Unable to run sshd under a domain sshd_server account [SOLVED]

Corinna Vinschen corinna-cygwin@cygwin.com
Mon Jun 16 21:03:00 GMT 2008


Hi Thomas,

On May 13 11:09, Schutter, Thomas A. wrote:
> Except that is not what I am seeing.  When I run "id" from a console
> cygwin shell:
>   $ id
>   uid=18718(tschutter) gid=10513(Domain Users)
> groups=544(Administrators),545(Users),10513(Domain
> Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)
> 
> But when I run "id" from a ssh shell:
>   $ id
>   uid=18718(tschutter) gid=10513(Domain Users)
> groups=545(Users),10513(Domain Users)
> 
> So when I am using pubkey authentication, the user token is not a member
> of the "Administrators", "FDSV-GG-PrxBLD", or "FDSV-GG-PrxPCAdmins"
> groups.

Dunno if you fixed this problem in the meantime?  I tested this myself
and debugged this situation.  It turned out (in *my* local scenario),
that the PDC refused to list the groups the user is a member of:

  $ id
  uid=11001(corinna) gid=10513(DomUsers) groups=545(Users),10513(DomUsers)

The problem was that the domain sshd_server account has no right to
access the domain controller from the network.  Solution: Open the Local
Security Policy of the DC and look for the User Right "Deny access to
this computer from the network".  You'll find your sshd_server user in
there.  Remove it from this user right.  Try again:

  $ id
  uid=11001(corinna) gid=10513(DomUsers) groups=544(Administrators),
  545(Users),10512(DomAdmins),10513(DomUsers)

If that doesn't help, you'll probably have an overriding Domain
Controller Security Policy set.  Look there, set (or reset) the "Deny
access to this computer from the network" user right accordingly and try
again.


HTH,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
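
The comparison made in this thread, as an added example that is not part of the original message: a shell helper that lists the groups present in a console `id` output but absent from the `id` output of an ssh session. The function names are hypothetical; the sample data is the two `id` outputs quoted above, with the mail's line wrapping kept.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Sample data: the two `id` outputs quoted in the thread, wrapped as in the mail.
CONSOLE_ID='uid=18718(tschutter) gid=10513(Domain Users)
groups=544(Administrators),545(Users),10513(Domain
Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)'
SSH_ID='uid=18718(tschutter) gid=10513(Domain Users)
groups=545(Users),10513(Domain Users)'

# id_groups: read `id` output on stdin, print one "gid(name)" entry per line.
# Copes with wrapped lines and with group names that contain spaces.
id_groups() {
    tr '\n' ' ' | awk '{
        if (!sub(/.*groups=/, "")) exit      # no groups= field: print nothing
        n = split($0, g, ",")
        for (i = 1; i <= n; i++) {
            gsub(/^ +| +$/, "", g[i])        # trim padding left by the wrapping
            gsub(/ +/, " ", g[i])            # collapse runs of spaces in names
            if (g[i] != "") print g[i]
        }
    }' | LC_ALL=C sort -u
}

# missing_groups CONSOLE SSH: print the groups that appear in the console
# token but not in the token of the ssh session.
missing_groups() {
    a=$(mktemp) && b=$(mktemp) || return 1
    printf '%s\n' "$1" | id_groups > "$a"
    printf '%s\n' "$2" | id_groups > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Stand-alone run: show what the ssh session lost in the quoted report.
missing_groups "$CONSOLE_ID" "$SSH_ID"
```

On a live system the two arguments would be the output of `id` run in a console shell and in an ssh login. An empty result means both sessions carry the same groups.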
