Mail Archives: cygwin/2006/10/01/23:47:31

Message-ID: <45208BBE.30807@asperasoft.com>
Date: Sun, 01 Oct 2006 20:47:10 -0700
From: Serban Simu <serban AT asperasoft DOT com>
User-Agent: Thunderbird 1.5.0.7 (Windows/20060909)
Mime-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)

I got a chance to test the snapshot 2006-09-07. It does behave 
differently, but still doesn't solve the problem. whoami now shows user 
nt authority\system, whereas before the patch it showed sshd_server. 
Both the snapshot and 1.5.21 show the correct SID for the domain user.

I also verified that if I add the user name explicitly to /etc/group for 
each group it belongs to, other than the primary group, whoami reports 
the correct domain user and access to network resources works properly. 
Also, users that don't belong to any groups other than their primary 
group (which seems to be Domain Users by default), don't exhibit this 
problem (this is just a particular case of the previous statement).

Attached is the whoami output for the Windows 2003 computer running 
1.5.21 plus the snapshot. If I can be of any help narrowing this down, 
please let me know.


- Serban


From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
To: cygwin at cygwin dot com
Date: Thu, 31 Aug 2006 18:13:55 +0200
Subject: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
References: <44F5FD93 DOT 1020503 AT asperasoft DOT com> <http://cygwin.com/ml/cygwin/2006-08/msg01056.html>
Reply-to: cygwin at cygwin dot com

On Aug 30 14:05, Serban Simu wrote:

    So my questions would be:

    (1) I did find a work around, but what is the explanation of this
    problem and what is a good, solid work around? 


After some debugging I found that the explanation is that sshd drops
all supplementary groups from the otherwise privileged user token. This 
results in a minimized user token when calling initgroups, which
in turn calls NetUserGetGroups, which in turn returns "Access denied".
The solution is to drop back to the original process token before
calling NetUserGetGroups from initgroups. I've checked in a patch
which should be available in the next developers snapshot from
http://cygwin.com/snapshots/

A solid workaround if you're trying to get the same with the current
Cygwin:  Add all users which want to log in this way to the gr_mem
field of the appropriate groups in /etc/group.  In your example case,
it would look like this:


Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:test1


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

-- 
- Serban Simu
  Aspera Inc., Berkeley CA       http://www.asperasoft.com
  serban AT asperasoft DOT com          (510) 849-2386


[Attachment: whoami-snap.txt]

C:\aspera>ssh serban AT 192 DOT 168 DOT 1 DOT 171
serban AT 192 DOT 168 DOT 1 DOT 171's password:
Last login: Fri Sep 29 11:16:35 2006 from olp

serban AT olp-w2003 ~
$ c:/windows/system32/whoami.exe /all

USER INFORMATION
----------------

User Name           SID
=================== ==============================================
nt authority\system S-1-5-21-4293257363-1756470469-1603820055-1107


GROUP INFORMATION
-----------------

Group Name                       Type             SID          Attributes
================================ ================ ============ ==================================================
Everyone                         Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name          Description              State
======================= ======================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
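Corinna's workaround above (list each user in the gr_mem field of every supplementary group in /etc/group) and Serban's attached whoami dump, worked through as an added example; this is not code from the thread or from Cygwin. It assumes the /etc/group layout shown in Corinna's line (name:SID:gid:gr_mem). The sample group file, the user name test1 and its supplementary groups are constructed, so on a real host the membership list would have to come from the domain (for instance from Cygwin's mkgroup -d output, which the script does not call). The whoami section is Serban's own output, reduced to the lines the check reads.

```python
import re
from typing import Dict, List

# Constructed /etc/group in the layout Corinna quotes (name:SID:gid:gr_mem).
# Only the domain SID prefix is taken from the page; the entries are made up.
SAMPLE_GROUP_FILE = """\
# constructed sample
root:S-1-5-32-544:544:
Users:S-1-5-32-545:545:
Domain Users:S-1-5-21-4293257363-1756470469-1603820055-513:10513:
Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:
Build Admins:S-1-5-21-4293257363-1756470469-1603820055-1150:11150:alice
"""

# Hypothetical: the supplementary groups the domain says 'test1' belongs to.
# The primary group (Domain Users) is deliberately left alone: Serban reports
# that users with only a primary group log in correctly without a gr_mem entry.
SUPPLEMENTARY_GROUPS = ["Test Users", "Build Admins"]

# name:SID:gid:gr_mem; comment lines and blank lines do not match.
ENTRY_RE = re.compile(r"^([^:#][^:]*):([^:]*):([^:]*):([^:]*)$")


def members(gr_mem: str) -> List[str]:
    """Split a gr_mem field, tolerating an empty one."""
    return [m for m in gr_mem.split(",") if m]


def missing_memberships(group_text: str, user: str, groups: List[str]) -> List[str]:
    """Groups from `groups` whose gr_mem field does not list `user`."""
    listed: Dict[str, List[str]] = {}
    for line in group_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            listed[m.group(1)] = members(m.group(4))
    absent = [g for g in groups if g not in listed]
    if absent:
        raise KeyError(f"groups not present in group file: {absent}")
    return [g for g in groups if user not in listed[g]]


def add_user_to_groups(group_text: str, user: str, groups: List[str]) -> str:
    """Return the group file with `user` appended to gr_mem of each named group.
    Idempotent: a user already listed is not duplicated, and lines that are not
    group entries (comments, blanks) pass through untouched."""
    wanted = set(groups)
    out = []
    for line in group_text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(1) in wanted:
            name, sid, gid, gr_mem = m.groups()
            current = members(gr_mem)
            if user not in current:
                current.append(user)
            line = ":".join([name, sid, gid, ",".join(current)])
        out.append(line)
    return "\n".join(out) + "\n"


# The two sections of Serban's attached `whoami /all` output that the check reads.
WHOAMI_DUMP = r"""
User Name           SID
=================== ==============================================
nt authority\system S-1-5-21-4293257363-1756470469-1603820055-1107

Group Name                       Type             SID          Attributes
Everyone                         Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
"""

SID_RE = re.compile(r"\bS-1-(?:\d+-)+\d+\b")


def domain_groups_in_token(whoami_text: str) -> List[str]:
    """Group SIDs in a `whoami /all` dump that share the user's domain prefix
    (S-1-5-21-<domain>-), i.e. the domain groups that actually reached the
    login token. The first SID in the dump is the user's own. For a domain
    user an empty list is the broken token Serban describes: the user SID is
    right, but every supplementary domain group is gone."""
    sids = SID_RE.findall(whoami_text)
    if not sids or not sids[0].startswith("S-1-5-21-"):
        raise ValueError("first SID in dump is not a domain account SID")
    domain_prefix = sids[0].rsplit("-", 1)[0] + "-"
    return [s for s in sids[1:] if s.startswith(domain_prefix)]


if __name__ == "__main__":
    print("missing before:", missing_memberships(SAMPLE_GROUP_FILE, "test1", SUPPLEMENTARY_GROUPS))
    fixed = add_user_to_groups(SAMPLE_GROUP_FILE, "test1", SUPPLEMENTARY_GROUPS)
    print("missing after: ", missing_memberships(fixed, "test1", SUPPLEMENTARY_GROUPS))
    print("domain groups in Serban's token:", domain_groups_in_token(WHOAMI_DUMP))
```

Run missing_memberships before and after editing /etc/group to confirm every supplementary group now lists the user, then log in over ssh and feed `whoami /all` to domain_groups_in_token: on a domain user it should return that user's S-1-5-21 group SIDs, and an empty list is the stripped token Serban's attachment shows, whatever name whoami prints for the user.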
