Date: Fri, 3 Aug 2012 09:48:58 +0200
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin@cygwin.com
Subject: Re: Seteuid "operation not permitted" error when using LSA for sshd
Message-ID: <20120803074858.GA27106@calimero.vinschen.de>

On Aug  2 18:39, David Koppenhofer wrote:
> > Why did you install cyglsa64 from the old snapshot?  The changes to
> > cyglsa are supposed to be in the Cygwin 1.7.16 package anyway.
> 
> Because I was grasping for straws, and didn't know the fix was in the current
> package.
> 
> 
> > > I rebooted the server, made sure the sshd service was running, but I still
> > > receive the "sshd: PID 3064: fatal: seteuid 1000: Operation not permitted"
> > > error.
> > 
> > Does the service account have TCB privileges?  That's a hard requirement
> > for the user switch.
> 
> Ah ha!  The service account does not have the "Act as part of the operating
> system" permission.
> 
> However, I ended up asking the network admin to give "Create a token object" to
> the service account.  Since key authentication started working after that, I'll
> just leave things as they are.

If the restrictions of this mode, especially in terms of network shares,
are no problem for you, that's fine.  Otherwise I'd like to point out
http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat


