This is the mail archive of the cygwin mailing list for the Cygwin project.



sshd in a domain


I need some help to get sshd working so that when I login using
public-key auth to my domain account (which has local administrator
privileges), it actually has the Administrator privs.

The platform is Windows XP Pro, joined to a domain.

C. Vinschen already kindly pointed me to the FAQ, here:
http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain

but I think I'm missing something about the setup, or done it wrong.

I created a domain account, we'll call it "cyg_server" for convenience.

I have a GPO that defines the "cyg_server" User Right Assignments so
that it can "Act as part of the operating system", "Act as part of the
operating system", and "Replace a process level token".  I also placed
cyg_server in the local Administrators group.

I've confirmed the GPO is applied successfully.  The cyg_server account
appears in the correct areas when I look at "gpedit.msc".

Where I think I'm failing is the setup for ssh-host-config.  I tried:

	ssh-host-config -u cyg_server -p 'password' --privileged

First, I'm warned that I don't need a privileged account because I'm not
running W2k3, Vista, etc.  (The FAQ specifically says to use a different
account, so this seems contradictory, yes?)

Also, I get:
*** Warning: Privileged account 'cyg_server' was specified,
*** Warning: but it does not have the necessary privileges.
*** Warning: Continuing, but will probably use a different account.
*** Warning: The specified account 'cyg_server' does not have the
*** Warning: required permissions or group memberships. This may
*** Warning: cause problems if not corrected; continuing...

It installed the service, but the service did not start, due to a login
failure.

I can login to the account using
	runas /user:domain\cyg_server cmd
just fine.  I'm sure the password I specified was correct.

I opened the Service configuration GUI, and just in case, I pasted the
password into the proper spot.  The GUI responded with (paraphrase)
	"cyg_server" has been granted the "Logon as a service" right.

The service then started successfully.  So, did I miss something, or
does that mean the FAQ should include "Logon as a service" in the needed
user rights?

In any case, although the service now starts successfully (running under
the cyg_server account), when I login via SSH (either password OR public
key), I do NOT have Administrator privileges; i.e. according to the 'id'
command, I'm not in group "544(Administrators)".  I'm not even in the
regular "Users" group!

Obviously I've done something wrong...  Help, please!

-- 
Robert Jacobson
#include std_disclaimer.h
