Date: Thu, 6 Jul 2006 10:56:49 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: 1.5.20: supplementary groups not initialized via ssh when PDC is down

On Jul  5 15:18, theo0 AT krumvieda DOT com wrote:
> Hi there:
>
> I have cygwin installed on an XP machine in a domain controlled by a
> PDC and a single BDC (both DCs run W2K).  When the PDC is up,
> everything runs perfectly fine.  However, when the PDC is down
> (leaving just the BDC), we are having problems with remote ssh logins:
>
> o If I login via ssh while the PDC is down, "/bin/id" shows only the
>   default group, not any of the supplementary groups (this also shows
>   up in the output of "cygcheck" below).  There are other things that
>   fail too, e.g., anything that requires administrator privileges
>   ("nbtstat -c"), presumably because the shell doesn't think I'm a
>   domain admin.
>
>   -bash-3.1$ /bin/id
>   uid=11116(cliff) gid=11194(user) groups=11194(user)
>
> o If I login to Windows while the PDC is down, then start a cygwin
>   shell by double clicking on the cygwin icon, everything works as
>   expected.
>
>   -bash-3.1$ /bin/id
>   uid=11116(cliff) gid=11194(user) groups=11134(clearcase),10512(Domain Admins),10513(Domain Users),11194(user)
>
> o If I login via ssh while the PDC is up, "/bin/id" shows all groups
>   and everything works as expected.
>
>   -bash-3.1$ /bin/id
>   uid=11116(cliff) gid=11194(user) groups=11134(clearcase),10512(Domain Admins),10513(Domain Users),11194(user)
>
> Any idea why the supplementary groups aren't being initialized when
> the PDC is down?  Do I have something configured incorrectly?

When logging in via ssh, ssh calls initgroups().  Cygwin's initgroups
assembles the user's group list basically like this:

- Get list of domain groups the user is member in.
- Get list of local groups the user is member in.
- Get list of groups from /etc/group in which the user is mentioned in
  the gr_mem fields.
- Fold groups into a list of groups with no doubles.

The first step is working by contacting the PDC.  If the PDC isn't
available, there's no domain group list.  Cygwin does not try to contact
any secondary domain server right now.

To circumvent the situation you're describing above, you can add the
user(s) to the appropriate groups in /etc/group.  For instance:

  Domain Admins:S-1-5-21-1154851028-2324800110-1472610766-512:10512:cliff,corinna

This allows the necessary domain group memberships even if the PDC is
not available.


HTH,
Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
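
Added example, not part of the original message and not Cygwin's code: a shell model of the last two steps listed in the reply (the /etc/group gr_mem lookup and the fold into a duplicate-free list), showing which groups a login still receives when no domain group list arrives, and so which accounts hold privileged groups through static entries alone. Only the Domain Admins line comes from the message; the other group lines, their placeholder SIDs and the function names are constructed, and the local-group step is left out.

```shell
#!/bin/sh
# Added example: models only the /etc/group lookup and the de-duplicating fold.

# Constructed sample in Cygwin's /etc/group layout (name:SID:gid:members).
# Only the Domain Admins line is from the message; other SIDs are placeholders.
sample_group_file() {
    cat <<'EOF'
Domain Admins:S-1-5-21-1154851028-2324800110-1472610766-512:10512:cliff,corinna
Domain Users:S-1-5-21-0-0-0-513:10513:
clearcase:S-1-5-21-0-0-0-1134:11134:cliff
user:S-1-5-21-0-0-0-1194:11194:
EOF
}

# static_groups USER PRIMARY_GID [DOMAIN_GID...]   (hypothetical helper)
# Reads a group file on stdin. DOMAIN_GID arguments stand in for the list a
# reachable PDC would return; pass none to model the "PDC down" login.
# Prints the folded list as gid(name), sorted by gid, comma-separated.
static_groups() {
    user=$1; primary_gid=$2; shift 2
    awk -F: -v user="$user" -v pgid="$primary_gid" -v domain="$*" '
        BEGIN {
            want[pgid] = 1                      # primary group is always present
            n = split(domain, d, " ")
            for (i = 1; i <= n; i++) want[d[i]] = 1
        }
        NF >= 3 {
            name[$3] = $1
            m = split($4, mem, ",")             # gr_mem field
            for (i = 1; i <= m; i++) if (mem[i] == user) want[$3] = 1
        }
        END {
            # Array keys are unique, so a gid found by two steps appears once.
            for (g in want) print g "(" ((g in name) ? name[g] : "?") ")"
        }
    ' | sort -n | paste -sd, -
}

echo "PDC down: $(sample_group_file | static_groups cliff 11194)"
echo "PDC up:   $(sample_group_file | static_groups cliff 11194 10512 10513 11134)"
```

Running `static_groups cliff 11194 < /etc/group` on a real host lists what that account is granted from the file alone, which is worth reviewing whenever a privileged group such as Domain Admins carries static members.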