This is the mail archive of the cygwin mailing list for the Cygwin project.


RE: Unable to run sshd under a domain sshd_server account [SOLVED]

On Mon, 12 May 2008, Schutter, Thomas A. wrote:

> > -----Original Message-----
> > From: Schutter, Thomas A.
> > Sent: Monday, May 12, 2008 9:52 AM
> > To: 'cygwin@XXXXXX.XXX'
> > Subject: Unable to run sshd under a domain sshd_server account
> >
> > I am having problems setting up sshd to run under a domain sshd_server
> > account instead of a local sshd_server account.
> > [snip]
> > But when I login via ssh:
> >   $ echo $USER
> >   tschutter
> >   $ echo $USERNAME
> >   sshd_server

Yes -- Windows does not understand user impersonation and does not allow
real user switching.  So what sshd does is invoke processes with the
appropriate token privileges for the user it's impersonating, while
updating internal Cygwin data structures, but still running as
sshd_server.  So Cygwin sees the right user (in its internal state), but
Windows processes, of course, don't.

> > The application event log has this error message:
> >   The description for Event ID ( 0 ) in Source ( sshd ) cannot be
> > found. The local computer may not have the necessary registry
> > information or message DLL files to display messages from a remote
> > computer. You may be able to use the /AUXSOURCE= flag to retrieve this
> > description; see Help and Support for details. The following
> > information is part of the event: sshd: PID 2068: service `sshd'
> > failed: signal 11 raised.

Oops -- a segfault.  This is definitely a bug somewhere -- no matter what,
sshd should not segfault.

> First, I am sorry that I broke the original thread.  I was not
> subscribed to the list when I made the first post, so I was unable to
> reply to that thread.

There is a way to do this with the help of the archives.  I've posted the
recipe multiple times -- you should be able to find it in the archives.

> I solved the problem.  I had missed the /var/log files when changing
> ownership to the new domain sshd_server account.  The chown command
> above should be:
>   chown fdsv-sa-prx-sshdsrvr /etc/ssh* /var/empty /var/log/lastlog /var/log/sshd.log
> Now the sshd server starts, and when I login my id is correct, and I can
> view shares:
>   $ echo $USERDOMAIN
>   $ id
>   uid=18718(tschutter) gid=10513(Domain Users) groups=544(Administrators),545(Users),10513(Domain Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)
>   $ ls //other/f$
>   Data          RECYCLER        System\ Volume\ Information
> Note that my USERNAME is still wrong:
>   $ echo $USERNAME
>   fdsv-sa-prx-sshdsrvr

See above.

> Although this method of creating and using a domain sshd_server account
> is not one of the recommended workarounds, it appears to work.
> In the other thread, Larry Hall pointed me to the FAQ
> One of the
> suggestions was to "provide your password to a net use command".  I was
> unable to make that work, because "net use" never asks for my password:
>   $ net use \\other\f$
>   System error 67 has occurred.
>   The network name cannot be found.

See "net help use":
  The syntax of this command is:
  [devicename | *] [\\computername\sharename[\volume] [password | *]]
  password         Is the password needed to access the shared resource.
  *                Produces a prompt for the password. The password is
                   not displayed when you type it at the password prompt.

So, you need to type "net use '\\other\f$' \*" (note the escaped/quoted
'*'), and it'll prompt you for the password.

> As Larry Hall pointed out in the other thread, the cyglsa dll should
> solve this problem and I look forward to trying it out when 1.7.x is
> available.  I am not ready to jump to snapshots at this time.

      |\      _,,,---,,_ |
ZZZzz /,`.-'`'    -.  ;-;;,_		Igor Peshansky, Ph.D. (name changed!)
     |,4-  ) )-,_. ,\ (  `'-'		old name: Igor Pechtchanski
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"That which is hateful to you, do not do to your neighbor.  That is the whole
Torah; the rest is commentary.  Go and study it." -- Rabbi Hillel
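The fix in the thread above was an incomplete chown: every file sshd writes as the service account, including the /var/log files that were missed, must be owned by that account, or the service dies at startup. The script below is an added example, not code from the thread or from Cygwin; it checks the same path list and account name the thread gives, and reports any path that is missing or owned by someone else before the service is started.

```shell
#!/bin/sh
# Added example, not code from the thread: report which of the files sshd needs
# are not owned by the service account, so that a chown that missed a file
# (as with /var/log/* in the thread) is caught before starting the service.

# check_owner OWNER PATH...
# Prints one line per path that is missing or owned by someone else.
# Returns 0 when every path exists and is owned by OWNER, 1 otherwise.
# Uses GNU/Cygwin `stat -c %U`, which prints the owner as the name Cygwin
# resolves from /etc/passwd (plain "user" or "DOMAIN+user"); compare against
# whatever `ls -l` shows for the account on your system.
check_owner() {
    expected="$1"
    shift
    rc=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            printf 'MISSING %s\n' "$p"
            rc=1
        else
            owner=$(stat -c '%U' -- "$p")
            if [ "$owner" != "$expected" ]; then
                printf 'WRONG   %s (owner %s, expected %s)\n' "$p" "$owner" "$expected"
                rc=1
            fi
        fi
    done
    return "$rc"
}

# Same path set as the thread's chown command.  /etc/ssh* is expanded by the
# shell; if nothing matches, the literal pattern is reported as MISSING.
check_sshd_files() {
    check_owner "$1" /etc/ssh* /var/empty /var/log/lastlog /var/log/sshd.log
}

# Usage (script name is illustrative; account name is the one from the thread):
#   sh check_sshd_owner.sh fdsv-sa-prx-sshdsrvr
if [ $# -gt 0 ]; then
    check_sshd_files "$1"
fi
```

Run it as the account that did the chown; a non-zero exit with a MISSING or WRONG line names the file to fix.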
