Mail Archives: cygwin/2011/05/05/07:58:05

X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=1.3 required=5.0 tests=AWL,BAYES_50,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,T_RP_MATCHES_RCVD,T_TO_NO_BRKTS_FREEMAIL
X-Spam-Check-By: sourceware.org
Message-ID: <12322-1304596661-486790@sneakemail.com>
Date: Thu, 5 May 2011 07:57:36 -0400
From: "Robert Jacobson" <q7zfcru02 AT sneakemail DOT com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.17) Gecko/20110414 Thunderbird/3.1.10
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: sshd in a domain
References: <31121-1277385867-470920 AT sneakemail DOT com>
In-Reply-To: <31121-1277385867-470920@sneakemail.com>
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On 6/24/2010 9:24 AM, Robert Jacobson wrote:
> I need some help to get sshd working so that when I login using
> public-key auth to my domain account (which has local administrator
> privileges), it actually has the Administrator privs.
>
> The platform is Windows XP Pro, joined to a domain.
>
> C. Vinschen already kindly pointed me to the FAQ, here:
> http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain
>
> but I think I'm missing something about the setup, or done it wrong.
>
> I created a domain account, we'll call it "cyg_server" for convenience.
>
> I have a GPO that defines the "cyg_server" User Right Assignments so
> that it can "Act as part of the operating system", "Act as part of the
> operating system", and "Replace a process level token".  I also placed
> cyg_server in the local Administrators group.
>
> I've confirmed the GPO is applied successfully.  The cyg_server account
> appears in the correct areas when I look at "gpedit.msc".
>
> Where I think I'm failing is the setup for ssh-host-config.  I tried:
>
> 	ssh-host-config -u cyg_server -p 'password' --privileged
>
> First, I'm warned that I don't need a privileged account because I'm not
> running W2k3, Vista, etc.  (The FAQ specifically says to use a different
> account, so this seems contradictory, yes?)
>
> Also, I get:
> *** Warning: Privileged account 'cyg_server' was specified,
> *** Warning: but it does not have the necessary privileges.
> *** Warning: Continuing, but will probably use a different account.
> *** Warning: The specified account 'cyg_server' does not have the
> *** Warning: required permissions or group memberships. This may
> *** Warning: cause problems if not corrected; continuing...
>
> It installed the service, but the service did not start, due to a login
> failure.
>
> I can login to the account using
> 	runas /user:domain\cyg_server cmd
> just fine.  I'm sure the password I specified was correct.
>
> I opened the Service configuration GUI, and just in case, I pasted the
> password into the proper spot.  The GUI responded with (paraphrase)
> 	"cyg_server" has been granted the "Logon as a service" right.
>
> The service then started successfully.  So, did I miss something, or
> does that mean the FAQ should include "Logon as a service" in the needed
> user rights?
>
> In any case, although the service now starts successfully (running under
> the cyg_server account), when I login via SSH (either password OR public
> key), I do NOT have Administrator privileges; i.e. according to the 'id'
> command, I'm not in group "544(Administrators)".  I'm not even in the
> regular "Users" group!
>
> Obviously I've done something wrong...  Help, please!
>

I'm responding to my own post -- from nearly a year ago -- because I
finally learned how to configure sshd so that I get the right
permissions for my administrator account.

The fix was simple -- I just ran "cyglsa-config" and rebooted.  I had no
idea "cyglsa" existed until I tried to get cron working the other day
and saw it in a follow-up post.

The "id" command now shows the exact same output in the console terminal
and when I login via SSH.

I propose that you add this to the FAQ at:
  http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain
possibly with a note about the necessity of rebooting after cygwin
updates if you use cyglsa.

Is there some reason (other than the reboot-after-cygwin-update
requirement) that "ssh-host-config" doesn't automatically run
cyglsa-config as well?  Or at least warn you that you won't get the
right group membership without it?

-- 

Robert Jacobson               

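As an added check that is not part of the original post or of Cygwin's own configuration scripts: the symptom described above (a domain account whose `id` output in an SSH session lacks 544(Administrators) and 545(Users) that the same account shows in a console session) is easy to confirm mechanically. The script below takes two lines of `id` output, one captured in a Cygwin terminal and one captured via `ssh user@host id`, and lists the numeric group IDs the SSH session's token is missing. The two `id` lines embedded here are constructed sample input; the user name, group names and numeric IDs are illustrative, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): compare the group list that
# `id` reports in a Cygwin console session with the one reported inside an
# SSH session, and print the groups the SSH session is missing.

# Constructed sample `id` output, modelled on Cygwin's format. Names and
# numeric IDs are illustrative. On a real host capture them with:
#   console:  id
#   ssh:      ssh cyg_server@host id
CONSOLE_ID='uid=1001(cyg_server) gid=513(Domain Users) groups=513(Domain Users),544(Administrators),545(Users),1104(Domain Admins)'
SSH_ID='uid=1001(cyg_server) gid=513(Domain Users) groups=513(Domain Users),1104(Domain Admins)'

# group_ids LINE: print the numeric group IDs from one line of `id` output,
# one per line, numerically sorted. Group names may contain spaces, so the
# list is split on commas and the "(name)" suffix is stripped afterwards.
group_ids() {
    printf '%s\n' "$1" |
        sed -n 's/.*groups=//p' |
        tr ',' '\n' |
        sed 's/(.*//' |
        sort -n
}

# missing_groups CONSOLE_LINE SSH_LINE: print the group IDs present in the
# console token but absent from the SSH token, one per line.
missing_groups() {
    ssh_groups=" $(group_ids "$2" | tr '\n' ' ') "
    for g in $(group_ids "$1"); do
        case "$ssh_groups" in
            *" $g "*) ;;                 # present in the SSH session too
            *) printf '%s\n' "$g" ;;     # only in the console session
        esac
    done
}

# has_admin_group LINE: succeed (exit 0) if the token includes
# 544, the well-known RID of the local Administrators group.
has_admin_group() {
    group_ids "$1" | grep -qx 544
}

# Usage: reproduce the thread's symptom with the sample input.
missing=$(missing_groups "$CONSOLE_ID" "$SSH_ID")
if [ -n "$missing" ]; then
    echo "SSH session is missing groups: $(printf '%s\n' "$missing" | tr '\n' ' ')"
    if ! has_admin_group "$SSH_ID"; then
        echo "No 544(Administrators) in the SSH token; this is the symptom the thread fixed by running cyglsa-config and rebooting."
    fi
else
    echo "SSH session and console session report the same groups."
fi
```

The comparison is on numeric IDs rather than names because the names in `id` output depend on the locale and on whether the domain prefix is shown, while the RIDs (544 for Administrators, 545 for Users) are stable. Run it once before and once after `cyglsa-config` and the reboot; an empty "missing" list is the expected result afterwards, matching the observation in the post that `id` then prints the same output in both sessions.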


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
