Mail Archives: cygwin/2006/08/17/19:49:55
On Wed 8/16/06 23:11 +0200 cygwin AT cygwin DOT com wrote:
> On Aug 16 15:49, Tom Rodman wrote:
> > On Wed 8/16/06 14:44 CDT mwoehlke wrote:
> > > Tom Rodman wrote:
> > > > Hosts affected:
> > > >
> > > > several boxes running windows 2003 server w/cygwin (1.5.20s(0.155/4/2) 20060403 13:33:45)
> > > >
> > > > Problem (or feature?):
> > > >
> > > > when you ssh to these boxes, and run:
> > > >
> > > > $WINDIR/system32/whoami /all |grep -q S-1-2-0 || echo OOPs # "OOPS" echoes :-<
> > > >
> > > > "S-1-2-0" == "Users who log on to terminals locally (physically) connected to the system."
> > > > [...]
> > > FWIW, on my 2k3 box, I show up as a member in S-1-2-0 both logged in
> > > "locally" (via Remote Desktop Sharing, with which I have never had
> > > anything "not work") and via Cygwin sshd.
--snip
> Maybe there's a difference between password and pubkey authentication?
we're using password authentication.
> Or it's some security setting? I could easily imagine there's a switch
> in "local Security Settings" or "Domain Security Settings" which drops
> the LOCAL group from the token.
In windows, I ran secpol.msc, and browsed through it looking for something
obvious, nothing jumped out at me.
These boxes are in a large corporate domain, and they do change, and
"push down" domain policies from time to time (often without telling us).
> There's a lot of mysterious stuff in 2K3...
>
> Whatever it is, it must be something related to 2K3. Cygwin doesn't
> differentiate between the different OSes in terms of authentication. I also
> have the LOCAL group as part of my user token on 2K3.
thx for checking, and letting me know
> Temporary Workaround: Add the user to the local group by adding them to
> a manually created entry in /etc/group:
>
> local:S-1-2-0:2:user1,user2,...
tried that... no joy, take a look:
--v-v------------------C-U-T---H-E-R-E-------------------------v-v--
$ $WINDIR/system32/whoami /all #we're in an ssh session before edits made to /etc/group
USER INFORMATION
----------------
User Name SID
========== =============================================
DOMxx1\adm_usr1 S-1-5-21-1390067357-1202660629-682003330-5774
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================ ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
DOMxx1\XYZ_ES_ADMIN Group S-1-5-21-1390067357-1202660629-682003330-6026 Mandatory group, Enabled by default, Enabled group
DOMxx1\XYZ_ES_STAFF Group S-1-5-21-1390067357-1202660629-682003330-6027 Mandatory group, Enabled by default, Enabled group
DOMxx1\XYZ_BLD_MGR Group S-1-5-21-1390067357-1202660629-682003330-6025 Mandatory group, Enabled by default, Enabled group
DOMxx1\ABC_NA-CTX-Notepad-A Group S-1-5-21-1390067357-1202660629-682003330-9858 Mandatory group, Enabled by default, Enabled group
DOMxx1\ABC_NA-DOMxx0-tcm-Users-A Group S-1-5-21-1390067357-1202660629-682003330-9968 Mandatory group, Enabled by default, Enabled group
DOMxx1\XYZ_Users Group S-1-5-21-1390067357-1202660629-682003330-6024 Mandatory group, Enabled by default, Enabled group
DOMxx1\ABC_NA-DL-CTX-Notepad Users-A Alias S-1-5-21-1390067357-1202660629-682003330-9857 Mandatory group, Enabled by default, Enabled group
DOMxx1\CERTSVC_DCOM_ACCESS Alias S-1-5-21-1390067357-1202660629-682003330-46949 Mandatory group, Enabled by default, Enabled group, Local Group
DOMxx1\RILOE_SCM Alias S-1-5-21-1390067357-1202660629-682003330-1339 Mandatory group, Enabled by default, Enabled group, Local Group
DOMxx1\C200-DL-APP-SCMUsers Alias S-1-5-21-1390067357-1202660629-682003330-55557 Mandatory group, Enabled by default, Enabled group, Local Group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeSystemtimePrivilege Change the system time Disabled
SeShutdownPrivilege Shut down the system Disabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeDebugPrivilege Debug programs Disabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
$ grep S-1-2-0 /etc/group
$ echo local:S-1-2-0:2:adm_usr1 >> /etc/group
$ wc -l /etc/group
2691 /etc/group
$ exit
logout
Connection to OurSrvr065 closed.
[16:02:33 Thu Aug 17 0j 36 2354 ~/Mail]
[localhost rodmant]$ ssh OurSrvr065 -l adm_usr1 #~adm_usr1 is on a remote share
adm_usr1 AT OurSrvr065's password:
Last login: Thu Aug 17 15:58:07 2006 from 10.165.10.182
Welcome to ITZG compile engine ..
Could not chdir to home directory /user/adm_usr1: Permission denied
-bash: /etc/profile: Permission denied
-bash: /user/adm_usr1/.bash_profile: Permission denied
-bash-3.00$ $WINDIR/system32/whoami /all #notice whoami shows wrong user name:
USER INFORMATION
----------------
User Name SID
===================== =============================================
OurSrvr065\sshd_server S-1-5-21-1390067357-1202660629-682003330-5774
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================ ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
DOMxx1\ABC_NA-CTX-Notepad-A Group S-1-5-21-1390067357-1202660629-682003330-9858 Mandatory group, Enabled by default, Enabled group
DOMxx1\ABC_NA-DOMxx0-tcm-Users-A Group S-1-5-21-1390067357-1202660629-682003330-9968 Mandatory group, Enabled by default, Enabled group
DOMxx1\XYZ_BLD_MGR Group S-1-5-21-1390067357-1202660629-682003330-6025 Mandatory group, Enabled by default, Enabled group
DOMxx1\XYZ_ES_ADMIN Group S-1-5-21-1390067357-1202660629-682003330-6026 Mandatory group, Enabled by default, Enabled group
DOMxx1\XYZ_ES_STAFF Group S-1-5-21-1390067357-1202660629-682003330-6027 Mandatory group, Enabled by default, Enabled group
DOMxx1\XYZ_Users Group S-1-5-21-1390067357-1202660629-682003330-6024 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeSystemtimePrivilege Change the system time Enabled
SeShutdownPrivilege Shut down the system Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
-bash-3.00$
> Corinna
>
> --
> Corinna Vinschen Please, send mails regarding Cygwin to
> Cygwin Project Co-Leader cygwin AT cygwin DOT com
> Red Hat
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
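As an added example (not code from the thread or from Cygwin), a small Python parser for the `whoami /all` text quoted above: it performs the S-1-2-0 membership check from the original post and diffs user, groups and privilege state between two captures, which is how a defender would spot the identity switch to sshd_server and the privileges that went from Disabled to Enabled in the second session. The two captures are abridged and constructed from the output quoted in the thread.

```python
import re
# Abridged `whoami /all` captures, constructed from the two sessions quoted in the thread.
BEFORE = """\
USER INFORMATION
DOMxx1\\adm_usr1 S-1-5-21-1390067357-1202660629-682003330-5774
GROUP INFORMATION
NT AUTHORITY\\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
SeDebugPrivilege Debug programs Disabled
"""
AFTER = """\
USER INFORMATION
OurSrvr065\\sshd_server S-1-5-21-1390067357-1202660629-682003330-5774
GROUP INFORMATION
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
SeDebugPrivilege Debug programs Enabled
"""
SID_RE = re.compile(r"S-1-\d+(?:-\d+)*")
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s.*\s(Enabled|Disabled)$")

def parse_whoami(text):
    """Parse `whoami /all` text: user (name, sid), groups {sid: attributes}, privs {name: state}."""
    info = {"user": None, "groups": {}, "privs": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(" INFORMATION"):
            section = line.split()[0]          # USER, GROUP or PRIVILEGES
            continue
        sid, priv = SID_RE.search(line), PRIV_RE.match(line)   # rulers/headers match neither
        if section == "USER" and sid:
            info["user"] = (line[:sid.start()].strip(), sid.group())
        elif section == "GROUP" and sid:
            info["groups"][sid.group()] = line[sid.end():].strip()
        elif section == "PRIVILEGES" and priv:
            info["privs"][priv.group(1)] = priv.group(2)
    return info

def has_local_group(info):
    """The thread's check: is the LOCAL well-known group (S-1-2-0) in the token?"""
    return "S-1-2-0" in info["groups"]

def token_diff(before, after):
    """Identity, group and privilege-state changes between two captures (e.g. two sessions)."""
    privs = before["privs"].keys() | after["privs"].keys()
    return {
        "user": None if before["user"] == after["user"] else (before["user"], after["user"]),
        "groups_added": sorted(set(after["groups"]) - set(before["groups"])),
        "groups_removed": sorted(set(before["groups"]) - set(after["groups"])),
        "privs_changed": {p: (before["privs"].get(p), after["privs"].get(p))
                          for p in privs if before["privs"].get(p) != after["privs"].get(p)},
    }
```

Running `token_diff(parse_whoami(BEFORE), parse_whoami(AFTER))` flags the user-name change, LOCAL (S-1-2-0) and SERVICE (S-1-5-6) appearing, INTERACTIVE (S-1-5-4) disappearing, and SeDebugPrivilege flipping to Enabled.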