Mail Archives: cygwin/2006/08/30/20:12:15
--=_zob.asperasoft.com-21200-1156979468-0001-2
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
/I'm attaching the whoami results:
whoami-win.txt - whoami ran when logged on the Windows computer
directly (both OFFICE\test1 and SM2WIN2003\local1)
whoami-ssh.txt - whoami ran while ssh-ed in as the user test1 (in both
cases, with and without the Test User group in /etc/group) and user local1
The interesting observations are:
- when ssh-ed as user test1, the SID reported by whoami is the correct
SID of the user in both cases. In one case the name is correct, in the
other the name is sshd_server
- when ssh-ed as user test1 with the stripped off /etc/group such that
whoami displays the right user, the group information is almost
identical to whoami ran logged on directly through Windows, with the
exception of group LOCAL, missing.
(also forgot to mention, the credit for the idea of stripping off
/etc/group goes to Dave Perdue)
From/: "Larry Hall (Cygwin)" <reply-to-list-only-lh at cygwin dot com>/
To/: cygwin at cygwin dot com/
Date/: Wed, 30 Aug 2006 17:54:57 -0400/
Subject/: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami
sshd_server (password auth)/
References/: <44F5FD93 DOT 1020503 AT asperasoft DOT com
<http://cygwin.com/ml/cygwin/2006-08/msg01056.html>>/
Reply-to/: cygwin at cygwin dot com
Serban Simu wrote:
I did notice a number of postings around this subject, but couldn't
see a resolution (Corinna answered a Feb '06 posting by Dave Perdue
that the problem should be fixed in 1.5.20, which is why I'm
reposting for 1.5.21).
I am exclusively using password auth (and am aware of the pubkey
auth limitations).
The basic setup is a Win 2003 R2 standard server, member of a domain
(machine name is SM2WIN2003 and domain is OFFICE). Installed 1.5.21
and ran ssh-host-config. All goes well and I have sshd service
running as local user sshd_server.
Then ran mkpasswd and mkgroup:
mkpasswd -l > /etc/passwd
mkpasswd -d >> /etc/passwd (I only have one domain so this is same
as mkpasswd -d OFFICE)
mkgroup -l > /etc/group
mkgroup -d >> /etc/group
If I ssh as a local user "local1", windows whoami returns
sm2win2003\local1
If I ssh as domain user "test1", windows whoami returns
sm2win2003\sshd_server (BAD)
If I strip the /etc/group file to only:
SYSTEM:S-1-5-18:18:
None:S-1-5-21-3712540747-3723856708-2352634044-513:513:
Domain Users:S-1-5-21-4293257363-1756470469-1603820055-513:10513:
Then ssh as domain user "test1", windows whoami returns office\test1
(GOOD)
Now, I tried adding the minimum possible to /etc/group to create the
problem, so if I just add one line:
SYSTEM:S-1-5-18:18:
None:S-1-5-21-3712540747-3723856708-2352634044-513:513:
Domain Users:S-1-5-21-4293257363-1756470469-1603820055-513:10513:
Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:
Then ssh as domain user "test1", windows whoami returns
sm2win2003\sshd_server (BAD)
My domain user test1 is a member of domain group Test Users.
So my questions would be:
(1) I did find a work around, but what is the explanation of this
problem and what is a good, solid work around?
(2) Is there a way and a plan to straighten this behavior, and maybe
document the usage in Win 2003 domain environments (I'm assuming
that most people would be interested in accessing network resources
in Win 2003 domains, which is why this is a problem in the first place)
Also, I believe that I didn't have this problem on older Win 2003
(before R2), but I no longer have a test setup to confirm it.
Attached is the full "whoami /all" output and cygcheck.out.
Interesting results. It would be interesting to see what "whoami /all"
reports for these users locally as well, without the sshd "filter". I
expect the issue at hand here is that one group for each user is the
primary group. My WAG is that "Test Users" is the primary group for
the user "test1". Off the top of my head, it's not clear how adding
the group to the '/etc/group' file changes things though.
--
Larry Hall http://www.rfk.com
RFK Partners, Inc. (508) 893-9779 - RFK Office
216 Dalton Rd. (508) 893-9889 - FAX
Holliston, MA 01746
--=_zob.asperasoft.com-21200-1156979468-0001-2
Content-Type: text/plain; name="whoami-win.txt"; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="whoami-win.txt"
##########################################################################
# Locally logged in user OFFICE\test1 #
##########################################################################
USER INFORMATION
----------------
User Name SID
============ ==============================================
office\test1 S-1-5-21-4293257363-1756470469-1603820055-1125
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================ ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
OFFICE\Test Users Group S-1-5-21-4293257363-1756470469-1603820055-1123 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeSystemtimePrivilege Change the system time Disabled
SeShutdownPrivilege Shut down the system Disabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeDebugPrivilege Debug programs Disabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
##########################################################################
# Locally logged in user SM2WIN2003\local1 #
##########################################################################
USER INFORMATION
----------------
User Name SID
================= ==============================================
sm2win2003\local1 S-1-5-21-3712540747-3723856708-2352634044-1009
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================ ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
======================= ======================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
--=_zob.asperasoft.com-21200-1156979468-0001-2
Content-Type: text/plain; name="whoami-ssh.txt"; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="whoami-ssh.txt"
#####################################################################
# LOGIN AS LOCAL USER local1 #
#####################################################################
C:\>ssh local1 AT 192 DOT 168 DOT 3 DOT 54
local1 AT 192 DOT 168 DOT 3 DOT 54's password:
local1 AT sm2win2003 ~$ C:/windows/system32/whoami /all
USER INFORMATION
----------------
User Name SID
================= ==============================================
sm2win2003\local1 S-1-5-21-3712540747-3723856708-2352634044-1009
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================ ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
======================= ======================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
local1 AT sm2win2003 ~
$ exit
logout
Connection to 192.168.3.54 closed.
#####################################################################
# LOGIN AS DOMAIN USER test1 (/etc/group has Test Users) #
#####################################################################
C:\>ssh test1 AT 192 DOT 168 DOT 3 DOT 54
test1 AT 192 DOT 168 DOT 3 DOT 54's password:
Last login: Wed Aug 30 11:43:21 2006 from 192.168.1.12
test1 AT sm2win2003 ~$ c:/windows/system32/whoami /all
USER INFORMATION
----------------
User Name SID
====================== ==============================================
sm2win2003\sshd_server S-1-5-21-4293257363-1756470469-1603820055-1125
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================ ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeSystemtimePrivilege Change the system time Enabled
SeShutdownPrivilege Shut down the system Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
test1 AT sm2win2003 ~
$ exit
logout
Connection to 192.168.3.54 closed.
#####################################################################
# LOGIN AS DOMAIN USER test1 (/etc/group doesn't have Test Users) #
#####################################################################
C:\Documents and Settings\asp1\Desktop>ssh test1 AT 192 DOT 168 DOT 3 DOT 54
test1 AT 192 DOT 168 DOT 3 DOT 54's password:
Last login: Wed Aug 30 13:05:37 2006 from 192.168.1.12
test1 AT sm2win2003 ~
$ c:/windows/system32/whoami /all
USER INFORMATION
----------------
User Name SID
============ ==============================================
office\test1 S-1-5-21-4293257363-1756470469-1603820055-1125
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================ ================ =====================================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
OFFICE\Test Users Group S-1-5-21-4293257363-1756470469-1603820055-1123 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeSystemtimePrivilege Change the system time Disabled
SeShutdownPrivilege Shut down the system Disabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeDebugPrivilege Debug programs Disabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
test1 AT sm2win2003 ~
$ exit
logout
Connection to 192.168.3.54 closed.
--=_zob.asperasoft.com-21200-1156979468-0001-2
Content-Type: text/plain; charset=us-ascii
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
--=_zob.asperasoft.com-21200-1156979468-0001-2--
- Raw text -