Date: Sat, 21 Jan 2006 13:17:43 -0500 (EST)
From: Igor Peshansky
Reply-To: cygwin AT cygwin DOT com
To: Steve Briggs
cc: cygwin AT cygwin DOT com
Subject: Re: sshd client can't access remote shares
In-Reply-To: <20060121045949.89965.qmail@web53909.mail.yahoo.com>

On Fri, 20 Jan 2006, Steve Briggs wrote:

> I can't access network shares when I connect via sshd.

The knee-jerk response for this is usually "read the FAQ" (i.e., ).
But you seem to have covered most of it in your email.

> My /etc/password file has only domain accounts:
> Steve:unused_by_nt/2000/xp:14896:544:Steve,U-FDE\Steve,S--4896:/temp:/bin/bash
>
> I've given the Win2kPro "SYSTEM" user rights to:
> Act as part of the OS
> Create a token object
> Increase quotas
> Replace a process level token
>
> When I'm logged into Windows as FDE\Steve:
> DOS>net use s: /d
> DOS>cd C:\cygwin\bin
> DOS>SET CYGWIN=ntsec
> DOS>bash
> bash>net use s: '\\rem_mach\rem_share'
> this works as one would expect
>
> When I:
> DOS>net use s: /d
> DOS>cd C:\cygwin\bin
> DOS>SET CYGWIN=ntsec
> DOS>bash
> bash>cygrunsrv -I sshd -p /usr/sbin/sshd -A -d
                                           ^^^^^
I hope this is a typo (though your sshd output indicates that it isn't).
First off, the options should be "-a -D" (otherwise sshd will detach, and
won't be under cygrunsrv's control). Also, the "-d" option will cause sshd
to exit after the first connection.

> bash>cygrunsrv -S sshd
> then login as Steve via sshd using password authentication
> (I have NOT set up authentication with keys), it says:
> "debug1: permanently_set_uid 14896/544"
> It lets me login as Steve with my password, but
> bash>"net use s: '\\rem_mach\rem_share'" immediately gives:
> "System error 1312 has occured."

"net helpmsg 1312" shows that this error means that "A specified logon
session does not exist. It may already have been terminated."

> This also happens with
> bash>net use s: '\\rem_mach\rem_share' /user:Steve
> but
> bash>net use s: '\\rem_mach\rem_share' '/user:FDE\Steve' mypassword
> works (seems to be the only combination that does work).
> It doesn't seem to matter if I ssh in from a remote machine or locally
> (bash>ssh localhost).

You should also be able to issue a
"net use s: '\\rem_mach\rem_share' /user:Steve '*'", which will prompt you
for a password.

> I thought that if I used password authentication with sshd, that the
> process had all the correct user tokens to access shares on the domain?

This should be correct.

> If I don't run sshd as SYSTEM, but as Steve (with admin rights on the
> domain and local machine)
> bash>/usr/sbin/sshd -d
> I can login as Steve via ssh and the net use command works.

Right, because you're already properly authenticated with Windows. But
the same should happen when running sshd as a SYSTEM service and
password-authenticating.

> I need for multiple users to ssh (actually scp) in and access their home
> directories on a remote share. They can give passwords, but is
> *multiple* users.
>
> Any ideas why remote access doesn't work with sshd and password
> authentication? I saw several mentions of this problem in the archives,
> but I think I've tried all the suggestions given.

I wonder if this is related to the recent WindowStation changes in
Cygwin's fhandler_console...

> I've attached the output of "cygcheck -svr".

Which looks normal, BTW -- the only weird thing is that the userid for
"Steve" is 4896, not 14896 as you indicated in your /etc/passwd quote
above.

> Any ideas what to try next?

If you're willing to build Cygwin from CVS, try commenting out lines
149-151 of fhandler_console.cc and see if that makes your problem go away.
That should tell us if my guess is correct and the WindowStation changes
were the culprit.

HTH,
	Igor
-- 
http://cs.nyu.edu/~pechtcha/
pechtcha AT cs DOT nyu DOT edu | igor AT watson DOT ibm DOT com
Igor Peshansky, Ph.D. (name changed!)
old name: Igor Pechtchanski
a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"Las! je suis sot... -Mais non, tu ne l'es pas, puisque tu t'en rends compte."
"But no -- you are no fool; you call yourself a fool, there's proof enough in
that!" -- Rostand, "Cyrano de Bergerac"