X-Spam-Check-By: sourceware.org Message-Id: <200608181335.k7IDZpmc008129@tigris.pounder.sol.net> From: cygzz AT trodman DOT com (Tom Rodman) Reply-to: cygwin AT cygwin DOT com To: cygwin AT cygwin DOT com Subject: Re: group"S-1-2-0"(users who login locally)in ssh;windows 2003 In-reply-to: <20060818065817.GP20467@calimero.vinschen.de> References: <200608161821 DOT k7GIL5VW024015 AT tigris DOT pounder DOT sol DOT net> <200608162049 DOT k7GKnTTE024729 AT tigris DOT pounder DOT sol DOT net> <20060816211108 DOT GD27256 AT calimero DOT vinschen DOT de> <200608172349 DOT k7HNnaBK002833 AT tigris DOT pounder DOT sol DOT net> <20060818065817 DOT GP20467 AT calimero DOT vinschen DOT de> Date: Fri, 18 Aug 2006 08:35:51 -0500 X-IsSubscribed: yes Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm Precedence: bulk List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com On Fri 8/18/06 8:58 +0200 cygwin AT cygwin DOT com wrote: > On Aug 17 18:49, Tom Rodman wrote: > > > > tried that.. no joy, take a look: > > --v-v------------------C-U-T---H-E-R-E-------------------------v-v-- > > $ $WINDIR/system32/whoami /all #we're in an ssh session before edits made to /etc/group > > > > USER INFORMATION > > ---------------- > > > > User Name SID > > ========== ============================================= > > DOMxx1\adm_usr1 S-1-5-21-1390067357-1202660629-682003330-5774 > > Must be a password logon session, otherwise you would not see this > user name here, but sshd_server. Your right, it is a *password authenticated* logon session, such sessions are fine w/me for system administration work. On a separate issue, rightly or wrongly we use an expect script w/cron to schedule cron jobs that access and change files on network shares. > > $ echo local:S-1-2-0:2:adm_usr1 >> /etc/group > > $ wc -l /etc/group > > 2691 /etc/group > > $ exit > > logout > > Connection to OurSrvr065 closed. > > [16:02:33 Thu Aug 17 0j 36 2354 ~/Mail] > > [localhost rodmant]$ ssh OurSrvr065 -l adm_usr1 #~adm_usr1 is on a remote share > > Won't work, at least not with pubkey authentication. again - A home dir on a network share, works fine for us w/password authentication, so the original post/problem is for the password authentication case - sorry I did not make that clear :-< It would be interesting to see if you or otheres can duplicate the problem, using password authentication. > > adm_usr1 AT OurSrvr065's password: > > Last login: Thu Aug 17 15:58:07 2006 from 10.165.10.182 > > Welcome to ITZG compile engine .. > > Could not chdir to home directory /user/adm_usr1: Permission denied > > -bash: /etc/profile: Permission denied > > -bash: /user/adm_usr1/.bash_profile: Permission denied > > Looks quite expected. > > > -bash-3.00$ $WINDIR/system32/whoami /all #notice whoami shows wrong user name: > > > > USER INFORMATION > > ---------------- > > > > User Name SID > > ===================== ============================================= > > OurSrvr065\sshd_server S-1-5-21-1390067357-1202660629-682003330-5774 > > As expected. > > > GROUP INFORMATION > > ----------------- > > > > Group Name Type SID Attributes > > ================================ ================ ============================================= ================================================== > > Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group > > NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group > > LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group > > Well, here's the LOCAL group. What's the problem? The fact that > Windows applications asking for the user name get the wrong user name is > a result of using the logon session of the sshd server process when > using pubkey authentication. Yes I see the local group "S-1-2-0", but when I ssh'd in, I typed the password in for this session and so I expect "whoami /all" to return the username that goes with the password - more importantly I need the credentials to write to the network shares, that I normally get when using ssh via password authentication. I appreciate your help on this Corinna, *thank-you*. Most work I do does not seem to require membership in "S-1-2-0", so it's not that big a deal. > This is a long standing problem, for > years. There's no workaround for the time being. However, if you take > a look into the user token of the process using other means > (OpenProcessToken/GetTokenInformation), you'll see that the token user, > as well as the token owner is set to the user account you logged in to, > DOMxx1\adm_usr1 in this case. Thanks, I trust your right, I don't have the experience or time to write a simple tool using (OpenProcessToken/GetTokenInformation); maybe I can google and find such a tool.. -- Thank-you, Tom > Why the Windows functions returning the user name from a SID fail to > return the correct user name (as for whoami) in this scenario, is > beyond me. This is arguably a Windows bug. > > > Corinna > > -- > Corinna Vinschen Please, send mails regarding Cygwin to > Cygwin Project Co-Leader cygwin AT cygwin DOT com > Red Hat -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/