Date: Wed, 23 Aug 2006 09:43:03 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: group"S-1-2-0"(users who login locally)in ssh;windows 2003

On Aug 21 11:13, Tom Rodman wrote:
> On Fri 8/18/06 16:28 +0200 cygwin AT cygwin DOT com wrote:
> > The trick using /etc/group only works for password-LESS authentication,
> > sorry for not mentioning it, but usually the problems reported here are
> > with passwordless authentication so I just assumed this is the case here, too.
>
> A trick using /etc/group *does* work for password authentication - at
> least for domain groups. We edit /etc/group, every day via a cron job -

Hmm, I'm a bit irritated since actually it can't work, at least not as you'd expect.
If a user token created by a password logon is not matching the groups you added it to, the token is treated as invalid. This would happen, for instance, if the authenticating application (say, sshd) uses setgroups(2) with an entirely different set of groups. The result is that a new token is created in Cygwin, which has nothing to do with the original password token. Especially the new token is missing the network credentials and the user is again running in the wrong logon session.

This is all a bit tricky. Right now, I don't know if it's possible to create a token with network credentials at all.

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
Please, send mails regarding Cygwin to cygwin AT cygwin DOT com