the other problem
> with pubkey authentication reported in this thread:
> ...

I appreciate the time you took to explain this problem. I've been working on it for a while, and still can't get it right.

> If you're running in a domain, then the account running the sshd service
> must be a member of the domain as well.  Instead of creating a local
> cyg_server account, you must create a domain account called cyg_server
> with the specific rights required to create a user token, add it to the
> /etc/passwd file of the machine on which you want to install sshd, and
> *then* run ssh-host-config on that machine.

I've created a "cyg_server" account on my domain controller and added it to the password file using:


mkpasswd -d -u cyg_server >> /etc/passwd

First I tried granting the required permissions manually in the domain policy. When that didn't work, I used "editrights" as in cygwin-service-installation-helper.sh to set the rights in the local policy. As far as I can tell, I get identical results.

Rights during my most recent test were:

$ editrights.exe -l -u cyg_server
SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeTcbPrivilege
SeServiceLogonRight
SeDenyRemoteInteractiveLogonRight

> If you did that, the ssh-host-config script will note that such an
> account exists in /etc/passwd and will offer to use that account for the
> sshd service.

Hopefully I did something as simple as adding the account to the password file incorrectly. When I run ssh-host-config, I get the following warning:


*** Warning: cyg_server is in /etc/passwd, but the local
*** Warning: machine's SAM does not know about cyg_server.
*** Warning: Perhaps cyg_server is a pre-existing domain account.
*** Warning: Continuing, but check if this is ok.

Regardless, I can use the account and sshd will run. When I log in with a password, I get a shell, but I see this warning:

1 [main] sshd 2724 spawn_guts: CreateWindowStation failed, Win32 error 5

If I log in with a key, the server just drops the connection. The (Linux) client reports:
Connection closed by 192.168.99.6


The server's event log indicates:

The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd: PID 6632: fatal: seteuid 11287: Permission denied.

The event viewer indicates that the user is DOMAIN\cyg_server, which is the same username that appears in the Local Security Settings admin tool.

Does anyone have any specific advice for using a domain member account (DOMAIN\cyg_server) to run sshd? Without that, it seems I can't run Cygwin 1.7's sshd with key authentication.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
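
The two preconditions from the quoted advice (one /etc/passwd entry for the service account, and the token-related rights) can be checked before running ssh-host-config. The script below is an added example, not part of the original message or of Cygwin's own scripts; the function names are hypothetical, and the expected rights are copied from the editrights listing in the message rather than from an authoritative list.

```shell
#!/bin/sh
# Added example: preflight check for the account that will run sshd.
# EXPECTED_RIGHTS is an assumption taken from the editrights listing in the
# message above (the deny-logon right is left out as it is a restriction).
EXPECTED_RIGHTS="SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege SeTcbPrivilege SeServiceLogonRight"

# missing_rights: read `editrights -l -u <user>` output on stdin and print
# every expected right that is absent, one per line. CRs are stripped first.
missing_rights() {
    held=$(tr -d '\r')
    for right in $EXPECTED_RIGHTS; do
        printf '%s\n' "$held" | grep -qx "$right" || printf '%s\n' "$right"
    done
}

# passwd_entries FILE USER: count lines whose login name (field 1) is exactly
# USER. 0 means missing; more than 1 means the entry was appended repeatedly.
passwd_entries() {
    awk -F: -v u="$2" '$1 == u { n++ } END { print n + 0 }' "$1"
}

# preflight USER PASSWD_FILE RIGHTS_FILE: return 0 only when there is exactly
# one passwd entry for USER and none of the expected rights is missing.
preflight() {
    rc=0
    n=$(passwd_entries "$2" "$1")
    if [ "$n" -ne 1 ]; then
        echo "passwd: expected 1 entry for $1, found $n"
        rc=1
    fi
    miss=$(missing_rights < "$3")
    if [ -n "$miss" ]; then
        echo "rights missing for $1:"
        echo "$miss"
        rc=1
    fi
    return $rc
}

# Typical use on the sshd host:
#   editrights -l -u cyg_server > /tmp/rights.txt
#   preflight cyg_server /etc/passwd /tmp/rights.txt
```

A clean result only confirms these two preconditions; it does not rule out the seteuid failure reported in the message.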

