X-Recipient: archive-cygwin@delorie.com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:from:to:subject:date:message-id:references
	:in-reply-to:content-type:content-transfer-encoding
	:mime-version; q=dns; s=default; b=ABS433z53NP8ZMGqI1DA0gzJHQ9Ja
	DaNiQof9AsbshOPfRENXMeQfun9Uhjl3jhfpPFxYR8TTLkW32k5qhHBsjmAEYo5i
	v9ZsMMwgg+eDgtXKXVa0u5MPkgeGovAfpvh+wX+8Xj60C+dzET+qQLScMEfVnRhO
	cjoIeqxjK7CpCI=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:from:to:subject:date:message-id:references
	:in-reply-to:content-type:content-transfer-encoding
	:mime-version; s=default; bh=BcoqGQGkjkfaDH0hvD5D2jc1SHI=; b=Khg
	JUk1Eq8kX25cAddX389snIzrL+GeVb/FiM1hLDswMUVIyqUgFppVhu0McSSyvihv
	ghPuKkRM1fYJawX+6NSXPUYhjXGJnP6kgiezNmHfafqO1VrbedVETMvj+sfYNdF+
	bHqZVka0l9BGbwIPNLzvLZklmEANk9ylNMo4dZJk=
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Delivered-To: mailing list cygwin@cygwin.com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-6.9 required=5.0 tests=BAYES_00,GIT_PATCH_2,MIME_BASE64_BLANKS,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS autolearn=ham version=3.3.1 spammy=passwords, techniques, sk:corinna, HX-Languages-Length:2173
X-HELO: EUR03-AM5-obe.outbound.protection.outlook.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=clarizen.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=u1HfpAB2qn4Tnv1y/KJlIXN8cW3TEDak59vUWXnp0SI=; b=T4wrQ9hrLcA4E2bnoh+/iAT/7uVazVunIZEknUFxrdSN0q7FhbHLj41hKmSbontnUvQ34t+dCAHL3vK5XXiahVhuI7N6CKIVsoZwW60kmdg00okxoQkP8K/CAR8DbsTT8Hn8moxSGxEUCA62KUBtFzAgcn00q0seF+CRZDDcdqo=
From: Maayan Apelboim <Maayan.Apelboim@clarizen.com>
To: "cygwin@cygwin.com" <cygwin@cygwin.com>
Subject: RE: can't access remote shares when using ssh with rsa key - passwd -R / set(e)uid / LogonUser is not working as expected
Date: Wed, 13 Mar 2019 08:31:59 +0000
Message-ID: <AM6PR07MB5334039B3C212C637316AF94954A0@AM6PR07MB5334.eurprd07.prod.outlook.com>
References: <20190306122816.GP3785@calimero.vinschen.de>
In-Reply-To: <20190306122816.GP3785@calimero.vinschen.de>
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Maayan.Apelboim@clarizen.com;
x-ms-exchange-purlcount: 1
received-spf: None (protection.outlook.com: clarizen.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by delorie.com id x2D8WJPV016732

Hi,

I appreciate your detailed response, however, stored passwords doesn't work properly.
I've read the article and ran passwd -R as described - no errors generated and I was able to find the relevant registry entry after running the command, but still can't access network shares (access denied).
When I login with password network shares are available.

Is there something else I need to do except 'passwd -R' for getting a proper token?

Thanks

-----Original Message-----
From: Corinna Vinschen [mailto:corinna-cygwin@cygwin.com] 
Sent: Wednesday, March 6, 2019 2:28 PM
To: cygwin@cygwin.com
Subject: Re: can't access remote shares when using ssh with rsa key - passwd -R / set(e)uid / LogonUser is not working as expected

On Mar  6 10:09, Maayan Apelboim wrote:
> Well, it doesn't work OK unfortunately, but I'm not sure if I missed something in the process, or is it just not working properly.
> I'm a bit worried to upgrade to 3.0.2 at the moment cause it's a major version and will probably have new bugs that I wouldn't want to find in production.
> 
> Assuming we will eventually upgrade to latest version - My sshd 
> service is running with domain user cyg_server and we login with domains users via ssh - is it still OK to switch the sshd service's user to local system?
> Will we still be able to login with domain users via ssh?

Yes, that's the idea.  The new method using the official S4U logon technique runs under the SYSTEM account.  No need to have a special cyg_server account with potentially dangerous privileges anymore.

> Will it help with my network shares problem?

No.  Just like the old techniques using an LSA authentication module or creating a user token from scratch, S4U login does not create tokens with valid network credentials.  For some weird reason only Microsoft knows about, you still need a password login for that.

The other method, logging in by stored password, as described in
https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd3 still works, though.


Corinna

--
Corinna Vinschen
Cygwin Maintainer

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple