This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Why you can't load ws2_32.dll (was Re: Can't use key authentication on x64 Server 2003 R2)


2010/1/25 Corinna Vinschen:
> On Jan 24 16:43, Gordon Messmer wrote:
>> On 01/08/2010 06:59 AM, Corinna Vinschen wrote:
>> >I can't reproduce this one, but I can reproduce the other problem
>> >with pubkey authentication reported ?in this thread:
>> ...
>>
>> I appreciate the time you took to explain this problem. ?I've been
>> working on it for a while, and still can't get it right.
>>
>> >If you're running in a domain, then the account running the sshd service
>> >must be a member of the domain as well. ?Instead of creating a local
>> >cyg_server account, you must create a domain account called cyg_server
>> >with the specific rights required to create a user token, add it to the
>> >/etc/passwd file of the machine on which you want to install sshd, and
>> >*then* run ssh-host-config on that machine.
>>
>> I've created a "cyg_server" account on my domain controller and
>> added it to the password file using:
>>
>> mkpasswd -d -u cyg_server >> /etc/passwd
>>
>> First I tried granting the required permissions manually in the
>> domain policy. ?When that didn't work, I used "editrights" as in
>> cygwin-service-installation-helper.sh to set the rights in the local
>> policy. ?As far as I can tell, I get identical results.
>>
>> Rights during my most recent test were:
>>
>> $ editrights.exe -l -u cyg_server
>> SeAssignPrimaryTokenPrivilege
>> SeCreateTokenPrivilege
>> SeTcbPrivilege
>> SeServiceLogonRight
>> SeDenyRemoteInteractiveLogonRight
>
> The cyg_server user is hopefully in the Administrators group...
>
> Here's what I did. ?I created cyg_server as admin account in the domain,
> then I created a global policy which adds the cyg_server user to the
> following user rights:
>
> ?Act as part of the operating system (SeTcbPrivilege)
> ?Create a token object ? ? ? ? ? ? ? (SeCreateTokenPrivilege)
> ?Replace a process level token ? ? ? (SeAssignPrimaryTokenPrivilege)
>
> At last I made sure the global policy gets propagated to all domain
> machines. ?That's all. ?From this time on I could use the domain
> cyg_sever user on all my domain member machines, assuming I added it to
> /etc/passwd before starting ssh-host-config.

Can we add this to the FAQ please.

How to setup sshd for mixed local/domain accounts?
...
-- 
Reini Urban
http://phpwiki.org/           http://murbreak.at/

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]