Mail Archives: cygwin/2005/07/28/16:37:18
Thank you again Pierre.
I appreciate the increased rights ;-> It fixed up more than
just the net drive issue; a couple of my database admin commands that were
failing now work again in an ssh session.
See comments below.
--
regards,
Tom
On Thu 7/28/05 13:22 EDT "Pierre A. Humblet" wrote:
> Tom Rodman wrote:
>
> > The 'id' command indicates user staffuser1 is in group ABC_NA-CTX-Notepad-A.
> > I use this account 'staffuser1', and have no idea what group ABC_NA-CTX-Notepad-A
> > is; I do not think user staffuser1 is really in that group, but you could
> > prove me wrong (how?).
> >
> > This is causing problems in ssh sessions; Pierre A. Humblet supplied
> > me with a workaround: (http://cygwin.com/ml/cygwin/2005-07/msg01287.html).
>
> > How can we determine if user staffuser1 is or is not in group ABC_NA-CTX-Notepad-A?
>
> id reports the groups that are in the (Windows) process token, using
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/gettokeninformation.asp
> Somehow Windows put it there.
>
> The fact that net ... does not report it is consistent with your ssh troubles.
> When ssh asks Windows what groups you are part of, Windows does
> not include ABC_NA-CTX-Notepad-A
> However when ssh asks Windows to log you in (giving your password),
> Windows does include that group in the token. The discrepancy causes
> ssh to create another token, leading to your access troubles on shared drives.
>
> There is a remote chance (I have never observed something like that) that
> the group is in the token but not "enabled", or that SE_GROUP_USE_FOR_DENY_ONLY
> is set, or some such, see the special flags in
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/token_groups.asp
> You may also get a clue by looking at the content of your /tmp/foo001
The users in /tmp/foo001 mean little to me. I did recognize one person
I know out of the ~86 usernames, so maybe I'll talk to him about the
group's purpose and human "creator".
The domain we're in is large (many thousands of users), and 'mkpasswd -d -l'
fails because it's so large, so I run 'mkpasswd -l', and then individual
'mkpasswd -d -u USERNAME' for all the end users I support, and cat all these
to /etc/passwd in a daily cron job.
>
> You can easily find out the details by creating a short program using
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/getcurrentprocess.asp
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/openprocesstoken.asp
> and gettokeninformation to list the groups in your token and understand what's going on.
> The group SID can be mapped to a name with
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/lookupaccountsid.asp
> Do you feel able to do that?
I have not had time to thoroughly look at your links, but my hunch is
that I will need help writing the program(s), and that I can get that
help here where I work.
I will keep the mailing list updated, but I expect it may take a while;
meanwhile I'll use the workaround.
<snip>
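The program Pierre sketches above, as an added C example that is not from this thread or from Cygwin: it walks GetCurrentProcess -> OpenProcessToken -> GetTokenInformation(TokenGroups) -> LookupAccountSid and decodes each group's SE_GROUP_* attributes, so an entry such as ABC_NA-CTX-Notepad-A shows up as enabled or deny-only. The attribute decoder is portable; the token enumeration itself is compiled only under _WIN32, and the buffer sizes and output format are my own choices.

```c
/* Added example: list the current token's groups and decode their attributes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else /* attribute bits from winnt.h, reproduced so the decoder builds off-Windows */
typedef unsigned long DWORD;
#define SE_GROUP_MANDATORY          0x00000001
#define SE_GROUP_ENABLED_BY_DEFAULT 0x00000002
#define SE_GROUP_ENABLED            0x00000004
#define SE_GROUP_USE_FOR_DENY_ONLY  0x00000010
#endif

static void tag(char *buf, size_t buflen, const char *s)
{
    if (buf[0]) strncat(buf, ",", buflen - strlen(buf) - 1);
    strncat(buf, s, buflen - strlen(buf) - 1);
}
/* Render a TOKEN_GROUPS attribute word as comma-separated tags. Returns 1 if
 * the group can grant access (enabled and not deny-only), else 0. */
int describe_group_attrs(DWORD attrs, char *buf, size_t buflen)
{
    buf[0] = '\0';
    if (attrs & SE_GROUP_MANDATORY)          tag(buf, buflen, "mandatory");
    if (attrs & SE_GROUP_ENABLED_BY_DEFAULT) tag(buf, buflen, "enabled-by-default");
    if (attrs & SE_GROUP_ENABLED)            tag(buf, buflen, "enabled");
    if (attrs & SE_GROUP_USE_FOR_DENY_ONLY)  tag(buf, buflen, "DENY-ONLY");
    if (!buf[0]) tag(buf, buflen, "(none)");
    return (attrs & SE_GROUP_ENABLED) && !(attrs & SE_GROUP_USE_FOR_DENY_ONLY);
}

#ifdef _WIN32
int main(void)
{
    HANDLE tok; DWORD need = 0, i; PTOKEN_GROUPS g;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return 1;
    GetTokenInformation(tok, TokenGroups, NULL, 0, &need);  /* size query */
    g = (PTOKEN_GROUPS)malloc(need);
    if (!g || !GetTokenInformation(tok, TokenGroups, g, need, &need)) return 1;
    for (i = 0; i < g->GroupCount; i++) {
        char name[256], dom[256], tags[128]; DWORD nl = 256, dl = 256; SID_NAME_USE use;
        int ok = describe_group_attrs(g->Groups[i].Attributes, tags, sizeof tags);
        if (!LookupAccountSidA(NULL, g->Groups[i].Sid, name, &nl, dom, &dl, &use))
            { strcpy(dom, "?"); strcpy(name, "<unresolved SID>"); }
        printf("%s\\%s [%s]%s\n", dom, name, tags, ok ? "" : " <does not grant access>");
    }
    free(g); CloseHandle(tok); return 0;
}
#endif
```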