Mail Archives: cygwin/2008/08/12/15:27:08

Message-Id: <200808121926.m7CJQ1Er026029@tigris.pounder.sol.net>
From: cygzw AT trodman DOT com (Tom Rodman)
To: cygwin AT cygwin DOT com
Subject: Re: /etc/group manual-edits-workaround still reqd in 1.7?
In-reply-to: <20080728081831.GF29031@calimero.vinschen.de>
References: <200807261412 DOT m6QECLcA001404 AT tigris DOT pounder DOT sol DOT net> <20080728081831 DOT GF29031 AT calimero DOT vinschen DOT de>
Date: Tue, 12 Aug 2008 14:26:00 -0500

On Mon 7/28/08 10:18 +0200 Corinna Vinschen wrote:
> On Jul 26 09:12, Tom Rodman wrote:
> > I use cygwin in a large domain, from time to time my account is
> > added or removed from domain groups without any warning (last
> > time 'IT' added 'Domain Users' to some other domain group - so all
> > domain users were impacted!).  When this happens my credentials in
> > a password-authenticated ssh session, get clobbered & I have
> > to manually edit /etc/group, per:
> > 
> >   http://cygwin.com/ml/cygwin/2005-07/msg01287.html
> > 
> > Does this issue "go away" under cygwin 1.7?
> 
> I don't know but it's supposed to be better.  I relaxed the rules which
> result in a token created through password login being overridden with a
> self-created token.  

Thanks Corinna/appreciate your help.  

When that self-created token is created (under 1.5.x) is that
the point that cygwin looks for the user's group memberships
as defined in /etc/group?

> You will still have to create a new /etc/group, though.

Creating it daily (w/cron) is no problem, but, I'm still not
clear.. in 1.7 do we still have to (in addition) update /etc/group
so that domain users (that actually use ssh) have their comma
delimited usernames in the last field on the respective lines in
/etc/group, for all the domain groups they belong to?

I suppose .. to be fair- if cygwin needs to list all the domain
groups I'm in, then it should be able to determine this "in the
UNIX way", by looking at /etc/group.  The problem is that our
accts get added to groups by our IT dept w/o any advance warning.

some observations:

  In cygwin 1.5.x when domain user 'johndoe' starts a password
  authenticated ssh session on a host where the /etc/group file is
  complete (i.e. has *all* the local and domain groups), but does
  NOT have the edits in place (where user 'johndoe' is listed in
  all the domain groups within /etc/group that he belongs to), then this
  session will be "untrusted by network shares", even shares with read
  access to EVERYONE.  Within this type of deprecated session (on
  windows 2003 server), I've noticed:

     LOGNAME is set to     'sshd_server'
    USERNAME is set to     'sshd_server'
     output of 'id -un' is 'johndoe'

    "mkpasswd -d -u johndoe" fails w/:
      mkpasswd (272): [1326] Logon failure: unknown user name or bad password

    you get a 'Permission denied' error even when you're just trying to read a
    share that has an "everyone READ" ace on the share and the directory

--
thanks/regards,
Tom
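
A check for the condition described in the observations above: a complete /etc/group whose domain-group lines do not list the ssh user in the last field. This is an added example, not part of the original message or of Cygwin; the group names, SIDs and function names are constructed, and the caller is assumed to supply the list of groups the user should belong to.

```shell
#!/bin/sh
# Added example: report which of a user's expected groups do not list the
# user in the member (4th) field of a file in /etc/group format.

# Constructed sample data, not taken from the original message.
# Fields: name:SID-or-passwd:gid:comma-delimited-members
write_sample_group_file() {
    cat > "$1" <<'EOF'
Users:S-1-5-32-545:545:
Domain Users:S-1-5-21-1111111111-2222222222-3333333333-513:10513:janedoe,johndoe
Eng Share RO:S-1-5-21-1111111111-2222222222-3333333333-1201:11201:janedoe
Build Ops:S-1-5-21-1111111111-2222222222-3333333333-1202:11202:johndoe2
EOF
}

# usage: missing_memberships USER GROUP_FILE GROUP...
# Prints one line per problem found:
#   unlisted:<group>  the group line exists but USER is not in the member field
#   absent:<group>    GROUP_FILE has no line for that group
# Names are passed through the environment so awk does not interpret
# backslashes in them; members are compared whole, so 'johndoe2' does not
# count as 'johndoe'.
missing_memberships() {
    user=$1; file=$2; shift 2
    for grp in "$@"; do
        U="$user" G="$grp" awk -F: '
            $1 == ENVIRON["G"] {
                found = 1
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] == ENVIRON["U"]) listed = 1
            }
            END {
                if (!found)       print "absent:" ENVIRON["G"]
                else if (!listed) print "unlisted:" ENVIRON["G"]
            }' "$file"
    done
}

# Demo on the constructed sample; 'VPN Users' is deliberately not in the file.
tmp=$(mktemp) && write_sample_group_file "$tmp"
missing_memberships johndoe "$tmp" "Domain Users" "Eng Share RO" "Build Ops" "VPN Users"
rm -f "$tmp"
```

Run against the real /etc/group from cron, any output means the file has drifted from the expected memberships and needs the manual edit again.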
