X-Recipient: archive-cygwin@delorie.com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; q=dns; s= default; b=Sn0IAYvqGqcngySvJs7BeheBEC6n5e6m0esY4zU428tiNCrDGM2T8 pyPmzJkANVIDWPYzt4Vo78I0YcHCg5RE3jutLr53TJ6LVS8Yu1ul8aUDkIz50/zr TB0pvKcXEKgvM07WlQ4B2SxXasHkbmOhhUNnb0TeLdC+PjxuPcWyLw= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; s=default; bh=Ach5tDasvAiLRlMlouxQf8mrbhY=; b=ua9Y7rluknYkC0JwvbWMbkITw1tk jP1vx5gMPm527W/FYTrQ0M+3uvZzK0gYSkhuNjzd2gOn/boD/Tw+UARAH1bd3Jj9 TKdwOQXoQWUsuilzBVOYjTyBXIiQoNKRiqo8WThTyPyMdQ4Q7FwgTK8QlCukml8B 4ebZbASehJpnzVI= Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Delivered-To: mailing list cygwin@cygwin.com Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-102.1 required=5.0 tests=AWL,BAYES_00,GOOD_FROM_CORINNA_CYGWIN,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 spammy=password, H*F:D*cygwin.com, passwords, services X-HELO: mout.kundenserver.de Date: Wed, 13 Mar 2019 10:04:18 +0100 From: Corinna Vinschen To: cygwin@cygwin.com Subject: Re: can't access remote shares when using ssh with rsa key - passwd -R / set(e)uid / LogonUser is not working as expected Message-ID: <20190313090418.GT3785@calimero.vinschen.de> Reply-To: cygwin@cygwin.com Mail-Followup-To: cygwin@cygwin.com References: <20190306122816.GP3785@calimero.vinschen.de> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="ZATCr4BkWovzAAkA" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.11.3 (2019-02-01) --ZATCr4BkWovzAAkA Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Please, don't top-post. On Mar 13 08:31, Maayan Apelboim wrote: >> From: Corinna Vinschen >> Sent: Wednesday, March 6, 2019 2:28 PM >> To: cygwin@cygwin.com >> Subject: Re: can't access remote shares when using ssh with rsa key - pa= sswd -R / set(e)uid / LogonUser is not working as expected >>=20 >> On Mar 6 10:09, Maayan Apelboim wrote: >> > Well, it doesn't work OK unfortunately, but I'm not sure if I missed s= omething in the process, or is it just not working properly. >> > I'm a bit worried to upgrade to 3.0.2 at the moment cause it's a major= version and will probably have new bugs that I wouldn't want to find in pr= oduction. >> >=20 >> > Assuming we will eventually upgrade to latest version - My sshd=20 >> > service is running with domain user cyg_server and we login with domai= ns users via ssh - is it still OK to switch the sshd service's user to loca= l system? >> > Will we still be able to login with domain users via ssh? >>=20 >> Yes, that's the idea. The new method using the official S4U logon techn= ique runs under the SYSTEM account. No need to have a special cyg_server a= ccount with potentially dangerous privileges anymore. >>=20 >> > Will it help with my network shares problem? >>=20 >> No. Just like the old techniques using an LSA authentication module or = creating a user token from scratch, S4U login does not create tokens with v= alid network credentials. For some weird reason only Microsoft knows about= , you still need a password login for that. >>=20 >> The other method, logging in by stored password, as described in >> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd3 still works,= though. >> > Hi, >=20 > I appreciate your detailed response, however, stored passwords doesn't wo= rk properly. > I've read the article and ran passwd -R as described - no errors generate= d and I was able to find the relevant registry entry after running the comm= and, but still can't access network shares (access denied). > When I login with password network shares are available. When you login with stored password, Cygwin performs the same LogonUser call as if you login with password, so the same user token is generated. Off the top of my head I don't know why it shouldn't work for you. You sure you have the correct password stored? When you login and call `id', what does it print? Does it contain the "interactive" group or the "network" group? If the latter, then the internal LogonUser call performed with stored password failed for some reason. Corinna --=20 Corinna Vinschen Cygwin Maintainer --ZATCr4BkWovzAAkA Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEoVYPmneWZnwT6kwF9TYGna5ET6AFAlyIx5EACgkQ9TYGna5E T6Cfnw//RpXGnxc4ezUwI1msDR2bsbGcI8oJxMscQKqueXwdW/np0+cn+/JpU5h8 +/3K44nk4TCyBd9LHKPRdE+Qu5AB5C7m4MyU6dyMrqwefwLeevqIlop7OXHEr1JN ArvDcPRzfEWmFrMlvsVm2qy4Gn81NLmcDazK/OE6ztFcXxLwezZNAN6yoLdx1QCp TAhNbUGj5HIInB4ACWLBJYaIjLFOveWnfJU/NLBtHFnPZcgidQpacHsZ4VhbEhs8 /O52D0itKvg8EtXOg5STeS6yQeeAAlh9jOeyVhwPjsARhxsbiKedaIo8SdhG52Xk K7vD5/susZCgq79prpnMXZ5rZ2v7oP62BKjQXsWiOuBXeBUDUAfJRxH1VH9NEJBp GmLsiYZIMTPOrLQK6cK5zPDw0bBu2HJTrLLD37aJBNdU3o/UqrKKXr0ktj7X8tHH VJNEdee5UuQbcRp2kwdtEYw6VCkXko+r0M9ZeHYkfultpjLVMCY6ADbxIlDx/sbQ nJsZL2TngR7FhScBQFwjWvkhcq4Ddf/AYf3uur8psZbdPn9QlzRHHiz29akYyMjb noexHiuaBEfl1yx79FHvRhMts9bLEBoP/Zi1XSEID61CH5hRtX7gDwyydi3iIZrA EZLa5GyyP48GbFO9xvpiRuBc3wZm3boMIxrr69ur0OKsSLWvUuw= =M3Ov -----END PGP SIGNATURE----- --ZATCr4BkWovzAAkA--