This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Why you can't load ws2_32.dll (was Re: Can't use key authentication on x64 Server 2003 R2)


On Jan 24 16:43, Gordon Messmer wrote:
> On 01/08/2010 06:59 AM, Corinna Vinschen wrote:
> >I can't reproduce this one, but I can reproduce the other problem
> >with pubkey authentication reported  in this thread:
> ...
> 
> I appreciate the time you took to explain this problem.  I've been
> working on it for a while, and still can't get it right.
> 
> >If you're running in a domain, then the account running the sshd service
> >must be a member of the domain as well.  Instead of creating a local
> >cyg_server account, you must create a domain account called cyg_server
> >with the specific rights required to create a user token, add it to the
> >/etc/passwd file of the machine on which you want to install sshd, and
> >*then* run ssh-host-config on that machine.
> 
> I've created a "cyg_server" account on my domain controller and
> added it to the password file using:
> 
> mkpasswd -d -u cyg_server >> /etc/passwd
> 
> First I tried granting the required permissions manually in the
> domain policy.  When that didn't work, I used "editrights" as in
> cygwin-service-installation-helper.sh to set the rights in the local
> policy.  As far as I can tell, I get identical results.
> 
> Rights during my most recent test were:
> 
> $ editrights.exe -l -u cyg_server
> SeAssignPrimaryTokenPrivilege
> SeCreateTokenPrivilege
> SeTcbPrivilege
> SeServiceLogonRight
> SeDenyRemoteInteractiveLogonRight

The cyg_server user is hopefully in the Administrators group...

Here's what I did.  I created cyg_server as admin account in the domain,
then I created a global policy which adds the cyg_server user to the
following user rights:

  Act as part of the operating system (SeTcbPrivilege)
  Create a token object               (SeCreateTokenPrivilege)
  Replace a process level token       (SeAssignPrimaryTokenPrivilege)

At last I made sure the global policy gets propagated to all domain
machines.  That's all.  From this time on I could use the domain
cyg_sever user on all my domain member machines, assuming I added it to
/etc/passwd before starting ssh-host-config.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]