Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Date: Mon, 22 Jul 2002 19:23:30 -0700
From: David MacMahon
To: cygwin AT cygwin DOT com
Subject: Re: Fwd: Re: cron and NT domains
Message-ID: <20020722192330.A1654@SmartSC.com>
References: <20020722105336 DOT Y6932 AT cygbert DOT vinschen DOT de>

On Mon, Jul 22, 2002 at 10:53:36AM +0200, Corinna Vinschen wrote:
> On Sun, Jul 21, 2002 at 11:30:30AM -0700, David MacMahon wrote:
> > After reading your reply, I gave the local user the
> > "Create a token object" privilege. That changed the 1300 error to 1326,
>
> Don't do this. It's a dangerous privilege. Let SYSTEM handle that
> except you really know what you're doing. E. g. using a special
> user for that purpose which has specific rights...

I was doing that just for testing purposes. Since figuring out how to run strace on sshd under the SYSTEM account, I haven't needed to do things this way.

> > When running sshd as SYSTEM, I get these errors: 1308, 5, 1326. Error
> > 5 is "Access Denied". Here is the relevant excerpt from strace...
> > [...]
> > 521384 17135790 [main] sshd 1968 seterrno_from_win_error: /netrel/src/cygwin-1.3.12-2/winsup/cygwin/security.cc:297 windows error 5
> > 203 17135993 [main] sshd 1968 geterrno_from_win_error: windows error 5 == errno 13
>
> This looks exactly like the problem I told you. You probably don't
> have permissions to get the group information of a domain user. See
> the remarks section in
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/ntlmapi2_10xf.asp
>
> and ask your sysadmin.

So are you saying that IF one is running Win 2K or XP AND using an active directory server AND the active directory server is configured to disallow anonymous access, THEN cygwin apps like cron and sshd are unable to switch user context to a domain user without a password? If so, shouldn't that be in a README somewhere? If that's not what you're saying, how can I fix my setup (short of asking the sysadmins to change the permissions, which is out of the question)?

> > One interesting thing, however, is that mkpasswd doesn't handle RIDs > 65535 too well...
>
> Patches gratefully accepted,

Currently, my only access to a Windows box is at my client's site. I'd have to convince my client that creating those patches is needed for their business purposes and that they should let me release said patches under the GNU license. The former could be tough to justify, the latter could be a red tape quagmire. :-(

Thanks for all your help,
Dave

--
David MacMahon, President
Smart Software Consulting
http://www.smartsc.com