This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: Unable to run sshd under a domain sshd_server account [SOLVED]

On May 13 11:09, Schutter, Thomas A. wrote:
> > -----Original Message-----
> > On May 12 18:29, Igor Peshansky wrote:
> > > On Mon, 12 May 2008, Schutter, Thomas A. wrote:
> > > Yes -- Windows does not understand user impersonation and does not
> > > allow real user switching.  So what sshd does is invoke processes with
> > > the appropriate token privileges for the user it's impersonating, while
> > > updating internal Cygwin data structures, but still running as
> > > sshd_server.  So Cygwin sees the right user (in its internal state),
> > > but Windows processes, of course, don't.
> > 
> > That's not correct.  This problem cropped up on the list a lot already.
> > When not using password authentication, Cygwin has to create a user
> > token from scratch.  The resulting processes are running under a normal
> > user token with correctly set user and group ownership.
> Except that is not what I am seeing.  When I run "id" from a console
> cygwin shell:
>   $ id
>   uid=18718(tschutter) gid=10513(Domain Users) groups=544(Administrators),545(Users),10513(Domain Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)
> But when I run "id" from a ssh shell:
>   $ id
>   uid=18718(tschutter) gid=10513(Domain Users) groups=545(Users),10513(Domain Users)
> So when I am using pubkey authentication, the user token is not a member
> of the "Administrators", "FDSV-GG-PrxBLD", or "FDSV-GG-PrxPCAdmins"
> groups.

That wasn't what I was talking about.  I was just referring to the
assertion that Windows doesn't know about user impersonation or
user switching.

As for your user token, Cygwin tries to get information about the user
by asking the local machine what local and global groups the user is a
member of.  Some local groups are only in the user's group list because
one of the global groups is in turn a member of a local group, which is
probably the case for the Admin's group.  For some reason your local
machine doesn't return any of the information about the global domain
groups your user is a member of.  Possible reasons are that retrieving
the PDC for the user's domain fails, or that the PDC refuses to list the
user's groups for some reason.  That's something you would have to debug
in your local installation.


Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
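The following is an added example, not code from the thread or from the Cygwin project. It automates the comparison Thomas did by hand: it parses the `groups=` field of two `id` outputs (the two lines below are constructed from the ones quoted in the thread), lists the groups the ssh session lacks, and prints, for each one, the Windows command that shows where that group's membership comes from, following Corinna's explanation that a local group such as Administrators only appears because a domain group is nested in it. The builtin-versus-domain split assumes Cygwin's classic mkgroup numbering (builtin aliases keep their RID, 544 and 545 here; domain groups get RID plus 10000, so Domain Users becomes 10513). The `net localgroup` and `net group /domain` commands are only printed as suggestions; the script itself runs in any bash with `comm` and `tr`, including Cygwin's.

```shell
#!/usr/bin/env bash
# Added example: diff the group lists Cygwin's `id` reports in two sessions
# and show where each missing group should be looked up.  Not from the thread.
set -u

# Constructed from the two `id` outputs quoted in the thread.
CONSOLE_ID='uid=18718(tschutter) gid=10513(Domain Users) groups=544(Administrators),545(Users),10513(Domain Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)'
SSH_ID='uid=18718(tschutter) gid=10513(Domain Users) groups=545(Users),10513(Domain Users)'

# Print the "gid(name)" entries of the groups= field, one per line.
# Group names may contain spaces (Domain Users) but not commas.
id_groups() {
    local line=$1
    line=${line##*groups=}
    printf '%s\n' "$line" | tr ',' '\n'
}

# Print the entries present in the first id output but absent from the
# second.  LC_ALL=C keeps sort and comm collating identically.
missing_groups() {
    LC_ALL=C comm -23 <(id_groups "$1" | LC_ALL=C sort) \
                      <(id_groups "$2" | LC_ALL=C sort)
}

# Classify an entry by its gid.  Assumption: classic mkgroup numbering,
# where builtin aliases keep their RID (544 Administrators, 545 Users)
# and domain groups are RID + 10000 (513 Domain Users -> 10513).
group_kind() {
    local gid=${1%%(*}
    if [ "$gid" -lt 1000 ]; then echo builtin; else echo domain; fi
}

# For every group the second session lacks, print the command that lists
# that group's members: a missing builtin group is usually reached through
# a nested domain group, so `net localgroup` shows which domain group the
# PDC failed to report; a missing domain group is checked on the PDC.
report() {
    missing_groups "$1" "$2" | while IFS= read -r entry; do
        local name=${entry#*(}
        name=${name%)}
        case $(group_kind "$entry") in
            builtin) echo "missing local group '$name': run  net localgroup \"$name\"" ;;
            domain)  echo "missing domain group '$name': run  net group \"$name\" /domain" ;;
        esac
    done
}

report "$CONSOLE_ID" "$SSH_ID"
```

On a real box, replace the two constructed strings with the actual `id` output captured in a console shell and in an ssh shell; if `net group ... /domain` itself fails or returns no members from the ssh session's account context, that points at the PDC lookup Corinna mentions rather than at Cygwin's group mapping.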
