Mail Archives: cygwin/2006/10/14/09:53:44

To: cygwin AT cygwin DOT com
From: Andrew DeFaria <Andrew AT DeFaria DOT com>
Subject: Shared home dir, samba workgroups and ssh
Date: Sat, 14 Oct 2006 08:52:53 -0500
Message-ID: <egqq3m$o4u$1@sea.gmane.org>
User-Agent: Thunderbird 1.5.0.7 (Windows/20060909)

Here's the story. I use Cygwin on my XP desktop. I like having a home 
directory on Windows that is the same home directory on Unix/Linux 
machines. Often companies offer access to your Unix/Linux home directory 
via Samba. Also, often companies do not bother to set up a Samba server 
which participates in a domain, so the Samba server is configured as 
being in a workgroup.

Now for a long time I struggled with this. I would map //<samba 
server>/<home share> -> my H drive then mount the H drive as /home and 
make sure my Cygwin /etc/passwd referred to my home directory of 
/home/$USER. All is great.

But when dealing with Samba servers that are configured into workgroups, 
innocuous activities in Cygwin would elicit permission denied messages. 
For example, touching a file in the home directory and indeed even 
vi'ing a file, etc. Creating a file within Windows Explorer or using 
other Windows oriented tools would work just fine. Files created on the 
Unix/Linux side would also work fine but when looked at from Cygwin on 
the PC would have odd (read "nobody") ownerships and permissions.

Of course as Cygwin is often not supported by the typical company's IT 
department and because many people do not attempt to utilize Cygwin 
fully often requests for assistance and change fell on deaf ears...

Eventually I figured out that my Windows SID in /etc/passwd is the SID 
of my domain user and since the Samba server was not in the domain my 
SID does not authenticate properly. Then I had a breakthrough in that I 
realized that I was using SMBNTSEC as well as NTSEC in my Cygwin 
environment. I figured "Yeah I want to use the same Windows security for 
SMB mounted drives too". This is where my problem lies and it's because 
the Samba server configured by the client does not participate in the 
Windows domain from which I've logged in.

Now I'm pretty sure that Samba could be configured properly into a 
Windows domain as Samba can be configured as a PDC or a BDC, but many 
clients don't bother to go that far. So why is Windows able to deal with 
this but not Cygwin?

I believe that this is because within Samba a very basic approach is 
kept towards storing of user identification information. Indeed basic 
Samba just has an smbpasswd file which is much like your typical 
Unix/Linux /etc/passwd file and it is not designed to carry extra 
information about users and machine accounts as well as multiple groups 
and trust associations, etc. Even the Samba documentation talks about hooking 
Samba up to either LDAP or what they call a Trivial DataBase (TDB) in 
order to store such additional Windows only information.

So I thought the simple solution was to remove SMBNTSEC from my Cygwin 
environment and all would be fine. And indeed it is! Well almost...

Along comes ssh... So I like to use ssh to log into various Unix/Linux 
systems as I work. And again I share my home directory between Windows 
and Unix/Linux. Finally I like setting up passwordless public key ssh 
login as I'm not one of those who likes having to type in his password 
hundreds of times a day. But ssh is picky about permissions of your 
~/.ssh and ~/.ssh/id_<type> key files. When ssh'ing from Cygwin to a 
Unix/Linux box I am now receiving the following:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Permissions 0644 for '/home/x0062320/.ssh/id_rsa' are too open.
    It is recommended that your private key files are NOT accessible by others.
    This private key will be ignored.
    bad permissions: ignore key: /home/x0062320/.ssh/id_rsa
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Permissions 0644 for '/home/x0062320/.ssh/id_dsa' are too open.
    It is recommended that your private key files are NOT accessible by others.
    This private key will be ignored.
    bad permissions: ignore key: /home/x0062320/.ssh/id_dsa
    x0062320@stashu's password:

And, of course, I need to type in my password again! What I believe is 
happening is that because my home directory is SMB mounted and SMBNTSEC 
is off then Cygwin reports that files like ~/.ssh/id_rsa are 0644 even 
if I change them on Unix/Linux to 0600. So, for example:

    <unix box>$ ls -l ~/.ssh/id_rsa
    -rw-------  1 x0062320 generic 887 Aug 31 16:43 /home/x0062320/.ssh/id_rsa

While:

    <cygwin>$ ls -l ~/.ssh/id_rsa
    -rw-r--r-- 1 x0062320 Domain Users 887 Aug 31 16:43 /home/x0062320/.ssh/id_rsa

Is there any way to work around this problem (short of reconfiguring the 
Samba server)?

-- 

Andrew DeFaria <http://defaria.com>
Friends help you move. Real friends help you move bodies.
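
The permission test behind the warning quoted in the message above, as an added example that is not part of the original post: the ssh client ignores a private key when the file is owned by the invoking user and its mode grants anything to group or other. The function names `key_mode_ok` and `audit_keys` are hypothetical, and GNU `stat` (coreutils) is assumed.

```shell
#!/bin/sh
# Added example: reproduce the ssh client's private-key mode test so the
# same key can be audited from the Unix/Linux box and from the Cygwin side
# of an SMB-mounted home directory. Assumes GNU stat (coreutils).

# key_mode_ok MODE
# Succeeds when the octal MODE grants no access to group or other,
# i.e. (mode & 077) == 0, the condition ssh requires of a private key.
key_mode_ok() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# audit_keys DIR
# Prints "<verdict> <mode> <path>" for each id_* private key in DIR and
# returns non-zero if at least one key would be ignored by ssh.
audit_keys() {
    dir=$1
    rc=0
    me=$(id -u)
    for f in "$dir"/id_*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac      # public halves are not checked
        mode=$(stat -c '%a' "$f") || continue
        owner=$(stat -c '%u' "$f") || continue
        # ssh only enforces the mode on keys owned by the calling user
        if [ "$owner" != "$me" ] || key_mode_ok "$mode"; then
            echo "ok $mode $f"
        else
            echo "IGNORED $mode $f"
            rc=1
        fi
    done
    return $rc
}
```

Sourcing this file and running `audit_keys ~/.ssh` on both machines shows whether the mode reported to ssh differs between the two views of the same file, which is the discrepancy visible in the two `ls -l` listings.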

