Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-ID: <01cd01c3293e$6f435260$4d1f1cac@THEODOLITE>
From: "Bruce Dobrin" <dobrin AT imageworks DOT com>
To: "Banville, Stephen" <Stephen DOT Banville AT sycamorenet DOT com>,
   <cygwin AT cygwin DOT com>
References: <1037EB10994D094790FC003F87DCC0BCE9ABB1 AT pine>
Subject: Re: NTsec permissions issue over inet
Date: Mon, 2 Jun 2003 12:37:42 -0700
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165

hmmm,  still experimenting:  thought it might have something to do with
inetd and mounts,  but I also tried rlogin to <localhost>  which is running
init and xinetd and issueing a dfscmd:

dobrin AT THEODOLITE:/home/dobrin> dfscmd /view \\\\dfsmaster\\dfsshare
\\DFSMASTER\dfsroot
\\DFSMASTER\dfsroot\shots\vol780
\\DFSMASTER\dfsroot\pipe\usr_pasquini\trash
The command completed successfully.
dobrin AT THEODOLITE:/home/dobrin> rsh localhost
Last login: Mon Jun  2 12:30:41 from THEODOLITE.spimageworks.com
Fanfare!!!
You are successfully logged in to this server!!!
dobrin AT THEODOLITE:/home/dobrin> dfscmd /view \\\\dfsmaster\\dfsshare
System error 5 has occurred.

Access is denied.

::::   still confused...


----- Original Message ----- 
From: "Banville, Stephen" <Stephen DOT Banville AT sycamorenet DOT com>
To: <cygwin AT cygwin DOT com>; "Stephen Banville" <sbanville AT attbi DOT com>
Cc: "'Bruce Dobrin'" <dobrin AT imageworks DOT com>; "Banville, Stephen"
<Stephen DOT Banville AT sycamorenet DOT com>
Sent: Monday, June 02, 2003 5:32 AM
Subject: RE: NTsec permissions issue over inet


> Igor,
> I tried settting smbntsec and it did not work. With older version I
> used to
> just set ntsec, make the passwd and group files, and everything would just
> work
> the way I would expect. Something has changed in the way cygwin handles NT
> security.
> I am running a generic version of windows 2000 with no thrid party filesys
> drivers.
> I don't believe that it's aproblem with my configuration because older
> version of
> Cygwin have worked just fine. As of now all suggestions have not been
> successful.
> It sounds like a new bug has been introduced surrounding NT security.
>
> Steve
>
> -----Original Message-----
> From: Igor Pechtchanski [mailto:pechtcha AT cs DOT nyu DOT edu]
> Sent: Sunday, June 01, 2003 7:30 PM
> To: Stephen Banville
> Cc: 'Bruce Dobrin'; cygwin AT cygwin DOT com; stephen DOT banville AT sycamorenet DOT com
> Subject: RE: NTsec permissions issue over inet
>
>
> Steve,
>
> On Windows, if you use the Windows sharing mechanism (instead of a
> proprietary filesystem driver), your shares are SMB shares (which stands
> for Server Message Block, IIRC).  The 'smbntsec' option is designed for
> those kinds of shares.  If you do have a proprietary filesystem driver,
> Cygwin most likely doesn't have any support for recognizing the security
> attributes on that.  <http://cygwin.com/acronyms/#PTC>.  It's also
> possible that the filesystem driver that you have is partly compatible
> with the NTFS or SMB security, and some addition to the Cygwin codebase
> to deal better with one or the other has accesses to features that aren't
> available on your filesystem, so it stopped working.
>
>
>
> Your login problem has nothing to do with the above.  Unlike Linux, where
> anyone can run "su" or "login", Windows NT variants require the user to
> have extra privileges to be able to switch user context (create an access
> token belonging to someone else).
> <http://cygwin.com/cygwin-ug-net/ntsec.html#NTSEC-SETUID> should explain
> this somewhat.
> Igor
>
> On Sun, 1 Jun 2003, Stephen Banville wrote:
>
> > HI Bruce,
> >
> >         The reason I don't have smbntsec set is because the remote
> > volumes are not Samba Shares. The interesting thing here is that when I
> > ran an older version of Cygwin, this functionality would work just fine.
> > I also tried the passwd trick (which didn't work as well.) I can't
> > imagine what the problem could be ? At this time I am running out of
> > ideas. My only hope at this time would be to enable some sort of a debug
> > trace to see what component is actually failing during the login.
> > Another interesting point to mention is that when I run the 'login'
> > command within the shell, I cannot log in under my user name defined in
> > the /etc/passwd file. Any ideas why this would ? This could somehow be
> > related to my problem.
> >
> > Any help would be welcomed!!
> >
> > Steve
> >
> > -----Original Message-----
> > From: cygwin-owner AT cygwin DOT com [mailto:cygwin-owner AT cygwin DOT com] On Behalf
> > Of Bruce Dobrin
> > Sent: Friday, May 30, 2003 8:20 PM
> > To: cygwin AT cygwin DOT com
> > Subject: Re: NTsec permissions issue over inet
> >
> > OK,  further testing,  I can't get the below rlogin "trick" to work on a
> > 1.3.22 machine,  the one it worked on is actually a 1.3.12 machine.  so,
> > with 1.3.12 I can get it to work by forcing a password entry,  but this
> > appears not to work with a 1.3.22 machine........
> > continuing more confused than ever...
> >
> > ----- Original Message -----
> > From: "Bruce Dobrin" <dobrin AT imageworks DOT com>
> > To: <cygwin AT cygwin DOT com>
> > Sent: Friday, May 30, 2003 4:46 PM
> > Subject: Re: NTsec permissions issue over inet
> >
> >
> > > Sorry,  On re-reading that,  it's not as clear as it could be,  the
> > example
> > > used in the previous e-mail ( below) was on a later version of cygwin,
> > it
> > > is not the 1.3.2  machine referred to earlier in the message.
> > >
> > > ----- Original Message -----
> > > From: "Bruce Dobrin" <dobrin AT imageworks DOT com>
> > > To: <cygwin AT cygwin DOT com>
> > > Cc: <cygwin AT cygwin DOT com>
> > > Sent: Friday, May 30, 2003 4:37 PM
> > > Subject: Re: NTsec permissions issue over inet
> > >
> > >
> > > > Thanks for responding Larry,
> > > >
> > > > I actually had tried most permutations of (no)ntsec, (no)smbntsec,
> > > (no)ntea,
> > > > etc... and on other machines that didn't have weird path or passwd
> > > > entries. -- no dice
> > > >
> > > > I think I may have a good hint as to what is going on,  but I'll
> > need
> > > > someone who knows the system better than I to figure out the
> > solution.
> > > >
> > > > By the way I have around 300 machines here,  and I found one which
> > is
> > > > running cygwin1.3.2 and which works fine.  This leads me to think
> > that
> > it
> > > is
> > > > something to do with the hosts.equiv functionality which I believe
> > was
> > non
> > > > functional before at 1.3.2 ( at least I didn't use it here).  I
> > found
> > > > machine that if I : forced the user to use a password and I set some
> > > > permutations of the permissions...  it then works:  example:
> > > >
> > > > dobrin AT THEODOLITE:/home/dobrin> rsh gable3
> > > > Fanfare!!!
> > > > ..........
> > > > dobrin AT GABLE3:/home/dobrin> echo $CYGWIN
> > > > ntea nontsec smbntsec
> > > > dobrin AT GABLE3:/home/dobrin> cd //matilda/dist
> > > > //matilda/dist: Permission denied.
> > > >
> > > > BUT,  If I force a passwd entry:
> > > >
> > > > dobrin AT THEODOLITE:/home/dobrin> rsh gable3 -l poo
> > > > Password:
> > > > Login incorrect
> > > > login: dobrin
> > > > Password:
> > > > Fanfare!!!
> > > > ...........
> > > > dobrin AT GABLE3:/home/dobrin> echo $CYGWIN
> > > > ntea nontsec smbntsec
> > > > dobrin AT GABLE3:/home/dobrin> cd //matilda/dist
> > > > dobrin AT GABLE3:/matilda/dist>
> > > >
> > > >
> > > > Unfortunately I don't really think of this as a good solution ,  and
> > it
> > > > doesn't appear to work with my default $CYGWIN setup.
> > > > Does this help at all?
> > > > Thanks,
> > > > Bruce
> > > >
> > > > ----- Original Message -----
> > > > From: "Larry Hall" <cygwin AT cygwin DOT com>
> > > > To: "Bruce Dobrin" <dobrin AT imageworks DOT com>
> > > > Cc: <cygwin AT cygwin DOT com>
> > > > Sent: Thursday, May 29, 2003 7:14 PM
> > > > Subject: Re: NTsec permissions issue over inet
> > > >
> > > >
> > > > > Bruce Dobrin wrote:
> > > > > > Here are the Cygcheck,  and Group files,  I'll include the my
> > > (typical)
> > > > > > passwd entry as we have a ( legitimate) policy against
> > publishing
> > our
> > > > login
> > > > > > id's ( I know it doesn't include encrypted passwd's, but with
> > 650
> > > > entries,
> > > > > > but I'd like to reduce the fodder for someone's foreach loop
> > thru a
> > > > cracking
> > > > > > program).
> > > > > >
> > > > > >
> > > > > > representative passwd entries:
> > > > > >
> > > > > > SYSTEM:*:18:544:,S-1-5-18::
> > > > > > Administrators:*:544:544:,S-1-5-32-544::
> > > > > >
> > > >
> > >
> > dobrin:unused_by_nt/2000/xp:11014:10512:Brucester,U-PRODUCTION\dobrin,S-
> > 1-5-
> > > > > > 21-501104424-1911818820-14498641-1014:/home/dobrin:/bin/bash
> > > > > >
> > > > > >
> > > > > > Thanks
> > > > > > Bruce Dobrin
> > > > >
> > > > >
> > > > > Partial passwd entries is fine.  What you provided is adequate.
> > > > >
> > > > > The basics look OK.  I find two things in common between your
> > > information
> > > > > and Steve's:
> > > > >
> > > > >    1. You both appear to have a strange entry in your path.  I'm
> > not
> > > > >       sure if it's some weird artifact of cygcheck or if it's
> > actually
> > > > >       in the path.  In yours, you have a directory that looks like
> > this:
> > > > >
> > > > >       "c
> > > > >       C:\cygwin\program_files\diskaccess\bin"
> > > > >
> > > > >       Steve's is just "c".
> > > > >
> > > > >    2. You both have a carriage return as the last character in
> > either
> > > > >       your passwd or group files.
> > > > >
> > > > > Neither of these are clearly related to this issue but should be
> > > > > investigated and cleaned up.  Also, neither of you set 'smbntsec'
> > > > > in your CYGWIN environment variable (before starting Cygwin or any
> > of
> > > > > it's services).  Please do, just so we can rule this out as an
> > issue.
> > > > > Also, since you both claim that this used to work, please try
> > removing
> > > > > 'ntsec' and 'smbntsec' and/or adding 'nontsec' to your CYGWIN
> > > environment
> > > > > variable (before starting Cygwin or any of it's services).  This
> > should
> > > > > help pinpoint whether turning 'ntsec' on by default in recent
> > releases
> > > > > has any bearing.
>
> -- 
> http://cs.nyu.edu/~pechtcha/
>       |\      _,,,---,,_ pechtcha AT cs DOT nyu DOT edu
> ZZZzz /,`.-'`'    -.  ;-;;,_ igor AT watson DOT ibm DOT com
>      |,4-  ) )-,_. ,\ (  `'-' Igor Pechtchanski
>     '---''(_/--'  `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!
>
> "I have since come to realize that being between your mentor and his route
> to the bathroom is a major career booster."  -- Patrick Naughton
>
> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Problem reports:       http://cygwin.com/problems.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/
>


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/