Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sourceware DOT cygnus DOT com>
List-Archive: <http://sourceware.cygnus.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sourceware DOT cygnus DOT com>
List-Help: <mailto:cygwin-help AT sourceware DOT cygnus DOT com>, <http://sourceware.cygnus.com/ml/#faqs>
Sender: cygwin-owner AT sourceware DOT cygnus DOT com
Delivered-To: mailing list cygwin AT sourceware DOT cygnus DOT com
Message-ID: <1DB8BA4BAC88D3118B2300508B5A552CD925BD@mail.fitlinxx.com>
From: David Bolen <db3l AT fitlinxx DOT com>
To: cygwin AT sourceware DOT cygnus DOT com
Cc: "'Mike Melendez'" <melendez AT orca DOT com>
Subject: RE: [melendez AT orca DOT com: Cygwin bash mount over Ataman telnetd is 
	inaccessible.]
Date: Mon, 12 Jun 2000 12:31:26 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain;
	charset="iso-8859-1"

It's possible that this is a generic NT security problem that can show up
with services trying to do network access, depending on how the telnet
services logs a user into the system (I've never used Ataman myself).  It
would be helpful to know if access to the share was a problem from a
non-bash/cygwin environment.  It's also not mentioned, but I'm assuming that
the server on which the share is being accessed is also NT.

What may be happening is that the telnetd service is running under the
LocalSystem account, which means that it has no credentials for network
access (or to be more precise it has a Null set of credentials).  By default
that will mean it has no network access to remote machines, which are set up
by default (as of NT 4.0) to reject Null session credential clients, with
only a few exceptions.

I would normally expect that the Ataman service is requesting an interactive
login token for a user for authentication and then creating a process as
that user, which I would think would create the necessary network
credentials, but it also wouldn't surprise me to find out that it didn't :-)

One quick test would be to run the Ataman service as some specific user (it
can be set up that way in the services control panel).  The user selected
would probably need to be a full administrator (to ensure it can execute any
functions the telnet server may try when setting up a remote login).

The other approach is to try opening up (in general, or specifically) access
to the share in question on the server side for Null session clients (which
includes LocalSystem services):

You can either:

(a) Open up access in general for such clients, by installing beneath
    the registry key:
        HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    the DWORD value:
        RestrictNullSessAccess = 0

    (The value is normally not present at all, but defaults internally to 1)

(b) Add either the existing share that the client is accessing (or perhaps
    dedicate a new limited share just for the client) and add that share
    to the value of NullSessionShares on the server (same key location).  It
    should already be present with a few entries.  Add your share as a new
    entry (if you use regedt32 it'll handle the REG_MULTI_SZ type nicely).

You'll have to restart the server (or at least the LanmanServer service) for
changes to take effect.

Neither of these are necessarily that attractive as a long term operating
solution, but may at least be useful in the test environment.

-- David

/-----------------------------------------------------------------------\
 \               David Bolen            \   E-mail: db3l AT fitlinxx DOT com  /
  |             FitLinxx, Inc.            \  Phone: (203) 708-5192    |
 /  860 Canal Street, Stamford, CT  06902   \  Fax: (203) 316-5150     \
\-----------------------------------------------------------------------/

-----Original Message-----
From: Chris Faylor [mailto:cgf AT cygnus DOT com]
Sent: Monday, June 12, 2000 11:36 AM
To: cygwin AT sourceware DOT cygnus DOT com
Subject: [melendez AT orca DOT com: Cygwin bash mount over Ataman telnetd is
inaccessible.]


Can anyone offer any help to this guy?

cgf

----- Forwarded message from Mike Melendez <melendez AT orca DOT com> -----

From: Mike Melendez <melendez AT orca DOT com>
To: support AT ataman DOT com, cygwin-support AT cygnus DOT com
Subject: Cygwin bash mount over Ataman telnetd is inaccessible.
Date: Mon, 12 Jun 2000 11:11:19 -0400

I am attempting to use the same Expect script to automate internal tests
from 
a BSDI system to Solaris, Linux, and Windows NT.  For NT I am using:
     Windows NT 4.0 (Build 1381: Service Pack 5)
     Cygwin 1.0 bash shell
     Ataman TCP Remote Logon Services 2.4 simple telnet

In a bash shell on the desktop and through the Ataman telnetd as the same
user 
I can successfully
     $ mount \\\\<server>\\<directory> <mount-directory> or
     $ mount Z: <mount-directory>

However, only on the desktop can I access the remote directory through the 
mount directory.  Through the Ataman telnetd, attempts to cd
<mount-directory> 
return: "bash.exe: cd <mount-directory> : Permission denied"

I have tried this with system mounts (mount -s) as well as local mounts and 
both with and without a desktop user simultaneously logged in -- all with
the 
same result.


-- 
Robert Michael Melendez          melendez AT orca DOT com
Orca Systems, Inc                781-895-4949 x227


----- End forwarded message -----

--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe AT sourceware DOT cygnus DOT com

--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe AT sourceware DOT cygnus DOT com