This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Windows Server 2012R2 64bit and 32bit Cygwin sshd

From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
To: cygwin at cygwin dot com
Date: Wed, 3 Sep 2014 15:26:16 +0200
Subject: Re: Windows Server 2012R2 64bit and 32bit Cygwin sshd
Authentication-results: sourceware.org; auth=none
References: <8761hphfps dot fsf at Rainer dot invalid> <loom dot 20140902T134545-288 at post dot gmane dot org> <20140902140751 dot GD6056 at calimero dot vinschen dot de> <loom dot 20140902T171114-72 at post dot gmane dot org> <20140902153757 dot GE6056 at calimero dot vinschen dot de> <loom dot 20140903T084528-450 at post dot gmane dot org>
Reply-to: cygwin at cygwin dot com

On Sep  3 07:17, Achim Gratz wrote:
> Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > Don't use privilege separation, then the non-privileged sshd user won't
> > matter at all.  Privsep on Cygwin is only half-useful on Cygwin anyway,
> > if at all.
> 
> I've switched privilege separateion off completely, but no dice.  The Access
> Denied comes from trying to switch from primary group "MACHINE+None" to
> "Domain Users".  That is expected to happen, what I still don't get is why
> the parent process winds up with the exception instead of the originating
> process as on 64bit.

As I wrote, this is a red herring.  A failing setgid is no error at
all.  It has nothing to do with the exception, except for the debug
output preceeding the exception occurance.  Note the

  get_logon_server: DC: server: \\SC301

between them.  This, and the subsequent seterrno_from_win_error in the
parent sshd are a pretty sure sign that the exception is triggered by
the NetUserXXX calls.

> > As for the local cyg_server account, I'm not sure.  Usually,
> > a local machine account has no or only limited access to AD information.
> > As an account which needs AD to get user information it's a bit
> > unfortunate if it doesn't have access.
> 
> When the process comes to this point it has already verified the user via AD.

Yes, but this has nothing to do with it.  Before calling setuid (which
it calls a couple of times during login), sshd calls initgroups for the
new user, POSIX-like.  Initgroups in turn has to call NetUserGetGroups
and NetUserGetLocalGroups on the DC to fetch the full list of groups for
a user.  From the strace it *seems* that the call to NetUserGetGroups in
the grand child sshd process results in simply terminating the process.
The fact that there's no more output *at all* from the grand child
points to Windows killing the process hard.  Lacking any hint why this
occurs, it's just an assumption, of course.

> > The strace shows that it doesn't even *try* to start bash, but it's
> > entirely unclear why.
> 
> Is it possible to run sshd in gdb?

Yes, but Windows/Cygwin gdb don't allow to follow the child process
so it's very tricky.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

Attachment: pgpadUVXv7j5t.pgp
Description: PGP signature

References:
- Re: Windows Server 2012R2 64bit and 32bit Cygwin sshd
  - From: Achim Gratz
- Re: Windows Server 2012R2 64bit and 32bit Cygwin sshd
  - From: Corinna Vinschen
- Re: Windows Server 2012R2 64bit and 32bit Cygwin sshd
  - From: Achim Gratz
- Re: Windows Server 2012R2 64bit and 32bit Cygwin sshd
  - From: Corinna Vinschen
- Re: Windows Server 2012R2 64bit and 32bit Cygwin sshd
  - From: Achim Gratz

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]