Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Sensitivity: 
Subject: Re: proftpd issues
To: cygwin AT cygwin DOT com
Message-ID: <OF9E370AA7.20142D0F-ON85256D7D.00456A8F-85256D7D.004898EF@empirehealthcare.com>
From: Brian DOT Kelly AT Empireblue DOT com
Date: Sat, 9 Aug 2003 09:12:57 -0400
MIME-Version: 1.0
X-WSS-ID: 132A2C62526170-01-03
Content-Type: text/plain;
 charset=us-ascii
Content-Transfer-Encoding: 7bit


> Fixes for what?  If proftpd needs to switch user contexts (using Cygwin
> system calls), the account it runs under needs to have those rights.
> Period.

I'm sorry Igor, I'm not giving you enough info. proftpd is being called
from xinetd which itself is being launched via init. *telnet* works fine
and authenticates BOTH local and domain ID's. So that *should* - correct
me if I'm wrong - eliminate the passwd and group file entries as culprits.
Especially since I'm using the very same domain ID for my testing.

bmk1n0 AT STP*****FTP1 ~
 - telnet 1**.24.2**.81
Trying 1**.24.2**.81...
Connected to 1**.24.2**.81.
Escape character is '^]'.

CYGWIN_NT-5.0 1.3.22(0.78/3/2) (stp*****ftp2) (tty0)

login: bmk1n0
Password:
Fanfare!!!
You are successfully logged in to this server!!!
bmk1n0 AT stp*****ftp2 ~
 - exit
logout
Connection closed by foreign host.
bmk1n0 AT STP*****FTP1 ~
 - ftp 172.24.200.81
Connected to 1**.24.2**.81.
220 ProFTPD 1.2.9rc1 Server (ProFTPD Default Installation) [stpn*****ftp2.
************.com]
Name (1**.24.2**.81:bmk1n0): bmk1n0
331 Password required for bmk1n0.
Password:
530 Login incorrect.
ftp: Login failed.
421 Service not available, remote server has closed connection
ftp> bye

########### NOW LOCAL ID - SAME AS PROFTPD IS SET TO #############

bmk1n0 AT STP*****FTP1 ~
 - ftp 1**.24.2**.81
Connected to 1**.24.2**.81.
220 ProFTPD 1.2.9rc1 Server (ProFTPD Default Installation) [stp*****ftp2.
************.com]
Name (1**.24.2**.81:bmk1n0): root
331 Password required for root.
Password:
230 User root logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Furthermore, if I change the ftp daemon to the one supplied with inetutils,
Domain
authentication works again.

The *root* ID was created as new local ID on the ftp2 box. I have
explicitly assigned
the rights:

"Act as part of the operating system"
"Replace process level token"
"Increase quotas"

It is a member of the administrator's group.

As you can see, the server runs with this ID, and authenticates this ID,
but
not Domain ID's.

Also, it simply will *not* run with the SYSTEM ID, although telnetd *is*
running
with it.


Thanks
Brian Kelly





"Igor Pechtchanski" <pechtcha AT cs DOT nyu DOT edu> on 08/08/2003 08:57:53 PM

Please respond to cygwin AT cygwin DOT com

To:    Brian DOT Kelly AT empireblue DOT com
cc:    cygwin AT cygwin DOT com

Subject:    Re: proftpd issues


Fixes for what?  If proftpd needs to switch user contexts (using Cygwin
system calls), the account it runs under needs to have those rights.
Period.  If the SYSTEM account doesn't have those rights on your machine,
it's nothing that proftpd can fix.  You'll just need to either create an
account with those rights, or add them to an existing account.

As for domain authentication, are the entries for the domain users you're
trying to authenticate present in your /etc/passwd file?  Are their
corresponding groups in /etc/group?  Just to eliminate that possibility,
could you please run "mkpasswd -d yourdomain >> /etc/passwd" and "mkgroup
-d yourdomain >> /etc/group" before trying again?  You may want to save
backup copies of /etc/passwd and /etc/group first.
 Igor

On Fri, 8 Aug 2003 Brian DOT Kelly AT Empireblue DOT com wrote:

> Thanks for the response Igor. I'm working on W2K *Server* SP3. Maybe the
> Servers are more stict with the User Rights?? Domain authentication
> works fine for telnet, and inetutils ftpd - but *not* for proftpd. Any
> ideas? I think there's a test version of proftpd sitting out on the
> mirrors - perhaps it has fixes for this?
>
> Brian Kelly
>
>
> "Igor Pechtchanski" <pechtcha AT cs DOT nyu DOT edu> on 08/08/2003 06:50:16 PM
>
> Please respond to cygwin AT cygwin DOT com
>
> To:    Brian DOT Kelly AT empireblue DOT com
> cc:    cygwin AT cygwin DOT com
>
> Subject:    Re: proftpd issues
>
>
> On Fri, 8 Aug 2003 Brian DOT Kelly AT empireblue DOT com wrote:
>
> > Since having gotten xinetd working, I've shifted my effortst to the new
> > proftpd.
> >
> > After another couple of hours of *pain* - I finally got it going in a
> > limited fashion.
> >
> > First of all, I couldn't get it to start with the SYSTEM id as
indicated
> > in the proftpd.conf file.
> >
> > I had to use a custom ID added to the Administrators group and having
the
> > following User Rights assigned:
> >
> > "Act as part of the operating system"
> > "Replace process level token"
> > "Increase quotas"
> >
> > Question: Do these rights *have* to granted to the SYSTEM id for
proftpd
> > to work?
>
> Yes.  Since you've as much as quoted from the ntsec userguide section,
I'm
> not going to bother citing a reference.  The above rights are needed to
> switch user contexts.  SYSTEM has it by default on most NT-based versions
> of Windows (but may not on some more recent ones, notably 2003 server).
>
> > Next - I could log on with local id's - but not with Domain id's. Is
> > proftpd set up to do domain authentication via ntsec??
> > If not, is there an ETA?
> >
> > Brian Kelly
>
> Cygwin (ntsec) is already set up for domain authentication.  However, to
> be able to authenticate a domain user, that domain user has to be in
> /etc/passwd (and his groups should most likely be in /etc/group).  Make
> sure your /etc/passwd includes the users you're trying to authenticate.
>     Igor

--
    http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_            pechtcha AT cs DOT nyu DOT edu
ZZZzz /,`.-'`'    -.  ;-;;,_        igor AT watson DOT ibm DOT com
     |,4-  ) )-,_. ,\ (  `'-'       Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL   a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton










"WellChoice, Inc." made the following
 annotations on 08/09/2003 09:15:21 AM
------------------------------------------------------------------------------
Attention!  This electronic message contains information that may be legally
confidential and/or privileged.  The information is intended solely for the
individual or entity named above and access by anyone else is unauthorized.
If you are not the intended recipient, any disclosure, copying, distribution,
or use of the contents of this information is prohibited and may be unlawful.
If you have received this electronic transmission in error, please reply
immediately to the sender that you have received the message in error, and
delete it. Release/Disclosure Statement


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/