Date: Fri, 18 Aug 2006 08:58:17 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: group"S-1-2-0"(users who login locally)in ssh;windows 2003
Message-ID: <20060818065817.GP20467@calimero.vinschen.de>

On Aug 17 18:49, Tom Rodman wrote:
>
> tried that.. no joy, take a look:
> --v-v------------------C-U-T---H-E-R-E-------------------------v-v--
> $ $WINDIR/system32/whoami /all #we're in an ssh session before edits made to /etc/group
>
> USER INFORMATION
> ----------------
>
> User Name       SID
> ==========      =============================================
> DOMxx1\adm_usr1 S-1-5-21-1390067357-1202660629-682003330-5774

Must be a password logon session, otherwise you would not see this
user name here, but sshd_server.

> $ echo local:S-1-2-0:2:adm_usr1 >> /etc/group
> $ wc -l /etc/group
> 2691 /etc/group
> $ exit
> logout
> Connection to OurSrvr065 closed.
> [16:02:33 Thu Aug 17 0j 36 2354 ~/Mail]
> [localhost rodmant]$ ssh OurSrvr065 -l adm_usr1 #~adm_usr1 is on a remote share

Won't work, at least not with pubkey authentication.

> adm_usr1 AT OurSrvr065's password:
> Last login: Thu Aug 17 15:58:07 2006 from 10.165.10.182
> Welcome to ITZG compile engine ..
> Could not chdir to home directory /user/adm_usr1: Permission denied
> -bash: /etc/profile: Permission denied
> -bash: /user/adm_usr1/.bash_profile: Permission denied

Looks quite expected.

> -bash-3.00$ $WINDIR/system32/whoami /all #notice whoami shows wrong user name:
>
> USER INFORMATION
> ----------------
>
> User Name              SID
> =====================  =============================================
> OurSrvr065\sshd_server S-1-5-21-1390067357-1202660629-682003330-5774

As expected.

> GROUP INFORMATION
> -----------------
>
> Group Name                       Type             SID                                           Attributes
> ================================ ================ ============================================= ==================================================
> Everyone                         Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
> NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
> LOCAL                            Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group

Well, here's the LOCAL group.  What's the problem?

The fact that Windows applications asking for the user name get the
wrong user name is a result of using the logon session of the sshd
server process when using pubkey authentication.  This is a long
standing problem, for years.  There's no workaround for the time being.

However, if you take a look into the user token of the process using
other means (OpenProcessToken/GetTokenInformation), you'll see that the
token user, as well as the token owner is set to the user account you
logged in to, DOMxx1\adm_usr1 in this case.

Why the Windows functions returning the user name from a SID fail to
return the correct user name (as for whoami) in this scenario, is
beyond me.  This is arguably a Windows bug.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
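
Added example (not part of the message above and not Cygwin code): a PowerShell script that reads the access token of the current process through .NET's WindowsIdentity class and reports the token user SID, the token owner SID and whether LOCAL (S-1-2-0) is among the token groups, next to the user name reported by [Environment]::UserName. Resolve-SidName and Get-TokenSummary are hypothetical helper names; the script is meant to be run inside the ssh session being examined.

```powershell
# Added example: inspect the process token directly instead of trusting
# a resolved user name. Helper names are hypothetical.
$LocalSid = 'S-1-2-0'   # well-known LOCAL group, as in the whoami output above

function Resolve-SidName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # Name lookup may fail; the SID itself is what access checks use.
    try {
        $Sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        '<unresolved>'
    }
}

function Get-TokenSummary {
    # GetCurrent() returns the identity of the calling process token
    # (or the thread token when the thread is impersonating).
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groupSids = @($id.Groups | ForEach-Object { $_.Value })
    [pscustomobject]@{
        TokenUserSid   = $id.User.Value
        TokenUserName  = Resolve-SidName $id.User
        TokenOwnerSid  = $id.Owner.Value
        TokenOwnerName = Resolve-SidName $id.Owner
        ApiUserName    = [Environment]::UserName   # name as reported by the OS API
        HasLocalGroup  = $groupSids -contains $LocalSid
        GroupCount     = $groupSids.Count
    }
}

$summary = Get-TokenSummary
$summary | Format-List

# Flag a mismatch between the API-reported name and the token user's account name.
if ($summary.TokenUserName -ne '<unresolved>') {
    $account = ($summary.TokenUserName -split '\\')[-1]
    if ($account -ne $summary.ApiUserName) {
        Write-Warning ("API user name '{0}' differs from token user '{1}' ({2}); compare SIDs, not names." -f `
            $summary.ApiUserName, $summary.TokenUserName, $summary.TokenUserSid)
    }
}
```

For audit or access-control decisions in such sessions, the TokenUserSid and TokenOwnerSid fields are the values to record, since they do not depend on name resolution.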