From: cygzz AT trodman DOT com (Tom Rodman)
To: cygwin AT cygwin DOT com
Reply-to: cygwin AT cygwin DOT com
Subject: Re: group "S-1-2-0" (users who login locally) in ssh; windows 2003
Date: Thu, 17 Aug 2006 18:49:36 -0500
Message-Id: <200608172349.k7HNnaBK002833@tigris.pounder.sol.net>
In-reply-to: <20060816211108.GD27256@calimero.vinschen.de>
References: <200608161821 DOT k7GIL5VW024015 AT tigris DOT pounder DOT sol DOT net> <200608162049 DOT k7GKnTTE024729 AT tigris DOT pounder DOT sol DOT net> <20060816211108 DOT GD27256 AT calimero DOT vinschen DOT de>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

On Wed 8/16/06 23:11 +0200 cygwin AT cygwin DOT com wrote:
> On Aug 16 15:49, Tom Rodman wrote:
> > On Wed 8/16/06 14:44 CDT mwoehlke wrote:
> > > Tom Rodman wrote:
> > > > Hosts affected:
> > > >
> > > > several boxes running windows 2003 server w/cygwin (1.5.20s(0.155/4/2) 20060403 13:33:45)
> > > >
> > > > Problem (or feature?):
> > > >
> > > > when you ssh to these boxes, and run:
> > > >
> > > > $WINDIR/system32/whoami /all |grep -q S-1-2-0 || echo OOPs # "OOPS" echoes :-<
> > > >
> > > > "S-1-2-0" == "Users who log on to terminals locally (physically) connected to the system."
> > > > [...]
> > > FWIW, on my 2k3 box, I show up as a member in S-1-2-0 both logged in
> > > "locally" (via Remote Desktop Sharing, with which I have never had
> > > anything "not work") and via Cygwin sshd.
--snip
> Maybe there's a difference between password and pubkey authentication?

we're using password authentication.

> Or it's some security setting?  I could easily imagine there's a switch
> in "local Security Settings" or "Domain Security Settings" which drops
> the LOCAL group from the token.

In Windows, I ran secpol.msc and browsed through it looking for
something obvious; nothing jumped out at me.  These boxes are in a large
corporate domain, and they do change and "push down" domain policies
from time to time (often without telling us).

> There's a lot of mysterious stuff in 2K3...
>
> Whatever it is, it must be something related to 2K3.  Cygwin doesn't
> differentiate between the different OSes in terms of authentication.  I
> also have the LOCAL group as part of my user token on 2K3.

thx for checking, and letting me know

> Temporary Workaround: Add the user to the local group by adding them to
> a manually created entry in /etc/group:
>
> local:S-1-2-0:2:user1,user2,...

tried that.. no joy, take a look:

--v-v------------------C-U-T---H-E-R-E-------------------------v-v--
$ $WINDIR/system32/whoami /all   #we're in an ssh session before edits made to /etc/group

USER INFORMATION
----------------

User Name       SID
=============== =============================================
DOMxx1\adm_usr1 S-1-5-21-1390067357-1202660629-682003330-5774

GROUP INFORMATION
-----------------

Group Name                           Type             SID                                            Attributes
==================================== ================ ============================================== ===============================================================
Everyone                             Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators               Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\INTERACTIVE             Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
DOMxx1\XYZ_ES_ADMIN                  Group            S-1-5-21-1390067357-1202660629-682003330-6026  Mandatory group, Enabled by default, Enabled group
DOMxx1\XYZ_ES_STAFF                  Group            S-1-5-21-1390067357-1202660629-682003330-6027  Mandatory group, Enabled by default, Enabled group
DOMxx1\XYZ_BLD_MGR                   Group            S-1-5-21-1390067357-1202660629-682003330-6025  Mandatory group, Enabled by default, Enabled group
DOMxx1\ABC_NA-CTX-Notepad-A          Group            S-1-5-21-1390067357-1202660629-682003330-9858  Mandatory group, Enabled by default, Enabled group
DOMxx1\ABC_NA-DOMxx0-tcm-Users-A     Group            S-1-5-21-1390067357-1202660629-682003330-9968  Mandatory group, Enabled by default, Enabled group
DOMxx1\XYZ_Users                     Group            S-1-5-21-1390067357-1202660629-682003330-6024  Mandatory group, Enabled by default, Enabled group
DOMxx1\ABC_NA-DL-CTX-Notepad Users-A Alias            S-1-5-21-1390067357-1202660629-682003330-9857  Mandatory group, Enabled by default, Enabled group
DOMxx1\CERTSVC_DCOM_ACCESS           Alias            S-1-5-21-1390067357-1202660629-682003330-46949 Mandatory group, Enabled by default, Enabled group, Local Group
DOMxx1\RILOE_SCM                     Alias            S-1-5-21-1390067357-1202660629-682003330-1339  Mandatory group, Enabled by default, Enabled group, Local Group
DOMxx1\C200-DL-APP-SCMUsers          Alias            S-1-5-21-1390067357-1202660629-682003330-55557 Mandatory group, Enabled by default, Enabled group, Local Group

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled

$ grep S-1-2-0 /etc/group
$ echo local:S-1-2-0:2:adm_usr1 >> /etc/group
$ wc -l /etc/group
2691 /etc/group
$ exit
logout
Connection to OurSrvr065 closed.
[16:02:33 Thu Aug 17 0j 36 2354 ~/Mail]
[localhost rodmant]$ ssh OurSrvr065 -l adm_usr1   #~adm_usr1 is on a remote share
adm_usr1 AT OurSrvr065's password:
Last login: Thu Aug 17 15:58:07 2006 from 10.165.10.182
Welcome to ITZG compile engine ..
Could not chdir to home directory /user/adm_usr1: Permission denied
-bash: /etc/profile: Permission denied
-bash: /user/adm_usr1/.bash_profile: Permission denied
-bash-3.00$ $WINDIR/system32/whoami /all   #notice whoami shows wrong user name:

USER INFORMATION
----------------

User Name              SID
====================== =============================================
OurSrvr065\sshd_server S-1-5-21-1390067357-1202660629-682003330-5774

GROUP INFORMATION
-----------------

Group Name                       Type             SID                                           Attributes
================================ ================ ============================================= ==================================================
Everyone                         Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE             Well-known group S-1-5-6                                       Mandatory group, Enabled by default, Enabled group
DOMxx1\ABC_NA-CTX-Notepad-A      Group            S-1-5-21-1390067357-1202660629-682003330-9858 Mandatory group, Enabled by default, Enabled group
DOMxx1\ABC_NA-DOMxx0-tcm-Users-A Group            S-1-5-21-1390067357-1202660629-682003330-9968 Mandatory group, Enabled by default, Enabled group
DOMxx1\XYZ_BLD_MGR               Group            S-1-5-21-1390067357-1202660629-682003330-6025 Mandatory group, Enabled by default, Enabled group
DOMxx1\XYZ_ES_ADMIN              Group            S-1-5-21-1390067357-1202660629-682003330-6026 Mandatory group, Enabled by default, Enabled group
DOMxx1\XYZ_ES_STAFF              Group            S-1-5-21-1390067357-1202660629-682003330-6027 Mandatory group, Enabled by default, Enabled group
DOMxx1\XYZ_Users                 Group            S-1-5-21-1390067357-1202660629-682003330-6024 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators           Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= =======
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeSecurityPrivilege             Manage auditing and security log          Enabled
SeBackupPrivilege               Back up files and directories             Enabled
SeRestorePrivilege              Restore files and directories             Enabled
SeSystemtimePrivilege           Change the system time                    Enabled
SeShutdownPrivilege             Shut down the system                      Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Enabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Enabled
SeDebugPrivilege                Debug programs                            Enabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Enabled
SeSystemProfilePrivilege        Profile system performance                Enabled
SeProfileSingleProcessPrivilege Profile single process                    Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Enabled
SeLoadDriverPrivilege           Load and unload device drivers            Enabled
SeCreatePagefilePrivilege       Create a pagefile                         Enabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Enabled
SeUndockPrivilege               Remove computer from docking station      Enabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Enabled

-bash-3.00$

> Corinna
>
> --
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Project Co-Leader          cygwin AT cygwin DOT com
> Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
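Added example, not code from the post above or from Cygwin. The thread checks the session token by eye with `whoami /all | grep -q S-1-2-0`; this script parses the same `whoami /all` report and, besides the S-1-2-0 test, compares the token's user name with the account that logged in and lists the privileges that are Enabled, because the second whoami in the post shows the ssh session holding OurSrvr065\sshd_server's token with every privilege enabled rather than adm_usr1's. The two samples are constructed, cut down from the thread's own output; the function names and the choice of SeDebugPrivilege and SeTakeOwnershipPrivilege as the privileges to flag are this example's assumptions.

```shell
#!/bin/bash
# Added example (not from the mailing-list post or Cygwin): sanity-check a
# Cygwin ssh session token from `whoami /all` output.
#   token_has_sid SID  - is SID one of the token's groups?
#   token_user         - DOMAIN\user the token belongs to
#   enabled_privs      - privileges whose State is Enabled
#   check_session USER - all three, exit 0 only for a healthy USER session

# Constructed sample, trimmed from the thread's first whoami (before the /etc/group edit).
SAMPLE_BEFORE='USER INFORMATION
----------------
User Name       SID
=============== =============================================
DOMxx1\adm_usr1 S-1-5-21-1390067357-1202660629-682003330-5774
GROUP INFORMATION
-----------------
Group Name                       Type             SID          Attributes
================================ ================ ============ ==================================================
Everyone                         Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name           Description                               State
======================== ========================================= ========
SeChangeNotifyPrivilege  Bypass traverse checking                  Enabled
SeDebugPrivilege         Debug programs                            Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects  Disabled
SeImpersonatePrivilege   Impersonate a client after authentication Enabled'

# Constructed sample, trimmed from the thread's second whoami (after the edit).
SAMPLE_AFTER='USER INFORMATION
----------------
User Name              SID
====================== =============================================
OurSrvr065\sshd_server S-1-5-21-1390067357-1202660629-682003330-5774
GROUP INFORMATION
-----------------
Group Name                       Type             SID          Attributes
================================ ================ ============ ==================================================
Everyone                         Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE             Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators           Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name           Description                               State
======================== ========================================= ========
SeChangeNotifyPrivilege  Bypass traverse checking                  Enabled
SeDebugPrivilege         Debug programs                            Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects  Enabled
SeImpersonatePrivilege   Impersonate a client after authentication Enabled'

# awk prelude: track which section of the whoami report a line belongs to.
AWK_SECTIONS='
  /^USER INFORMATION/       { sec = "user";  next }
  /^GROUP INFORMATION/      { sec = "group"; next }
  /^PRIVILEGES INFORMATION/ { sec = "priv";  next }
'

# Print DOMAIN\user: the USER row is the one whose last field is a SID.
token_user() {
  awk "$AWK_SECTIONS"' sec == "user" && $NF ~ /^S-1-/ { $NF = ""; sub(/ +$/, ""); print; exit }'
}

# Exit 0 if $1 is exactly one of the group SIDs (field-wise, so S-1-5-32 does not match S-1-5-32-544).
token_has_sid() {
  awk -v sid="$1" "$AWK_SECTIONS"'
    sec == "group" { for (i = 1; i <= NF; i++) if ($i == sid) { found = 1; exit } }
    END { if (found) exit 0; exit 1 }'
}

# One privilege name per line for every row whose State column is Enabled.
enabled_privs() {
  awk "$AWK_SECTIONS"' sec == "priv" && $1 ~ /^Se.*Privilege$/ && $NF == "Enabled" { print $1 }'
}

check_session() {
  local expected="$1" report user short rc=0 n p
  report=$(tr -d '\r')            # whoami emits CRLF; strip CR before parsing
  user=$(printf '%s\n' "$report" | token_user)
  short=${user##*\\}              # drop the DOMAIN\ prefix
  if [ "$short" != "$expected" ]; then
    printf '%s\n' "WARN: token user is '$user', expected '$expected'"; rc=1
  fi
  if printf '%s\n' "$report" | token_has_sid S-1-2-0; then
    printf '%s\n' "ok: LOCAL (S-1-2-0) is in the token"
  else
    printf '%s\n' "OOPS: LOCAL (S-1-2-0) is missing from the token"; rc=1
  fi
  n=$(printf '%s\n' "$report" | enabled_privs | awk 'END { print NR }')
  printf '%s\n' "enabled privileges: $n"
  # Assumption: an ordinary user's session should never have these enabled.
  for p in SeDebugPrivilege SeTakeOwnershipPrivilege; do
    if printf '%s\n' "$report" | enabled_privs | grep -qx "$p"; then
      printf '%s\n' "WARN: $p is Enabled"; rc=1
    fi
  done
  return $rc
}

# Stand-alone run: report on both constructed samples.
printf '%s\n' "== before /etc/group edit =="; printf '%s\n' "$SAMPLE_BEFORE" | check_session adm_usr1 || true
printf '%s\n' "== after /etc/group edit ==";  printf '%s\n' "$SAMPLE_AFTER"  | check_session adm_usr1 || true
```

In an ssh session on one of the affected hosts, source the file and run `$WINDIR/system32/whoami /all | check_session adm_usr1`; the first sample reproduces the thread's "OOPS" (LOCAL absent), the second fails on the user name and on the enabled privileges even though S-1-2-0 is now present, which is the more serious of the two results.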