From: cygwin AT trodman DOT com (Tom Rodman)
To: cygwin AT cygwin DOT com
Subject: Re: ssh session w/reduced credentials; simple TEST CASE to show problem
Date: Tue, 31 Jan 2006 18:40:47 -0600

simple test case:

Please use an account in the local administrators group. Mine was
a direct member, i.e. the account itself shows up if you run
'net localgroup administrators'. Next verify you can 'ssh localhost' OK.

To create the problem, create any empty localgroup, say for example
"toss_soon". Then run:

  net localgroup toss_soon /add administrators

Now try 'ssh localhost', as the same user. Once you have a shell
prompt, type 'whoami' - if the problem shows up the output is:
YOURHOSTSNAME\sshd_server.

To make the problem go away, run:

  net localgroup toss_soon /delete administrators

BTW, we're unable to remove administrators from the group in our case,
and I prefer not to have to add the user to the group - the
account is already in the local administrators group.

--
thanks,
Tom

pls see a comment or two below:

On Tue 1/31/06 10:32 CST Tom Rodman wrote:
--snip
> -- The Problem --
>
> On Monday several compilers were loaded on this host (OurSrvr064);
> because of this, 4 new local groups were created. So, I updated
> /etc/group, by running 'mkgroup -ld', and subsequently re-doing
> Pierre's approach - adding the username ("staffuser2", a domain user) into
> the "userlist" [4th field] in /etc/group for each group listed by 'id -G'.
> Unfortunately this failed. Also, the ssh session showed one
> *additional* local group (gid 1008) for user staffuser2; additional w/r to
> the (non ssh session) Terminal Services bash session 'id -G' output.
> Also notable, was that whoami showed: "OurSrvr064\sshd_server", instead of
> "staffuser2".
--snip
> $ : next, will run test script, it works just fine in a Terminal Service session:
> $ /cygdrive/c/adm/ssh_test_my_rights00
> + cd //OurServer108/tcm
> + id -G
> 10513 544 545 1010 19858 19968 16025 16027 16024
> + id
> uid=15776(staffuser2) gid=10513(Domain Users) groups=544(Administrators),545(Users),1010(Debugger Users),19858(ABC_NA-CTX-Notepad-A),19968(ABC_NA-DOMxx0-tcm-Users-A),10513(Domain Users),16025(XYZ_BLD_MGR),16027(XYZ_ES_STAFF),16024(XYZ_Users)
> + :
> + whoami
> staffuser2
--snip
> $ : Notice that next test fails again even though groups for staffuser2 more than match,
> $ : the groups staffuser2 is in within a Term Service session (1008 is the extra local group).
> $ ssh localhost /cygdrive/c/adm/ssh_test_my_rights00
> staffuser2 AT localhost's password:
> + cd //OurServer108/tcm
> /cygdrive/c/adm/ssh_test_my_rights00: line 3: cd: //OurServer108/tcm: Permission denied
> + id -G
> 10513 544 545 1010 1008 19858 19968 16025 16027 16024
> + id
> uid=15776(staffuser2) gid=10513(Domain Users) groups=544(Administrators),545(Users),1010(Debugger Users),1008(OWS_2416084231_admin),19858(ABC_NA-CTX-Notepad-A),19968(ABC_NA-DOMxx0-tcm-Users-A),10513(Domain Users),16025(XYZ_BLD_MGR),16027(XYZ_ES_STAFF),16024(XYZ_Users)

OWS_2416084231_admin (1008) is the problem group; i.e. it shows up in the ssh session,
but not in a simple Terminal Services session

--snip
> -- The new local groups, and their members; these groups were added on Monday -- {
> -snip
> C:\>net localgroup OWS_2416084231_admin
> Alias name     OWS_2416084231_admin
> Comment        Microsoft SharePoint role 'admin' for web 'http://OurSrvr064'
>
> Members
>
> -------------------------------------------------------------------------------
> Administrators
> The command completed successfully.
>
--snip
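
Added example, not part of the original message: a POSIX shell helper that compares the `id` line from the Terminal Services session with the one from the ssh session and lists the groups present only under ssh, plus a check that `whoami` still names the expected user. The function and variable names are this example's own; the two sample `id` lines are copied from the transcript above.

```sh
#!/bin/sh
# Added example (not from the original message). Sample data copied from the
# transcript above: TS_ID = Terminal Services session, SSH_ID = ssh session.
TS_ID='uid=15776(staffuser2) gid=10513(Domain Users) groups=544(Administrators),545(Users),1010(Debugger Users),19858(ABC_NA-CTX-Notepad-A),19968(ABC_NA-DOMxx0-tcm-Users-A),10513(Domain Users),16025(XYZ_BLD_MGR),16027(XYZ_ES_STAFF),16024(XYZ_Users)'
SSH_ID='uid=15776(staffuser2) gid=10513(Domain Users) groups=544(Administrators),545(Users),1010(Debugger Users),1008(OWS_2416084231_admin),19858(ABC_NA-CTX-Notepad-A),19968(ABC_NA-DOMxx0-tcm-Users-A),10513(Domain Users),16025(XYZ_BLD_MGR),16027(XYZ_ES_STAFF),16024(XYZ_Users)'

# Print the entries of the groups= field of one `id` line, one per line.
# Group names can contain spaces ("Domain Users"), so split on commas only.
id_groups() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n'
}

# ssh_only_groups BASELINE_ID_LINE SSH_ID_LINE
# Prints "gid(name)" for every group in the ssh line whose numeric gid is
# absent from the baseline line.
ssh_only_groups() {
    _base_gids=$(id_groups "$1" | sed 's/(.*//')
    _ssh_entries=$(id_groups "$2")
    while IFS= read -r _entry; do
        [ -n "$_entry" ] || continue
        _gid=${_entry%%(*}
        # -x: whole-line match, so gid 100 never matches gid 1008.
        if ! printf '%s\n' "$_base_gids" | grep -qx -- "$_gid"; then
            printf '%s\n' "$_entry"
        fi
    done <<EOF
$_ssh_entries
EOF
}

# whoami_matches EXPECTED_USER WHOAMI_OUTPUT
# Succeeds when the output, with any leading "HOST\" stripped, equals the
# expected user; "OurSrvr064\sshd_server" fails for staffuser2.
whoami_matches() {
    _name=$(printf '%s\n' "$2" | sed 's/.*\\//')
    [ "$_name" = "$1" ]
}

# Demonstration on the embedded sample data.
ssh_only_groups "$TS_ID" "$SSH_ID"
```

On a live host, replace the two sample strings with `id` run in each session, for example `SSH_ID=$(ssh localhost id)`.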