Mail Archives: cygwin/2006/08/30/17:55:15

Message-ID: <44F60931.1030604@cygwin.com>
Date: Wed, 30 Aug 2006 17:54:57 -0400
From: "Larry Hall (Cygwin)" <reply-to-list-only-lh AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
To: cygwin AT cygwin DOT com
Subject: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
References: <44F5FD93 DOT 1020503 AT asperasoft DOT com>
In-Reply-To: <44F5FD93.1020503@asperasoft.com>

Serban Simu wrote:
> I did notice a number of postings around this subject, but couldn't see 
> a resolution (Corinna answered a Feb '06 posting by Dave Perdue that the 
> problem should be fixed in 1.5.20, which is why I'm reposting for 1.5.21).
> 
> I am exclusively using password auth (and am aware of the pubkey auth 
> limitations).
> 
> The basic setup is a Win 2003 R2 standard server, member of a domain 
> (machine name is SM2WIN2003 and domain is OFFICE). Installed 1.5.21 and 
> ran ssh-host-config. All goes well and I have sshd service running as 
> local user sshd_server.
> 
> Then ran mkpasswd and mkgroup:
> mkpasswd -l > /etc/passwd
> mkpasswd -d >> /etc/passwd      (I only have one domain so this is same 
> as mkpasswd -d OFFICE)
> mkgroup -l > /etc/group
> mkgroup -d >> /etc/group
> 
> If I ssh as a local user "local1", Windows whoami returns
> sm2win2003\local1
> If I ssh as domain user "test1", Windows whoami returns
> sm2win2003\sshd_server   (BAD)
> 
> If I strip the /etc/group file to only:
>    SYSTEM:S-1-5-18:18:
>    None:S-1-5-21-3712540747-3723856708-2352634044-513:513:
>    Domain Users:S-1-5-21-4293257363-1756470469-1603820055-513:10513:
> Then ssh as domain user "test1", Windows whoami returns office\test1
> (GOOD)
> 
> Now, I tried adding the minimum possible to /etc/group to create the 
> problem, so if I just add one line:
>    SYSTEM:S-1-5-18:18:
>    None:S-1-5-21-3712540747-3723856708-2352634044-513:513:
>    Domain Users:S-1-5-21-4293257363-1756470469-1603820055-513:10513:
>    Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:
> Then ssh as domain user "test1", Windows whoami returns
> sm2win2003\sshd_server  (BAD)
> 
> My domain user test1 is a member of domain group Test Users.
> 
> So my questions would be:
> 
> (1) I did find a work around, but what is the explanation of this 
> problem and what is a good, solid work around?
> (2) Is there a way and a plan to straighten this behavior, and maybe 
> document the usage in Win 2003 domain environments (I'm assuming that 
> most people would be interested in accessing network resources in Win 
> 2003 domains, which is why this is a problem in the first place)
> 
> Also, I believe that I didn't have this problem on older Win 2003 
> (before R2), but I no longer have a test setup to confirm it.
> 
> Attached is the full "whoami /all" output and cygcheck.out.
> 


Interesting results.  It would be interesting to see what "whoami /all"
reports for these users locally as well, without the sshd "filter".  I
expect the issue at hand here is that one group for each user is the
primary group.  My WAG is that "Test Users" is the primary group for
the user "test1".  Off the top of my head, it's not clear how adding
the group to the '/etc/group' file changes things though.


-- 
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746
