X-Spam-Check-By: sourceware.org
Message-ID: <43CE7529.60305@equate.dyndns.org>
Date: Wed, 18 Jan 2006 17:04:41 +0000
From: Chris Taylor <chris AT equate DOT dyndns DOT org>
Reply-To: cygwin AT cygwin DOT com
User-Agent: Debian Thunderbird 1.0.7 (X11/20051017)
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: Wich privileges required by ssh-host-config running user?
References: <SERRANOP9ww1WySvX5w000001bc AT SERRANO DOT CAM DOT ARTIMI DOT COM>
In-Reply-To: <SERRANOP9ww1WySvX5w000001bc@SERRANO.CAM.ARTIMI.COM>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

Dave Korn wrote:
> Chris Taylor wrote:
> 
>>Dave Korn wrote:
>>
>>>Chris Taylor wrote:
>>>
>>>
>>>>Dave Korn wrote:
>>>
>>>
>>>>> Simplest workaround would be to always join the machine to the domain
>>>>>first and install cygwin second.
>>>>>
>>>>
>>>>And to install as the domain administrator, not the local admin,
>>>>otherwise you run into this problem, as the OP has done.
>>>
>>>
>>>  Probably a domain user would suffice.  It might be best if the domain
>>>user account was made a "Power User" in the machine's local user
>>>accounts. 
> 
> 
>>I'm not sure that power users have the ability to change ownership in
>>this way.. 
> 
> 
>   Actually, I'm not sure either.  If "Power Users" isn't enough, it would need
> to be a local admin.
> 
> 
>>It may be that you would be required to use a domain
>>administrator account to install and to set up any services you wished
>>to use, though I could be mistaken. I'd have to test it to see.
> 
> 
>   No, the issue is not what rights you have in the domain, but what rights the
> domain user has over the local machine.  Domain admins are automatically
> admins over the local machine, and domain users are not, but domain users can
> be made into local admins by anyone with admin rights over the machine (such
> as the local admin) and it doesn't require domain admin rights.  
> 
>   Basically, nothing you need to do to an individual machine should ever need
> domain admin rights.  It's about _local_ rights.
> 
> 
>     cheers,
>       DaveK

Good point.
However, it is potentially possible that the 'administrator' account on 
the local machine is locked down, without adversely affecting the 
administrators group, which could potentially cause the issues described 
by the OP - it would depend on the various group policy settings and 
such though.

It might be worth having the OP test manually changing the owner in both 
cygwin and windows if cygwin fails..

ATTN OP:
Cygwin: chown SYSTEM ssh_host_*
Windows: Select files, right click, properties, Security, Advanced, 
Owner, 'Choose other user' (or something to that effect), then specify 
SYSTEM and hit OK until you're back at explorer.
Please note that the windows method is only valid (afaik) on win2k3 servers.


Chris
-- 

Spinning complacently in the darkness, covered and blinded by a blanket
of little lives, false security has lulled the madness of this world
into a slumber. Wake up! An eye is upon you, staring straight down and
keenly through, seeing all that you are and everything that you will
never be. Yes, an eye is upon you, an eye ready to blink. So face
forward, with arms wide open and mind reeling. Your future has
arrived... Are you ready to go?

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/