Date: Sat, 12 Aug 2006 09:47:53 -0700
From: David Rothenberger
To: cygwin AT cygwin DOT com
Subject: Re: logon failure from subauth in 2006-08-02 snapshot

On Sat, Aug 12, 2006 at 06:25:14PM +0200, Corinna Vinschen wrote:
> On Aug 11 10:35, David Rothenberger wrote:
> > On 8/11/2006 12:40 AM, Corinna Vinschen wrote:
> > > On Aug 10 09:42, David Rothenberger wrote:
> > >> On 8/10/2006 12:21 AM, Corinna Vinschen wrote:
> > >>> On Aug 9 11:37, David Rothenberger wrote:
> > >>>> I've noticed repeated logon failures in my Security event log with
> > >>>> the 2006-08-02 snapshot. (I have security auditing enabled.)
> > >>>>
> > >>>> I'm not sure whether this is expected behavior or not.
> > >>> It's expected behaviour if you didn't set up subauthentication.
> > >> Okay, I tried to set up subauthentication per
> > >> http://www.cygwin.com/ml/cygwin-developers/2006-07/msg00013.html. I
> > >> copied my cygsuba.dll to c:/windows/system32 and added the registry key
> > >> as indicated.
> > >> Now, I get system error code 126 (ERROR_MOD_NOT_FOUND).
>
> Where do you get this message and how? Can you explain a bit how you test
> it and send the matching strace snippet?

I have cron running using the standard settings (I believe).

$ cygrunsrv --verbose --query cron
Service             : cron
Current State       : Running
Controls Accepted   : Stop
Command             : /usr/sbin/cron -D
stdin path          : /dev/null
stdout path         : /var/log/cron.log
stderr path         : /var/log/cron.log
Process Type        : Own Process
Startup             : Automatic
Account             : LocalSystem

I enabled a cron job to run "/bin/sleep 5" every minute. Then, I
attached to the already running cron process using strace. Once the job
ran, I shut down the cron service, disabled the job, and restarted the
service.

I saw the following in the strace:

   58 9889431 [main] CRON 4980 setegid32: new egid: 513 current: 544
   86 9889517 [main] CRON 4980 setegid32: SetTokenInformation(hProcToken, TokenPrimaryGroup), Win32 error 1308
   61 9889578 [main] CRON 4980 setegid32: SetTokenInformation(hProcImpToken, TokenPrimaryGroup), Win32 error 1308
   56 9889634 [main] CRON 4980 seteuid32: uid: 1003 myself->uid: 18 myself->gid: 513
   60 9889694 [main] CRON 4980 seteuid32: Found token -1
  753 9890447 [main] CRON 4980 set_privilege: 1 = set_privilege ((token 71C) SeTcbPrivilege, 1)
 1127 9891574 [main] CRON 4980 extract_nt_dom_user: pw_gecos 660EE9 (U-TELA\drothe,S-1-5-21-1275210071-616249376-839522115-1003)
 1068 9892642 [main] CRON 4980 subauth: LsaLogonUser: -1073741515
   73 9892715 [main] CRON 4980 seterrno_from_win_error: /netrel/src/cygwin/winsup/cygwin/security.cc:1067 windows error 126
   62 9892777 [main] CRON 4980 geterrno_from_win_error: windows error 126 == errno 2
   56 9892833 [main] CRON 4980 __set_errno: void seterrno_from_win_error(const char*, int, DWORD):310 val 2
  102 9892935 [main] CRON 4980 seteuid32: subauthentication failed, try create token.
  619 9893554 [main] CRON 4980 set_privilege: 0 = set_privilege ((token 71C) SeCreateTokenPrivilege, 1)
  314 9893868 [main] CRON 4980 create_token: get_token = hProcToken
  105 9893973 [main] CRON 4980 extract_nt_dom_user: pw_gecos 660EE9 (U-TELA\drothe,S-1-5-21-1275210071-616249376-839522115-1003)
31065 9925038 [main] CRON 4980 create_token: 2012 = create_token ()
  222 9925260 [main] CRON 4980 load_registry_hive: User registry hive for S-1-5-21-1275210071-616249376-839522115-1003 already exists
   93 9925353 [main] CRON 4980 set_privilege: 1 = set_privilege ((token 6BC) SeRestorePrivilege, 1)
   56 9925409 [main] CRON 4980 set_privilege: 1 = set_privilege ((token 6BC) SeBackupPrivilege, 1)
   53 9925462 [main] CRON 4980 set_privilege: 1 = set_privilege ((token 6BC) SeChangeNotifyPrivilege, 1)
   98 9925560 [main] CRON 4980 open_shared: name Global\cygwin1S4.S-1-5-21-1275210071-616249376-839522115-1003.1, n 1, shared 0x60FD0000 (wanted 0x60FD0000), h 0x94
   56 9925616 [main] CRON 4980 user_shared_initialize: opening user shared for 'S-1-5-21-1275210071-616249376-839522115-1003' at 0x60FD0000
  165 9925781 [main] CRON 4980 user_shared_initialize: user shared version D7040001
   54 9925835 [main] CRON 4980 setuid32: real: 1003, effective: 1003

> > I'm pretty much out of ideas. Any other thoughts?
>
> Are you running the services as SYSTEM or as another user account? In
> the latter case, you must add the SeTcpPrivilege to that account.
> Otherwise I have no idea what's wrong for you. I have five systems with
> four different OSes (2K, XP, 2K3, 2K3 R2 x64) running with
> subauthentication and I only had problems on 2K3 with two facts, the
> first being that the account was missing the SeTcbPrivilege, the second
> being that the subauth DLL must be built as 64 bit DLL to run correctly
> on 64 bit Windows.

I'm running the service as SYSTEM.

I just copied the cygsuba.dll from my cygwin build directory to
/c/WINDOWS/system32 and then reset the permissions.

$ ls -l /c/WINDOWS/system32/cygsuba.dll
-rwxrwx---+ 1 Administrators SYSTEM 4608 Aug 11 09:50 /c/WINDOWS/system32/cygsuba.dll

$ file !$
file /c/WINDOWS/system32/cygsuba.dll
/c/WINDOWS/system32/cygsuba.dll: PE executable for MS Windows (DLL) (console) Intel 80386 32-bit

$ getfacl !$
getfacl /c/WINDOWS/system32/cygsuba.dll
# file: /c/WINDOWS/system32/cygsuba.dll
# owner: Administrators
# group: SYSTEM
user::rwx
group::rwx
group:Users:r-x
group:Power Users:r-x
mask:rwx
other:---

$ sha1sum.exe /c/WINDOWS/system32/cygsuba.dll
87de7c4abd1db1ddb3ff243b99bc33b8e603422f */c/WINDOWS/system32/cygsuba.dll

I then added the registry key.

$ regtool get /machine/SYSTEM/CurrentControlSet/Control/Lsa/MSV1_0/Auth255
CYGSUBA

BTW, I see similar kinds of error messages when I attach strace to sshd.

--
David Rothenberger                spammer? -> spam AT daveroth DOT dyndns DOT org
GPG/PGP: 0x92D68FD8, DB7C 5146 1AB0 483A 9D27 DFBA FBB9 E328 92D6 8FD8

Love is being stupid together.
                -- Paul Valery
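
Added example, not part of the original message or of Cygwin: a small Python triage of the strace lines quoted above. It converts the signed LsaLogonUser value to its unsigned NTSTATUS form (-1073741515 is 0xC0000135, STATUS_DLL_NOT_FOUND, which matches the Win32 error 126 in the trace) and reports whether seteuid32 fell back from subauthentication to create_token. The function names, result keys and the one-entry status table are assumptions of this example.

```python
import re

# Sample input: four lines copied from the strace in the message above.
SAMPLE = r"""
 1068 9892642 [main] CRON 4980 subauth: LsaLogonUser: -1073741515
   73 9892715 [main] CRON 4980 seterrno_from_win_error: /netrel/src/cygwin/winsup/cygwin/security.cc:1067 windows error 126
  102 9892935 [main] CRON 4980 seteuid32: subauthentication failed, try create token.
31065 9925038 [main] CRON 4980 create_token: 2012 = create_token ()
"""

# Cygwin strace line: two timing columns, [thread], program, pid, function: message
LINE = re.compile(r"^\s*\d+\s+\d+\s+\[\w+\]\s+(\S+)\s+(\d+)\s+(\w+):\s+(.*)$")

# Only the status seen in this thread is listed (hypothetical helper table).
NTSTATUS_NAMES = {0xC0000135: "STATUS_DLL_NOT_FOUND"}


def to_ntstatus(signed):
    """strace prints NTSTATUS as a signed 32-bit decimal; return it unsigned."""
    return signed & 0xFFFFFFFF


def triage(text):
    """Summarise the subauth logon attempt found in a Cygwin strace excerpt."""
    out = {"ntstatus": None, "win32_error": None,
           "fallback": False, "create_token_result": None}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank or non-strace line
        func, msg = m.group(3), m.group(4)
        if func == "subauth" and msg.startswith("LsaLogonUser:"):
            out["ntstatus"] = to_ntstatus(int(msg.split(":", 1)[1]))
        elif func == "seterrno_from_win_error":
            err = re.search(r"windows error (\d+)", msg)
            if err:
                out["win32_error"] = int(err.group(1))
        elif func == "seteuid32" and "subauthentication failed" in msg:
            out["fallback"] = True
        elif func == "create_token":
            res = re.match(r"(\d+) = create_token", msg)
            if res:
                out["create_token_result"] = int(res.group(1))
    return out


if __name__ == "__main__":
    r = triage(SAMPLE)
    name = NTSTATUS_NAMES.get(r["ntstatus"], "unknown")
    print(f"LsaLogonUser NTSTATUS 0x{r['ntstatus']:08X} ({name}), "
          f"Win32 error {r['win32_error']}, fallback={r['fallback']}")
```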