Mail Archives: cygwin/2009/06/24/05:25:24

X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Wed, 24 Jun 2009 11:24:56 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: [1.7] sshd dc problem
Message-ID: <20090624092456.GD7289@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <6910a60906220848l6470a9cl44094f8bd93555ea AT mail DOT gmail DOT com> <20090623100826 DOT GG5039 AT calimero DOT vinschen DOT de> <6910a60906240145i5a95cba9s948b181158a960e9 AT mail DOT gmail DOT com>
MIME-Version: 1.0
In-Reply-To: <6910a60906240145i5a95cba9s948b181158a960e9@mail.gmail.com>
User-Agent: Mutt/1.5.19 (2009-02-20)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Jun 24 10:45, Reini Urban wrote:
> 2009/6/23 Corinna Vinschen:
> > On Jun 22 17:48, Reini Urban wrote:
> >> I should be able to login with pubkey to my box with sshd when windows
> >> lets me in also.
> >
> > That's easier said than done.
> >
> > Apparently your laptop is configured to allow using cached credentials
> > which are used by the machine if it can't connect to a DC.  The token
> > information (groups/privileges) is also cached somewhere in a
> > non-documented storage.  Whatever Windows is using, it's not accessible
> > for Cygwin.  At least I don't know how to do it.
> 
> Is it possible to detect that one is logged in with a cached
> credential at least?

I don't know.  I don't think so.  And even then there's the problem that
more than one user session can be active, so you would have to find the
right one first.

Hmm.

Come to think of it, what Cygwin could try starting with Windows XP
is to use Terminal Service functions to see if the user is already
logged in, and if so, use that user's token for the setuid call.
I never tried that before, so I don't know if that works as desired.
Anyway, that's something to try for a later version of Cygwin.

> Then the failing initgroups DcGetDcName(PDC_REQUIRED) can be made non-fatal.
> Or maybe there's a PDC_OPTIONAL

I'm not requiring the PDC, at least post-NT4.  The function calls
DsGetDcNameW asking for any DC.  If that fails, it just tries it again
with the DS_FORCE_REDISCOVERY flag.

> > So, for the time being, the workaround to get a user token is thus:
> >
> > 1. I'll patch Cygwin to ignore the fact that the group information
> >   couldn't be fetched from the server.
> 
> Great!
> 
> > 2. Either you're happy with a restricted token,
> 
> Restricted token is okay for me.

It's *very* restricted.  It only contains the barest groups, plus
"Users" and your primary domain group as set in /etc/passwd.  If you
need more supplementary groups, you have to add yourself to the
respective /etc/group entries.

> 
> >  or you use the new logon
> >   method 3 as described in
> >   http://cygwin.com/1.7/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
> >   This results in getting a token right from Windows based on the
> >   cached credentials.
> 
> I'll try password auth then, thanks

Using password auth doesn't solve the initgroups problem, unfortunately.
You'll still need the aforementioned patch to Cygwin.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
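The supplementary-group workaround from the reply above (with the restricted token, Cygwin only gives you the groups whose /etc/group entries list you as a member), as an added example that is not part of the original message and is not Cygwin project code: a POSIX shell helper that appends a user to the member field of the named Cygwin 1.7 /etc/group entries (`name:SID:gid:member,member`), idempotently, and refuses to write anything if one of the groups is absent. The sample group file, the user names and the `S-1-5-21-111-222-333` domain SID are constructed for the demonstration; only the well-known `Users` and `Administrators` SIDs are real.

```shell
#!/bin/sh
# Added example, not Cygwin project code.  With the restricted token Corinna
# describes, supplementary groups come from /etc/group, so the user has to be
# listed as a member of each group they want.  add_to_groups appends USER to
# the member field of each named Cygwin 1.7 /etc/group entry
# (format: name:SID:gid:member,member).  It is idempotent and leaves the file
# untouched if any named group is missing.
#
# Usage: add_to_groups FILE USER GROUP [GROUP...]
add_to_groups() {
    file=$1
    user=$2
    shift 2
    tmp="$file.tmp.$$"
    # Group names may contain spaces ("Domain Users"), so hand the list to
    # awk newline-separated through the environment instead of via -v.
    WANT=$(printf '%s\n' "$@") awk -F: -v user="$user" '
        BEGIN {
            OFS = ":"
            n = split(ENVIRON["WANT"], g, "\n")
            for (i = 1; i <= n; i++) want[g[i]] = 1
        }
        ($1 in want) {
            seen[$1] = 1
            # Only append when the user is not already in the member list.
            k = split($4, mem, ",")
            found = 0
            for (j = 1; j <= k; j++) if (mem[j] == user) found = 1
            if (!found) $4 = ($4 == "") ? user : $4 "," user
        }
        { print }
        END {
            rc = 0
            for (name in want) if (!(name in seen)) {
                print "add_to_groups: no such group: " name > "/dev/stderr"
                rc = 1
            }
            exit rc
        }' "$file" > "$tmp" && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
}

# Constructed sample of a Cygwin 1.7 /etc/group; the domain SID is made up.
make_sample_group_file() {
    cat > "$1" <<'EOF'
Administrators:S-1-5-32-544:544:
Users:S-1-5-32-545:545:
Domain Users:S-1-5-21-111-222-333-513:10513:alice
Developers:S-1-5-21-111-222-333-1105:11105:alice,bob
EOF
}

# Print the member field of GROUP in FILE (empty if the group has no members).
members_of() {
    awk -F: -v name="$2" '$1 == name { print $4 }' "$1"
}
```

Run it as `add_to_groups /etc/group yourname Users 'Domain Users'`; sessions started after the edit pick up the new membership. The all-or-nothing behaviour on a missing group is deliberate, so a typo in a group name cannot leave a half-edited file behind.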
