Mail Archives: cygwin/2006/08/31/13:01:43

X-Spam-Check-By: sourceware.org
Message-ID: <44F715E7.6070609@cygwin.com>
Date: Thu, 31 Aug 2006 13:01:27 -0400
From: "Larry Hall (Cygwin)" <reply-to-list-only-lh AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.5) Gecko/20060727 Fedora/1.5.0.5-1.fc4.remi Thunderbird/1.5.0.5 Mnenhy/0.7.4.0
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
References: <44F5FD93 DOT 1020503 AT asperasoft DOT com> <20060831161354 DOT GR20467 AT calimero DOT vinschen DOT de>
In-Reply-To: <20060831161354.GR20467@calimero.vinschen.de>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

Corinna Vinschen wrote:
> On Aug 30 14:05, Serban Simu wrote:
>> So my questions would be:
>>
>> (1) I did find a work around, but what is the explanation of this 
>> problem and what is a good, solid work around?
> 
> After some debugging I found that the explanation is that sshd drops
> all supplementary groups from the otherwise privileged user token. 
> This results in a minimized user token when calling initgroups, which
> in turn calls NetUserGetGroups, which in turn returns "Access denied".
> The solution is to drop back to the original process token before
> calling NetUserGetGroups from initgroups.  I've checked in a patch
> which should be available in the next developers snapshot from
> http://cygwin.com/snapshots/
> 
> A solid workaround if you're trying to get the same with the current
> Cygwin:  Add all users which want to log in this way to the gr_mem
> field of the appropriate groups in /etc/group.  In your example case,
> it would look like this:
> 
> Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:test1


Nice work!  I recommend a new gold star! :-)


-- 
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746
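
The gr_mem workaround quoted above can be audited with a short script. This is an added example, not code from the message or from Cygwin; the function names and the user test2 are hypothetical, and the sample file is constructed around the one /etc/group line quoted in the message.

```shell
#!/bin/sh
# Added example (not from the post or Cygwin). Cygwin-style /etc/group line:
#   name:SID:gid:member1,member2     (group names may contain spaces)

# Constructed sample: first line is the one quoted above, second is made up.
sample_group() {
cat <<'EOF'
Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:test1
Users:S-1-5-32-545:545:
EOF
}

# gr_mem_missing FILE GROUP USER...
# Prints every USER absent from the gr_mem field of GROUP.
# Exit status: 0 all listed, 1 some missing, 2 GROUP not in FILE.
gr_mem_missing() {
    file=$1; group=$2; shift 2
    awk -F: -v group="$group" -v users="$*" '
        $1 == group {
            found = 1
            sub(/\r$/, "", $4)               # tolerate CRLF line endings
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) listed[m[i]] = 1
        }
        END {
            if (!found) exit 2
            k = split(users, u, " ")
            for (i = 1; i <= k; i++)
                if (!(u[i] in listed)) { print u[i]; miss = 1 }
            exit (miss ? 1 : 0)
        }' "$file"
}

# gr_mem_add FILE GROUP USER
# Prints FILE with USER appended to the gr_mem of GROUP (no change if present).
gr_mem_add() {
    awk -F: -v OFS=: -v group="$2" -v user="$3" '
        $1 == group {
            n = split($4, m, ","); have = 0
            for (i = 1; i <= n; i++) if (m[i] == user) have = 1
            if (!have) $4 = ($4 == "" ? user : $4 "," user)
        }
        { print }' "$1"
}

# Demo on the constructed sample; test2 is a hypothetical second user.
tmp=$(mktemp); sample_group > "$tmp"
gr_mem_missing "$tmp" "Test Users" test1 test2 || echo "status $?"
gr_mem_add "$tmp" "Test Users" test2
rm -f "$tmp"
```

gr_mem_add writes to standard output only, so the result can be reviewed before it replaces /etc/group. User names containing spaces are not handled.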

