This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: group"S-1-2-0"(users who login locally)in ssh;windows 2003


On Wed 8/16/06 23:11 +0200 cygwin@cygwin.com wrote:
> On Aug 16 15:49, Tom Rodman wrote:
> > On Wed 8/16/06 14:44 CDT mwoehlke wrote:
> > > Tom Rodman wrote:
> > > > Hosts affected:
> > > > 
> > > >   several boxes running windows 2003 server w/cygwin (1.5.20s(0.155/4/2) 20060403 13:33:45)
> > > > 
> > > > Problem (or feature?): 
> > > > 
> > > >   when you ssh to these boxes, and run:
> > > > 
> > > >     $WINDIR/system32/whoami /all |grep -q S-1-2-0 || echo OOPs # "OOPS" echos :-<
> > > > 
> > > >     "S-1-2-0" == "Users who log on to terminals locally (physically) connected to the system."
> > > > [...]
> > > FWIW, on my 2k3 box, I show up as a member in S-1-2-0 both logged in 
> > > "locally" (via Remote Desktop Sharing, with which I have never had 
> > > anything "not work") and via Cygwin sshd. 
--snip
> Maybe there's a difference between password and pubkey authentication?

We're using password authentication.

> Or it's some security setting?  I could easily imagine there's a switch
> in "local Security Settings" or "Domain Security Settings" which drops
> the LOCAL group from the token.  

In Windows, I ran secpol.msc and browsed through it looking for something
obvious; nothing jumped out at me.

These boxes are in a large corporate domain, and they do change, and
"push down" domain policies from time to time (often without telling us).

> There's a lot of mysterious stuff in 2K3...
> 
> Whatever it is, it must be something related to 2K3.  Cygwin doesn't
> differ the different OSes in terms of authentication.  I also have the
> LOCAL group as part of my user token on 2K3.

thx for checking, and letting me know

> Temporary Workaround:  Add the user to the local group by adding them to
> a manually created entry in /etc/group:
> 
>   local:S-1-2-0:2:user1,user2,...

Tried that... no joy, take a look:
--v-v------------------C-U-T---H-E-R-E-------------------------v-v-- 
  $ $WINDIR/system32/whoami /all #we're in an ssh session before edits made to /etc/group
  
  USER INFORMATION
  ----------------
  
  User Name  SID
  ========== =============================================
  DOMxx1\adm_usr1 S-1-5-21-1390067357-1202660629-682003330-5774
  
  
  GROUP INFORMATION
  -----------------
  
  Group Name                       Type             SID                                            Attributes
  ================================ ================ ============================================== ===============================================================
  Everyone                         Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
  BUILTIN\Users                    Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
  BUILTIN\Administrators           Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group, Group owner
  NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
  NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
  NT AUTHORITY\This Organization   Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
  DOMxx1\XYZ_ES_ADMIN                  Group            S-1-5-21-1390067357-1202660629-682003330-6026  Mandatory group, Enabled by default, Enabled group
  DOMxx1\XYZ_ES_STAFF                  Group            S-1-5-21-1390067357-1202660629-682003330-6027  Mandatory group, Enabled by default, Enabled group
  DOMxx1\XYZ_BLD_MGR                   Group            S-1-5-21-1390067357-1202660629-682003330-6025  Mandatory group, Enabled by default, Enabled group
  DOMxx1\ABC_NA-CTX-Notepad-A            Group            S-1-5-21-1390067357-1202660629-682003330-9858  Mandatory group, Enabled by default, Enabled group
  DOMxx1\ABC_NA-DOMxx0-tcm-Users-A          Group            S-1-5-21-1390067357-1202660629-682003330-9968  Mandatory group, Enabled by default, Enabled group
  DOMxx1\XYZ_Users                     Group            S-1-5-21-1390067357-1202660629-682003330-6024  Mandatory group, Enabled by default, Enabled group
  DOMxx1\ABC_NA-DL-CTX-Notepad Users-A   Alias            S-1-5-21-1390067357-1202660629-682003330-9857  Mandatory group, Enabled by default, Enabled group
  DOMxx1\CERTSVC_DCOM_ACCESS           Alias            S-1-5-21-1390067357-1202660629-682003330-46949 Mandatory group, Enabled by default, Enabled group, Local Group
  DOMxx1\RILOE_SCM                     Alias            S-1-5-21-1390067357-1202660629-682003330-1339  Mandatory group, Enabled by default, Enabled group, Local Group
  DOMxx1\C200-DL-APP-SCMUsers          Alias            S-1-5-21-1390067357-1202660629-682003330-55557 Mandatory group, Enabled by default, Enabled group, Local Group
  
  
  PRIVILEGES INFORMATION
  ----------------------
  
  Privilege Name                  Description                               State
  =============================== ========================================= ========
  SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
  SeSecurityPrivilege             Manage auditing and security log          Disabled
  SeBackupPrivilege               Back up files and directories             Disabled
  SeRestorePrivilege              Restore files and directories             Disabled
  SeSystemtimePrivilege           Change the system time                    Disabled
  SeShutdownPrivilege             Shut down the system                      Disabled
  SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
  SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
  SeDebugPrivilege                Debug programs                            Disabled
  SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
  SeSystemProfilePrivilege        Profile system performance                Disabled
  SeProfileSingleProcessPrivilege Profile single process                    Disabled
  SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
  SeLoadDriverPrivilege           Load and unload device drivers            Disabled
  SeCreatePagefilePrivilege       Create a pagefile                         Disabled
  SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
  SeUndockPrivilege               Remove computer from docking station      Disabled
  SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
  SeImpersonatePrivilege          Impersonate a client after authentication Enabled
  SeCreateGlobalPrivilege         Create global objects                     Enabled
  $ grep S-1-2-0 /etc/group
  $ echo local:S-1-2-0:2:adm_usr1 >> /etc/group
  $ wc -l /etc/group
  2691 /etc/group
  $ exit
  logout
  Connection to OurSrvr065 closed.
  [16:02:33 Thu Aug 17 0j 36 2354 ~/Mail]
  [localhost rodmant]$ ssh OurSrvr065 -l adm_usr1 #~adm_usr1 is on a remote share
  adm_usr1@OurSrvr065's password:
  Last login: Thu Aug 17 15:58:07 2006 from 10.165.10.182
  Welcome to ITZG compile engine ..
  Could not chdir to home directory /user/adm_usr1: Permission denied
  -bash: /etc/profile: Permission denied
  -bash: /user/adm_usr1/.bash_profile: Permission denied
  -bash-3.00$ $WINDIR/system32/whoami /all #notice whoami shows wrong user name:
  
  USER INFORMATION
  ----------------
  
  User Name             SID
  ===================== =============================================
  OurSrvr065\sshd_server S-1-5-21-1390067357-1202660629-682003330-5774
  
  
  GROUP INFORMATION
  -----------------
  
  Group Name                       Type             SID                                           Attributes
  ================================ ================ ============================================= ==================================================
  Everyone                         Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
  NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
  LOCAL                            Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
  NT AUTHORITY\SERVICE             Well-known group S-1-5-6                                       Mandatory group, Enabled by default, Enabled group
  DOMxx1\ABC_NA-CTX-Notepad-A            Group            S-1-5-21-1390067357-1202660629-682003330-9858 Mandatory group, Enabled by default, Enabled group
  DOMxx1\ABC_NA-DOMxx0-tcm-Users-A          Group            S-1-5-21-1390067357-1202660629-682003330-9968 Mandatory group, Enabled by default, Enabled group
  DOMxx1\XYZ_BLD_MGR                   Group            S-1-5-21-1390067357-1202660629-682003330-6025 Mandatory group, Enabled by default, Enabled group
  DOMxx1\XYZ_ES_ADMIN                  Group            S-1-5-21-1390067357-1202660629-682003330-6026 Mandatory group, Enabled by default, Enabled group
  DOMxx1\XYZ_ES_STAFF                  Group            S-1-5-21-1390067357-1202660629-682003330-6027 Mandatory group, Enabled by default, Enabled group
  DOMxx1\XYZ_Users                     Group            S-1-5-21-1390067357-1202660629-682003330-6024 Mandatory group, Enabled by default, Enabled group
  BUILTIN\Administrators           Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group
  BUILTIN\Users                    Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
  
  
  PRIVILEGES INFORMATION
  ----------------------
  
  Privilege Name                  Description                               State
  =============================== ========================================= =======
  SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
  SeImpersonatePrivilege          Impersonate a client after authentication Enabled
  SeCreateGlobalPrivilege         Create global objects                     Enabled
  SeSecurityPrivilege             Manage auditing and security log          Enabled
  SeBackupPrivilege               Back up files and directories             Enabled
  SeRestorePrivilege              Restore files and directories             Enabled
  SeSystemtimePrivilege           Change the system time                    Enabled
  SeShutdownPrivilege             Shut down the system                      Enabled
  SeRemoteShutdownPrivilege       Force shutdown from a remote system       Enabled
  SeTakeOwnershipPrivilege        Take ownership of files or other objects  Enabled
  SeDebugPrivilege                Debug programs                            Enabled
  SeSystemEnvironmentPrivilege    Modify firmware environment values        Enabled
  SeSystemProfilePrivilege        Profile system performance                Enabled
  SeProfileSingleProcessPrivilege Profile single process                    Enabled
  SeIncreaseBasePriorityPrivilege Increase scheduling priority              Enabled
  SeLoadDriverPrivilege           Load and unload device drivers            Enabled
  SeCreatePagefilePrivilege       Create a pagefile                         Enabled
  SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Enabled
  SeUndockPrivilege               Remove computer from docking station      Enabled
  SeManageVolumePrivilege         Perform volume maintenance tasks          Enabled
  -bash-3.00$

> Corinna
> 
> -- 
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Project Co-Leader          cygwin AT cygwin DOT com
> Red Hat
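As an added example (not code from this thread or from the Cygwin project): a small Python parser for `whoami /all` output that does the check Tom is doing by hand, `whoami /all | grep -q S-1-2-0`, and then compares the two session tokens in the transcript above. The sample text is trimmed from the two outputs in this message (rows removed, names and SIDs as posted, so it is constructed test data); the function names and the three things it reports (LOCAL missing or present, the same SID reported under a different user name, privileges that became enabled) are my own choices. It anchors on the SID pattern rather than fixed column widths because the anonymized DOMxx1 rows above are wider than the column header and width-based splitting truncates their SIDs.

```python
import re
from dataclasses import dataclass, field

# Sample input: two `whoami /all` outputs from the session transcript in this
# message, trimmed to a few rows (constructed test data, not a live capture).
BEFORE_TEXT = r"""
USER INFORMATION
User Name  SID
========== =============================================
DOMxx1\adm_usr1 S-1-5-21-1390067357-1202660629-682003330-5774

GROUP INFORMATION
Group Name                       Type             SID                                            Attributes
================================ ================ ============================================== ==================
Everyone                         Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
DOMxx1\XYZ_ES_ADMIN                  Group            S-1-5-21-1390067357-1202660629-682003330-6026  Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
Privilege Name                  Description                               State
=============================== ========================================= ========
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeDebugPrivilege                Debug programs                            Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
"""

AFTER_TEXT = r"""
USER INFORMATION
User Name             SID
===================== =============================================
OurSrvr065\sshd_server S-1-5-21-1390067357-1202660629-682003330-5774

GROUP INFORMATION
Group Name                       Type             SID                                           Attributes
================================ ================ ============================================= ==================
LOCAL                            Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE             Well-known group S-1-5-6                                       Mandatory group, Enabled by default, Enabled group
DOMxx1\XYZ_ES_ADMIN                  Group            S-1-5-21-1390067357-1202660629-682003330-6026 Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
Privilege Name                  Description                               State
=============================== ========================================= =======
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeDebugPrivilege                Debug programs                            Enabled
"""

SID_RE = r"S-1-\d+(?:-\d+)*"
# Anchor on the SID pattern, not on fixed column widths: the anonymized DOMxx1
# rows are wider than the header, so width-based splitting would truncate them.
USER_RE = re.compile(rf"^(?P<name>.+?)\s+(?P<sid>{SID_RE})\s*$")
GROUP_RE = re.compile(rf"^(?P<name>.+?)\s{{2,}}(?P<kind>.+?)\s+(?P<sid>{SID_RE})\s*(?P<attrs>.*)$")
PRIV_RE = re.compile(r"^(?P<name>Se\w+Privilege)\s+.+?\s+(?P<state>Enabled|Disabled)\s*$")
LOCAL_SID = "S-1-2-0"  # the LOCAL well-known group this thread is about

@dataclass
class Token:
    user_name: str = ""
    user_sid: str = ""
    groups: dict = field(default_factory=dict)      # sid -> (name, kind, attrs)
    privileges: dict = field(default_factory=dict)  # name -> "Enabled" / "Disabled"

    def enabled_privileges(self):
        return sorted(n for n, s in self.privileges.items() if s == "Enabled")

def parse_whoami_all(text):
    """Parse the USER / GROUP / PRIVILEGES sections of `whoami /all` into a Token."""
    token, section = Token(), None
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith(" INFORMATION"):       # section header
            section = line.split()[0]
        elif section == "USER" and (m := USER_RE.match(line)):
            token.user_name, token.user_sid = m["name"], m["sid"]
        elif section == "GROUP" and (m := GROUP_RE.match(line)):
            attrs = tuple(a.strip() for a in m["attrs"].split(",") if a.strip())
            token.groups[m["sid"]] = (m["name"], m["kind"], attrs)
        elif section == "PRIVILEGES" and (m := PRIV_RE.match(line)):
            token.privileges[m["name"]] = m["state"]
    return token  # column headers, separators and blank lines match nothing and are skipped

def has_local_group(token):
    """Same test as `whoami /all | grep -q S-1-2-0`, on the parsed group list."""
    return LOCAL_SID in token.groups

def audit_session(before, after):
    """Compare two session tokens and report the differences worth noticing."""
    findings = []
    if not has_local_group(before):
        findings.append("before: LOCAL (S-1-2-0) missing from token")
    if has_local_group(after):
        findings.append("after: LOCAL (S-1-2-0) present")
    if before.user_sid == after.user_sid and before.user_name != after.user_name:
        findings.append(f"identity mismatch: SID {after.user_sid} reported as "
                        f"{before.user_name} then as {after.user_name}")
    gained = sorted(set(after.enabled_privileges()) - set(before.enabled_privileges()))
    if gained:
        findings.append("privileges newly enabled: " + ", ".join(gained))
    return findings

if __name__ == "__main__":
    for finding in audit_session(parse_whoami_all(BEFORE_TEXT), parse_whoami_all(AFTER_TEXT)):
        print(finding)
```

Run against the two samples it reports all four findings: LOCAL absent in the first session, present in the second, the same user SID reported as DOMxx1\adm_usr1 and then as OurSrvr065\sshd_server, and SeDebugPrivilege going from Disabled to Enabled. On a real box you would feed it `$WINDIR/system32/whoami /all` output captured at two points in time; the identity and privilege checks are the ones worth alerting on, since a login that lands in a token with a different name and a wider privilege set than the user's own is exactly what the transcript above shows.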

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

