This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])


Charles, Ping?

On Jun 16 23:13, Corinna Vinschen wrote:
> Oh, btw., Charles, that's one for you.
> 
> On Jun 16 23:01, Corinna Vinschen wrote:
> > On May 13 11:09, Schutter, Thomas A. wrote:
> > > So when I am using pubkey authentication, the user token is not a member
> > > of the "Administrators", "FDSV-GG-PrxBLD", or "FDSV-GG-PrxPCAdmins"
> > > groups.
> > 
> > the the PDC refused to list the groups the user is member of:
> > 
> >   $ id
> >   uid=11001(corinna) gid=10513(DomUsers) groups=545(Users),10513(DomUsers)
> > 
> > The problem was that the domain sshd_server account has no right to
> > access the domain controller from the network.  Solution: Open the Local
> > Security Policy of the DC and look for the User Right "Deny access to
> > this computer from the network".  You'll find your sshd_server user in
> > there.  Remove it from this user right.  Try again:
> 
> This user right shouldn't be set anymore in the
> csih/cygwin-service-installation-helper.sh script.  Patch follows:
> [...]

In the meantime it turned out that the right to logon interactively
should also be given to the cyg_server account.  Otherwise you get
spurious logon failure events in the security event on the DC related to
the cyg_server account.

While I'm at it, I'd like to propose the following changes as well:

- Don't test for the "Deny Logon" rights in
  csih_account_has_necessary_privileges.  After all, these rights are
  only additional security measures, but not at all necessary to do the
  job.

- Don't test or set the SeIncreaseQuotaPrivilege privilege.  This is
  given to Administrators by default anyway and if the right is not
  given to cyg_server explicitely, the test will fail, because
  editrights doesn't test the groups in the token, only the user itself.
  Actually that's something which would be worth a fix to editrights.

So the patch I propose looks like this:

	* cygwin-service-installation-helper.sh
	(csih_account_has_necessary_privileges): Don't explicitely test for
	SeDenyXXX rights, nor for SeIncreaseQuotaPrivilege.
 	(csih_create_privileged_user): Drop setting SeDenyInteractiveLogonRight,
	SeDenyNetworkLogonRight, and SeIncreaseQuotaPrivilege.

--- cygwin-service-installation-helper.sh.ORIG	2008-06-16 23:07:36.017432500 +0200
+++ cygwin-service-installation-helper.sh	2008-06-22 21:31:57.612588900 +0200
@@ -1639,10 +1639,6 @@ csih_account_has_necessary_privileges() 
           editrights -l -u "${user}" | fgrep SeAssignPrimaryTokenPrivilege     >/dev/null 2>&1 &&
           editrights -l -u "${user}" | fgrep SeCreateTokenPrivilege            >/dev/null 2>&1 &&
           editrights -l -u "${user}" | fgrep SeTcbPrivilege                    >/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeDenyInteractiveLogonRight       >/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeDenyNetworkLogonRight           >/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeDenyRemoteInteractiveLogonRight >/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeIncreaseQuotaPrivilege          >/dev/null 2>&1 &&
           editrights -l -u "${user}" | fgrep SeServiceLogonRight               >/dev/null 2>&1
           return # status of previous command-list
         fi
@@ -2105,10 +2101,7 @@ csih_create_privileged_user()
         editrights -a SeAssignPrimaryTokenPrivilege -u ${username} &&
         editrights -a SeCreateTokenPrivilege -u ${username} &&
         editrights -a SeTcbPrivilege -u ${username} &&
-        editrights -a SeDenyInteractiveLogonRight -u ${username} &&
-        editrights -a SeDenyNetworkLogonRight -u ${username} &&
         editrights -a SeDenyRemoteInteractiveLogonRight -u ${username} &&
-        editrights -a SeIncreaseQuotaPrivilege -u ${username} &&
         editrights -a SeServiceLogonRight -u ${username} &&
         username_got_all_rights="yes"
         if [ "${username_got_all_rights}" != "yes" ]


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]