Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com X-Authentication-Warning: slinky.cs.nyu.edu: pechtcha owned process doing -bs Date: Fri, 11 Jul 2003 19:55:20 -0400 (EDT) From: Igor Pechtchanski Reply-To: cygwin AT cygwin DOT com To: msg cc: cygwin AT cygwin DOT com Subject: Re: cygwin_logon_user() not working In-Reply-To: <3F0F48E8.48C8D9C9@cybertheque.org> Message-ID: Importance: Normal MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII On Fri, 11 Jul 2003, msg wrote: > Corinna, thanks much for your reply; please bear with me here > (in case I'm missing something): > > > On Fri, Jul 11, 2003 at 11:56:09AM -0500, msg wrote: > > > be owned by the new uid. The code fails on the call to > > > cygwin_logon_user() which returns -1 (invalid HANDLE). The output > > > of 'strace' on this program shows cygwin_logon_user() extracting > > > the /etc/passwd information followed by a 'windows error 1314' which > > > is 'unknown' and converted to error 13. > > > > But you did look what error 1314 means, right? > > Indeed: > 1314 0x0522 A required privilege is not held by the client. > > > > We've tried running the program from a bash shell logged-in as > > > user 'root' and again logged-in as user 'Administrator' with no > > > difference (Windows logins, not cygwin 'login' logins). > > > > So it runs as expected. Admin accounts don't have the right to call > > LogonUser up to W2K. This would only work on XP and 2003. > > Are you saying it won't work regardless of the privilege settings > on Win2k (I presume you mean it won't work unless the needed > privileges are granted)? It won't work with *default* privileges. > > You have to add the SeTcpPrivilege to the user who should call > > LogonUser. See > > http://cygwin.com/cygwin-ug-net/ntsec.html#NTSEC-SETUID for the needed > > user privileges (up to W2K). > > Yes, I carefully studied both the pdf users' guide and the online > version prior to posting and insured that all of the mentioned > privileges were granted to user 'root' and to user 'Administrator' > including SeTcpPrivilege (Act as part of the operating system). > These were all in place during testing. Your best bet to find the minimal necessary set of rights would be to start by replicating the rights of the SYSTEM account for "root" and then removing these rights one by one until things stop working. > We don't have any native Win2k/NT debugging or development tools; > what can we do to troubleshoot this? > > Michael Grigoni Well, you could go to Control Panels->Administrative Tools->Local Security Policy (or run "%SystemRoot%\system32\secpol.msc /s"), then go to Local Policy->User Rights Assignment, and see whether the necessary rights are assigned to the "root" user. You could use a screenshot of the maximized window at that point to show that the rights have indeed been assigned (if anyone knows of a free ["ntrights" you have to pay for] command line tool to print/change user rights, please don't hesitate to correct me). Igor -- http://cs.nyu.edu/~pechtcha/ |\ _,,,---,,_ pechtcha AT cs DOT nyu DOT edu ZZZzz /,`.-'`' -. ;-;;,_ igor AT watson DOT ibm DOT com |,4- ) )-,_. ,\ ( `'-' Igor Pechtchanski, Ph.D. '---''(_/--' `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-. Meow! "I have since come to realize that being between your mentor and his route to the bathroom is a major career booster." -- Patrick Naughton -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/