Date: Mon, 29 Oct 2001 07:48:44 -0500
From: Jason Tishler
To: cygwin AT cygwin DOT com
Subject: Re: chmod/chown + ntsec doesn't work (was OpenSSH and RSA authentication problems)
Message-ID: <20011029074844.A1948@dothill.com>
In-Reply-To: <20011026200024.A7622@cygbert.vinschen.de>

Corinna,

On Fri, Oct 26, 2001 at 08:00:24PM +0200, Corinna Vinschen wrote:
> On Thu, Oct 25, 2001 at 02:12:44PM -0400, Jason Tishler wrote:
> > I know that it has been noted that one cannot access network shares from
> > a ssh login due to running under the LocalSystem account. But, I was
> > surprised by the chown and start/stop service restrictions since I
> > perceived them to be local operations.
>
> I'm surprised, too. I don't have a domain environment so I can't
> test that further. Are you sure that you're not just restricted
> due to either having /etc/passwd or /etc/group not setup correctly

AFAICT, I have set up my passwd/group file correctly. The procedure that
I use in a domain environment is execute mkpasswd/mkgroup -l and then
append the appropriate entries from mkpasswd/mkgroup -d.

> or actually having restrictions due to domain policy?

I'm not sure what you mean by "domain policy." Can a Windows domain
policy cause the restrictions being observed?

Nevertheless, I now better understand why chown was not working under
ssh via key exchange:

    $ ssh tishlmob2d1m701 id
    uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),545(Users),10513(Domain Users),12093(Software Engineering)

Note that Windows does not think that I am in the local Administrators
group. Hence, I'm not able to chown, net start/stop, etc.

But, if I ssh via password exchange:

    $ ssh -1 tishlmob2d1m701 id
    jtishler AT tishlmob2d1m701's password:
    uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),544(Administrators),545(Users),10513(Domain Users),12093(Software Engineering)

then Windows does. Why? Unfortunately, I don't (currently) know.

Here is another example:

    $ ssh raidboston id
    uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),545(Users),10513(Domain Users),12093(Software Engineering

    $ ssh -1 raidboston id
    jtishler AT raidboston's password:
    uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),544(Administrators),545(Users),1001(cvs-change-local),1000(cvsfull-local),10513(Domain Users),12093(Software Engineering)

Note that cvs-change-local and cvsfull-local are local groups.

So, it appears that when one uses ssh key exchange to a domain machine,
then Windows does not think that the user is a member of any local group
except possibly Everyone. Is Everyone a local or domain group?

BTW, the local group membership problem also affects cron usage in domain
environments -- to no great surprise.

Jason
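The comparison made in the message above, as an added example that is not part of the original post: a shell check that lists which groups one login method reports and the other does not. The sample input is the pair of `id` lines quoted for tishlmob2d1m701; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare the group list `id` reports for one user under two
# login methods. Function names are hypothetical, not from Cygwin or OpenSSH.

# Sample input: the two `id` lines quoted in the message for tishlmob2d1m701.
ID_PUBKEY='uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),545(Users),10513(Domain Users),12093(Software Engineering)'
ID_PASSWORD='uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),544(Administrators),545(Users),10513(Domain Users),12093(Software Engineering)'

# Print one "gid(name)" entry per line from an `id` output line.
# Group names contain spaces ("Domain Users"), so split on commas only.
id_groups() {
    printf '%s\n' "$1" | sed -n 's/^.*groups=//p' | tr ',' '\n'
}

# Print the groups present in $2 but absent from $1 (exact, fixed-string match).
# grep exits 1 when nothing differs; "|| true" keeps that from being an error.
missing_groups() {
    printf '%s\n' "$(id_groups "$2")" | grep -Fxv -e "$(id_groups "$1")" || true
}

# Succeed if gid 544 (Administrators in the output above) is in the group list.
has_admin() {
    id_groups "$1" | grep -q '^544('
}

echo "Groups reported by the password login but not the key login:"
missing_groups "$ID_PUBKEY" "$ID_PASSWORD"

if has_admin "$ID_PUBKEY"; then
    echo "key login: Administrators present"
else
    echo "key login: Administrators absent"
fi
```

To check a live host, capture the output of `ssh host id` for each login method into the two variables instead of the embedded lines.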