This is the mail archive of the cygwin mailing list for the Cygwin project.


RE: Unable to run sshd under a domain sshd_server account [SOLVED]

> -----Original Message-----
> From: Schutter, Thomas A.
> Sent: Monday, May 12, 2008 9:52 AM
> To: ''
> Subject: Unable to run sshd under a domain sshd_server account
> I am having problems setting up sshd to run under a domain sshd_server
> account instead of a local sshd_server account.
> Why do I want to do that?  Because in the default install, starting a
> cygwin shell from the console gives me a much different environment and
> permissions than if I start a cygwin shell via ssh.  For example, from
> a console shell on the Windows 2003 Server:
>   $ echo $USER
>   tschutter
>   $ echo $USERNAME
>   tschutter
>   $ echo $HOSTNAME
>   fdsvbld01sgrape
>   $ echo $USERDOMAIN
>   $ id
>   uid=18718(tschutter) gid=10513(Domain Users) groups=544(Administrators),545(Users),10513(Domain Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)
>   $ ls //other/f$
>   Data          RECYCLER        System\ Volume\ Information
> But when I login via ssh:
>   $ echo $USER
>   tschutter
>   $ echo $USERNAME
>   sshd_server
>   $ echo $HOSTNAME
>   fdsvbld01sgrape
>   $ echo $USERDOMAIN
>   $ id
>   uid=18718(tschutter) gid=10513(Domain Users) groups=545(Users),10513(Domain Users)
>   $ ls //other/f$
>   ls: cannot access //other/f$: Permission denied
> The sshd server was setup using "ssh-host-config --yes". So it appears
> that when I login via ssh, I am logged in as a local user, not a
> user.  Also, when logged in via ssh, I am not in the Administrators,
> FDSV-GG-PrxBLD, and FDSV-GG-PrxPCAdmins groups.  As a side note, I
> would think that USERNAME being set to sshd_server is a bug.
> It appears that the solution is to create a domain sshd_server account
> and run sshd as that user.  So I created a domain account called
> "sa-prx-sshdsrvr".  I gave this account the required rights:
>   $ editrights -a SeCreateTokenPrivilege -u fdsv-sa-prx-sshdsrvr
>   $ editrights -a SeTcbPrivilege -u fdsv-sa-prx-sshdsrvr
>   $ editrights -a SeDenyInteractiveLogonRight -u fdsv-sa-prx-sshdsrvr
>   $ editrights -a SeDenyNetworkLogonRight -u fdsv-sa-prx-sshdsrvr
>   $ editrights -a SeDenyRemoteInteractiveLogonRight -u fdsv-sa-prx-sshdsrvr
>   $ editrights -a SeIncreaseQuotaPrivilege -u fdsv-sa-prx-sshdsrvr
>   $ editrights -a SeServiceLogonRight -u fdsv-sa-prx-sshdsrvr
> I added fdsv-sa-prx-sshdsrvr to the local "Administrators" group.
> I changed the ownership of the /etc/ssh files and /var/empty:
>   $ chown fdsv-sa-prx-sshdsrvr /etc/ssh* /var/empty
> I changed the log on account for the "CYGWIN sshd" service to the
> sa-prx-sshdsrvr account.
> I then tried to start the service:
>   $ net start sshd
>   The CYGWIN sshd service is starting.
>   The CYGWIN sshd service could not be started.
>   The service did not report an error.
>   More help is available by typing NET HELPMSG 3534.
> The application event log has this error message:
>   The description for Event ID ( 0 ) in Source ( sshd ) cannot be
> found. The local computer may not have the necessary registry
> information or message DLL files to display messages from a remote
> computer. You may be able to use the /AUXSOURCE= flag to retrieve this
> description; see Help and Support for details. The following
> information is part of the event: sshd: PID 2068: service `sshd'
> failed: signal 11 raised.
> I have attached the output from "cygcheck -s -v -r" as grape-cygcheck.out.
> So where do I go from here?  What am I missing?

First, I am sorry that I broke the original thread.  I was not
subscribed to the list when I made the first post, so I was unable to
reply to that thread.

I solved the problem.  I had missed the /var/log files when changing
ownership to the new domain sshd_server account.  The chown command
above should be:
  chown fdsv-sa-prx-sshdsrvr /etc/ssh* /var/empty /var/log/lastlog

Now the sshd server starts, and when I login my id is correct, and I can
view shares:
  $ echo $USERDOMAIN
  $ id
  uid=18718(tschutter) gid=10513(Domain Users)
  $ ls //other/f$
  Data          RECYCLER        System\ Volume\ Information

Note that my USERNAME is still wrong:
  $ echo $USERNAME

Although this method of creating and using a domain sshd_server account
is not one of the recommended workarounds, it appears to work.

In the other thread, Larry Hall pointed me to the FAQ.  One of the
suggestions was to "provide your password to a net use command".  I was
unable to make that work, because "net use" never asks for my password:
  $ net use \\other\f$
  System error 67 has occurred.

  The network name cannot be found.

As Larry Hall pointed out in the other thread, the cyglsa dll should
solve this problem and I look forward to trying it out when 1.7.x is
available.  I am not ready to jump to snapshots at this time.

Tom Schutter
First American - Proxix Solutions
(512) 977-6822
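A preflight check for the service-account setup described in this thread, added here as an example and not part of the original message. It verifies the two things that went wrong above, file ownership (including /var/log/lastlog, the file missed the first time) and the rights granted with editrights. It assumes Cygwin's editrights is on PATH and that "editrights -l -u ACCOUNT" lists that account's rights; the ownership check is plain POSIX sh and runs on any host.

```shell
# Rights the thread grants to the sshd service account (the SeDeny* rights
# restrict logon and are deliberately not checked here).
SSHD_REQUIRED_RIGHTS="SeCreateTokenPrivilege SeTcbPrivilege SeIncreaseQuotaPrivilege SeServiceLogonRight"

# owner_of PATH: print the owning user of PATH (taken from ls, not GNU stat, for portability).
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# check_owner ACCOUNT PATH...: return 0 if every PATH exists and is owned by ACCOUNT,
# 1 otherwise, naming each missing path or wrong owner on stderr.
check_owner() {
    acct=$1; shift
    rc=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p" >&2; rc=1
        elif [ "$(owner_of "$p")" != "$acct" ]; then
            echo "wrong owner on $p: $(owner_of "$p") (want $acct)" >&2; rc=1
        fi
    done
    return $rc
}

# check_rights ACCOUNT: return 0 if editrights lists every required right for ACCOUNT,
# 1 if any is missing, 2 if editrights is not available (not a Cygwin host).
# Assumption: "editrights -l -u ACCOUNT" prints the account's rights, one per line.
check_rights() {
    acct=$1
    command -v editrights >/dev/null 2>&1 || return 2
    have=$(editrights -l -u "$acct" 2>/dev/null)
    rc=0
    for r in $SSHD_REQUIRED_RIGHTS; do
        case "$have" in *"$r"*) ;; *) echo "missing right: $r" >&2; rc=1 ;; esac
    done
    return $rc
}

# sshd_preflight ACCOUNT: run both checks against the paths the thread chowns
# (/etc/ssh*, /var/empty) plus /var/log/lastlog, which sshd also needs to own.
sshd_preflight() {
    acct=$1
    check_owner "$acct" /etc/ssh* /var/empty /var/log/lastlog || return 1
    check_rights "$acct"
}
```

Run "sshd_preflight fdsv-sa-prx-sshdsrvr" in a Cygwin shell before "net start sshd"; a non-zero exit with the reported path or right is the fix to apply first.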
