Mail Archives: cygwin/2006/08/23/14:53:37
On Wed 8/23/06 9:43 +0200 cygwin AT cygwin DOT com wrote:
> On Aug 21 11:13, Tom Rodman wrote:
> > On Fri 8/18/06 16:28 +0200 cygwin AT cygwin DOT com wrote:
> > > The trick using /etc/group only works for password-LESS authentication,
> > > sorry for not mentioning it, but usually the problems reported here are
> > > with passwordless authentication so I just assumed this is the case here, too.
> >
> > A trick using /etc/group *does* work for password authentication - at
> > least for domain groups. We edit /etc/group, every day via a cron job -
>
> Hmm, I'm a bit irritated since actually it can't work, at least not as
> you'd expect. If a user token created by a password logon is not matching
> the groups you added it to, the token is treated as invalid. This would
> happen, for instance, if the authenticating application (say, sshd), uses
> setgroups(2) with an entirely different set of groups. The result is that
> a new token is created in Cygwin, which has nothing to do with the
> original password token. Especially the new token is missing the network
> credentials and the user is again running in the wrong logon session.
> This is all a bit tricky. Right now, I don't know if it's possible to
> create a token with network credentials at all.
Thanks as always for responding Corinna.
I'm answering somewhat hurriedly, let me know if you need more specifics..
Here is empirical evidence that our password authenticated ssh
sessions benefit from daily automatic edits of /etc/group:
$ whoami #we're now in a password authenticated session to server OurSrvr065
adm_usr1
$ pwd -P; mount |grep /adm
/adm/sa/tmp
\\OurSrvr063\tcm\adm on /adm type system (binmode,noexec)
$ uname -a
CYGWIN_NT-5.2 OurSrvr065 1.5.20s(0.155/4/2) 20060403 13:33:45 i686 Cygwin
$ pwd -P; mount |grep /adm
/adm/sa/tmp
\\OurSrvr063\tcm\adm on /adm type system (binmode,noexec)
$ grep adm_usr1 /etc/group|sed -eG #sorry I'm not wrapping these lines
ABC_NA-CTX-Notepad-A:S-1-5-21-1390067357-1202660629-682003330-9858:19858:staffuser2,staffuser1,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root
ABC_NA-DOMxx0-tcm-Users-A:S-1-5-21-1390067357-1202660629-682003330-9968:19968:staffuser2,adm_usr1
Domain Users:S-1-5-21-1390067357-1202660629-682003330-513:10513:staffuser2,staffuser1,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root
XYZ_BLD_MGR:S-1-5-21-1390067357-1202660629-682003330-6025:16025:staffuser2,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root
XYZ_ES_ADMIN:S-1-5-21-1390067357-1202660629-682003330-6026:16026:staffuser1,adm_usr1,adm_usr2,doejohn
XYZ_ES_STAFF:S-1-5-21-1390067357-1202660629-682003330-6027:16027:staffuser2,staffuser1,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root
XYZ_Users:S-1-5-21-1390067357-1202660629-682003330-6024:16024:staffuser2,staffuser1,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root
$ id -G; id -Gn
16027 544 19858 19968 10513 16025 16026 16024 545
XYZ_ES_STAFF Administrators ABC_NA-CTX-Notepad-A ABC_NA-DOMxx0-tcm-Users-A Domain Users XYZ_BLD_MGR XYZ_ES_ADMIN XYZ_Users Users
$ getfacl .
# file: .
# owner: staffuser2
# group: XYZ_ES_STAFF
user::rwx
group::rwx
mask:rwx
other:rwx
default:user::rwx
default:group::rwx
default:other:rwx
$ dacl -s //OurSrvr063/tcm #an alias for "setacl", setacl dumps windows permissions for the share:
+ setacl -on '\\OurSrvr063\tcm' -ot shr -actn list -lst 'f:tab;w:o,g,d,s;i:y;s:n'
\\OurSrvr063\tcm
Owner: BUILTIN\Administrators
Group: DOMxx1\Domain Users
DACL(not_protected):
BUILTIN\Administrators full allow no_inheritance
DOMxx1\C200-DL-APP-XYZUsers full allow no_inheritance
Everyone read allow no_inheritance
DOMxx1\XYZ_Users full allow no_inheritance
DOMxx0\XYZ_USERS full allow no_inheritance
SetACL finished successfully.
+ set +x
$ touch toss686867
$ echo hi > toss686867 #writing to a file on a network share in a password authenticated ssh session
$ ls -l toss686867
-rw-rw-r-- 1 adm_usr1 XYZ_ES_STAFF 3 Aug 23 12:43 toss686867
$ rm toss686867
$ egrep '^XYZ_BLD_MGR' /etc/group #notice "adm_usr1" has been added, we will soon remove him..
XYZ_BLD_MGR:S-1-5-21-1390067357-1202660629-682003330-6025:16025:staffuser2,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root
$ perl -pe 's~adm_usr1,~~ if (m{^XYZ_BLD_MGR});' /etc/group|grep XYZ_BLD_MGR
XYZ_BLD_MGR:S-1-5-21-1390067357-1202660629-682003330-6025:16025:staffuser2,adm_usr2,doejohn,crodmat,bcm_root
$ cd /etc
$ cp group /tmp
$ perl -ibackup_wed01 -pe 's~adm_usr1,~~ if (m{^XYZ_BLD_MGR});' /etc/group #removing adm_usr1
$ diff /etc/group /tmp #the perl /etc/group edit above will position next ssh session to fail..
--- /etc/group 2006-08-23 12:47:50.840153600 -0500
+++ /tmp/group 2006-08-23 07:10:33.525216000 -0500
@@ -2214,7 +2214,7 @@
SBE-CG_SBE_OFFICE:S-1-5-21-1390067357-1202660629-682003330-12336:22336:
SBE-Everyone:S-1-5-21-1390067357-1202660629-682003330-12335:22335:
SBE_Everyone:S-1-5-21-1390067357-1202660629-682003330-12337:22337:
-XYZ_BLD_MGR:S-1-5-21-1390067357-1202660629-682003330-6025:16025:staffuser2,adm_usr2,doejohn,crodmat,bcm_root
+XYZ_BLD_MGR:S-1-5-21-1390067357-1202660629-682003330-6025:16025:staffuser2,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root
XYZ_ES_ADMIN:S-1-5-21-1390067357-1202660629-682003330-6026:16026:staffuser1,adm_usr1,adm_usr2,doejohn
XYZ_ES_STAFF:S-1-5-21-1390067357-1202660629-682003330-6027:16027:staffuser2,staffuser1,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root
XYZ_Users:S-1-5-21-1390067357-1202660629-682003330-6024:16024:staffuser2,staffuser1,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root
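Review bot: the argument order `diff /etc/group /tmp` makes the `-` line the live, just-edited /etc/group and the `+` line the backup copy /tmp/group, so this hunk reads as the inverse of the edit the comment describes: it shows adm_usr1 being added to XYZ_BLD_MGR, while the perl -i edit above removed him. Running `diff /tmp/group /etc/group` (old file first, new file second) would show the removal in the expected direction and avoid that misreading.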
$ exit
logout
Connection to OurSrvr065 closed.
--snip
[12:49:24 Wed Aug 23 0j 36 2354 ~/Mail]
[localhost rodmant]$ ssh OurSrvr065 -l adm_usr1
adm_usr1 AT OurSrvr065's password:
Last login: Wed Aug 23 12:48:54 2006 from 10.165.10.182
Welcome to ITZG compile engine ..
Could not chdir to home directory /user/adm_usr1: Permission denied
-bash: /etc/profile: Permission denied
-bash: /user/adm_usr1/.bash_profile: Permission denied
-bash-3.00$ cd /etc
-bash-3.00$ cat /tmp/group > group #adm_usr1 put back in domain group 16025 again
-bash-3.00$ exit # next ssh session will be able to write to network drives again
logout
-bash: /user/adm_usr1/.bash_logout: Permission denied
Connection to OurSrvr065 closed.
[12:50:02 Wed Aug 23 0j 36 2354 ~/Mail]
[localhost rodmant]$ ssh OurSrvr065 -l adm_usr1 # start another password authenticated session
adm_usr1 AT OurSrvr065's password:
Last login: Wed Aug 23 12:49:39 2006 from 10.165.10.182
Welcome to ITZG compile engine ..
$ cd /adm/sa/tmp
$ touch toss9879789
$ echo hi >> toss9879789
$
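The daily /etc/group edit and the remove/restore sequence shown above, as an added example in POSIX shell that is not part of the original mail: helpers that read and rewrite entries in Cygwin's `name:SID:gid:member,member,...` format with a backup copy (the same effect as the perl -i one-liner), plus a drift check that compares the gids /etc/group grants a user with the gids in the live token as printed by `id -G`. The sample file content and the token gid list are constructed from the lines quoted in the mail; the temp file, function names and the `.bak` suffix are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original mail: helpers for Cygwin's
# /etc/group line format "name:SID:gid:member,member,...".
# Sample content below is constructed from the lines shown in the mail.
LC_ALL=C; export LC_ALL

GROUP_SAMPLE=$(mktemp)
cat >"$GROUP_SAMPLE" <<'EOF'
XYZ_BLD_MGR:S-1-5-21-1390067357-1202660629-682003330-6025:16025:staffuser2,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root
XYZ_ES_ADMIN:S-1-5-21-1390067357-1202660629-682003330-6026:16026:staffuser1,adm_usr1,adm_usr2,doejohn
XYZ_ES_STAFF:S-1-5-21-1390067357-1202660629-682003330-6027:16027:staffuser2,staffuser1,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root
SBE-Everyone:S-1-5-21-1390067357-1202660629-682003330-12335:22335:
EOF

# Print the gid of every group in FILE whose member list names USER.
user_gids() {  # user_gids USER FILE
    awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) { print $3; break } }' "$2"
}

# Remove USER from GROUP's member list in FILE, keeping a FILE.bak copy
# (what the perl -ibackup_wed01 edit in the mail did).
group_del_user() {  # group_del_user USER GROUP FILE
    cp "$3" "$3.bak" || return 1
    awk -F: -v OFS=: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); out = ""
                  for (i = 1; i <= n; i++)
                      if (m[i] != u && m[i] != "")
                          out = (out == "" ? m[i] : out "," m[i])
                  $4 = out }
        { print }' "$3.bak" >"$3"
}

# Add USER to GROUP's member list in FILE unless already present (idempotent,
# so a daily cron run never duplicates a member).
group_add_user() {  # group_add_user USER GROUP FILE
    cp "$3" "$3.bak" || return 1
    awk -F: -v OFS=: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); found = 0
                  for (i = 1; i <= n; i++) if (m[i] == u) found = 1
                  if (!found) $4 = ($4 == "" ? u : $4 "," u) }
        { print }' "$3.bak" >"$3"
}

# Compare the gids /etc/group grants USER with the gids of the live token
# (the output of `id -G`, passed as one string).  Prints "file-only GID" for
# memberships the file claims but the token lacks and "token-only GID" for
# the reverse; no output means the two agree.
group_drift() {  # group_drift USER FILE "ID_G_OUTPUT"
    f=$(mktemp); t=$(mktemp)
    user_gids "$1" "$2" | sort -u >"$f"
    printf '%s\n' $3 | sort -u >"$t"
    comm -23 "$f" "$t" | sed 's/^/file-only /'
    comm -13 "$f" "$t" | sed 's/^/token-only /'
    rm -f "$f" "$t"
}

# Usage: the token gid list is the `id -G` output quoted in the mail.
group_drift adm_usr1 "$GROUP_SAMPLE" "16027 544 19858 19968 10513 16025 16026 16024 545"
```

"token-only" entries for local groups such as 544 (Administrators) and 545 (Users) are expected, since those lines carry no member list in /etc/group; a domain gid turning up token-only (as 16025 does once adm_usr1 is removed from XYZ_BLD_MGR) or any "file-only" entry is the file/token mismatch the thread is about, and is worth alerting on from the cron job before the next ssh login hits it.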