Message-ID: <44F6293F.2050603@asperasoft.com>
Date: Wed, 30 Aug 2006 17:11:43 -0700
From: Serban Simu
To: cygwin@cygwin.com
Subject: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
Mailing-List: cygwin@cygwin.com (run by ezmlm)

I'm attaching the whoami results:

whoami-win.txt - whoami run when logged on to the Windows computer directly (both OFFICE\test1 and SM2WIN2003\local1)
whoami-ssh.txt - whoami run while ssh-ed in as the user test1 (in both cases, with and without the Test Users group in /etc/group) and as user local1

The interesting observations are:

- when ssh-ed in as user test1, the SID reported by whoami is the correct SID of the user in both cases. In one case the name is correct, in the other the name is sshd_server
- when ssh-ed in as user test1 with the stripped-down /etc/group such that whoami displays the right user, the group information is almost identical to whoami run when logged on directly through Windows, with the exception of the group LOCAL, which is missing.
(also forgot to mention, the credit for the idea of stripping off /etc/group goes to Dave Perdue)

> From: "Larry Hall (Cygwin)"
> To: cygwin at cygwin dot com
> Date: Wed, 30 Aug 2006 17:54:57 -0400
> Subject: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
> References: <44F5FD93.1020503@asperasoft.com>
> Reply-to: cygwin at cygwin dot com
>
> Serban Simu wrote:
>> I did notice a number of postings around this subject, but couldn't see a
>> resolution (Corinna answered a Feb '06 posting by Dave Perdue that the
>> problem should be fixed in 1.5.20, which is why I'm reposting for 1.5.21).
>> I am exclusively using password auth (and am aware of the pubkey auth
>> limitations).
>>
>> The basic setup is a Win 2003 R2 standard server, member of a domain
>> (machine name is SM2WIN2003 and domain is OFFICE). Installed 1.5.21 and
>> ran ssh-host-config. All goes well and I have the sshd service running as
>> local user sshd_server. Then ran mkpasswd and mkgroup:
>>
>>   mkpasswd -l > /etc/passwd
>>   mkpasswd -d >> /etc/passwd   (I only have one domain so this is the same as mkpasswd -d OFFICE)
>>   mkgroup -l > /etc/group
>>   mkgroup -d >> /etc/group
>>
>> If I ssh as a local user "local1", windows whoami returns sm2win2003\local1
>> If I ssh as domain user "test1", windows whoami returns sm2win2003\sshd_server (BAD)
>>
>> If I strip the /etc/group file to only:
>>
>>   SYSTEM:S-1-5-18:18:
>>   None:S-1-5-21-3712540747-3723856708-2352634044-513:513:
>>   Domain Users:S-1-5-21-4293257363-1756470469-1603820055-513:10513:
>>
>> Then ssh as domain user "test1", windows whoami returns office\test1 (GOOD)
>>
>> Now, I tried adding the minimum possible to /etc/group to create the
>> problem, so if I just add one line:
>>
>>   SYSTEM:S-1-5-18:18:
>>   None:S-1-5-21-3712540747-3723856708-2352634044-513:513:
>>   Domain Users:S-1-5-21-4293257363-1756470469-1603820055-513:10513:
>>   Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:
>>
>> Then ssh as domain user "test1", windows whoami returns sm2win2003\sshd_server (BAD)
>>
>> My domain user test1 is a member of domain group Test Users.
>>
>> So my questions would be:
>>
>> (1) I did find a workaround, but what is the explanation of this problem
>> and what is a good, solid workaround?
>> (2) Is there a way and a plan to straighten out this behavior, and maybe
>> document the usage in Win 2003 domain environments (I'm assuming that most
>> people would be interested in accessing network resources in Win 2003
>> domains, which is why this is a problem in the first place)?
>>
>> Also, I believe that I didn't have this problem on older Win 2003 (before
>> R2), but I no longer have a test setup to confirm it.
>>
>> Attached is the full "whoami /all" output and cygcheck.out.
>
> Interesting results. It would be interesting to see what "whoami /all"
> reports for these users locally as well, without the sshd "filter". I
> expect the issue at hand here is that one group for each user is the
> primary group. My WAG is that "Test Users" is the primary group for the
> user "test1". Off the top of my head, it's not clear how adding the group
> to the '/etc/group' file changes things though.
>
> --
> Larry Hall                              http://www.rfk.com
> RFK Partners, Inc.                      (508) 893-9779 - RFK Office
> 216 Dalton Rd.                          (508) 893-9889 - FAX
> Holliston, MA 01746


Attachment: whoami-win.txt

##########################################################################
# Locally logged in user OFFICE\test1                                    #
##########################################################################

USER INFORMATION
----------------

User Name    SID
============ ==============================================
office\test1 S-1-5-21-4293257363-1756470469-1603820055-1125

GROUP INFORMATION
-----------------

Group Name                       Type             SID                                            Attributes
================================ ================ ============================================== ===============================================================
Everyone                         Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators           Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                    Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization   Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
OFFICE\Test Users                Group            S-1-5-21-4293257363-1756470469-1603820055-1123 Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled

##########################################################################
# Locally logged in user SM2WIN2003\local1                               #
##########################################################################

USER INFORMATION
----------------

User Name         SID
================= ==============================================
sm2win2003\local1 S-1-5-21-3712540747-3723856708-2352634044-1009

GROUP INFORMATION
-----------------

Group Name                       Type             SID          Attributes
================================ ================ ============ ==================================================
Everyone                         Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization   Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name          Description              State
======================= ======================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled


Attachment: whoami-ssh.txt

#####################################################################
# LOGIN AS LOCAL USER local1                                        #
#####################################################################

C:\>ssh local1@192.168.3.54
local1@192.168.3.54's password:

local1@sm2win2003 ~$ C:/windows/system32/whoami /all

USER INFORMATION
----------------

User Name         SID
================= ==============================================
sm2win2003\local1 S-1-5-21-3712540747-3723856708-2352634044-1009

GROUP INFORMATION
-----------------

Group Name                       Type             SID          Attributes
================================ ================ ============ ==================================================
Everyone                         Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization   Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name          Description              State
======================= ======================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled

local1@sm2win2003 ~ $ exit
logout
Connection to 192.168.3.54 closed.

#####################################################################
# LOGIN AS DOMAIN USER test1 (/etc/group has Test Users)            #
#####################################################################

C:\>ssh test1@192.168.3.54
test1@192.168.3.54's password:
Last login: Wed Aug 30 11:43:21 2006 from 192.168.1.12

test1@sm2win2003 ~$ c:/windows/system32/whoami /all

USER INFORMATION
----------------

User Name              SID
====================== ==============================================
sm2win2003\sshd_server S-1-5-21-4293257363-1756470469-1603820055-1125

GROUP INFORMATION
-----------------

Group Name                       Type             SID          Attributes
================================ ================ ============ ==================================================
Everyone                         Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE             Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators           Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= =======
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeSecurityPrivilege             Manage auditing and security log          Enabled
SeBackupPrivilege               Back up files and directories             Enabled
SeRestorePrivilege              Restore files and directories             Enabled
SeSystemtimePrivilege           Change the system time                    Enabled
SeShutdownPrivilege             Shut down the system                      Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Enabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Enabled
SeDebugPrivilege                Debug programs                            Enabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Enabled
SeSystemProfilePrivilege        Profile system performance                Enabled
SeProfileSingleProcessPrivilege Profile single process                    Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Enabled
SeLoadDriverPrivilege           Load and unload device drivers            Enabled
SeCreatePagefilePrivilege       Create a pagefile                         Enabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Enabled
SeUndockPrivilege               Remove computer from docking station      Enabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Enabled

test1@sm2win2003 ~ $ exit
logout
Connection to 192.168.3.54 closed.

#####################################################################
# LOGIN AS DOMAIN USER test1 (/etc/group doesn't have Test Users)   #
#####################################################################

C:\Documents and Settings\asp1\Desktop>ssh test1@192.168.3.54
test1@192.168.3.54's password:
Last login: Wed Aug 30 13:05:37 2006 from 192.168.1.12

test1@sm2win2003 ~ $ c:/windows/system32/whoami /all

USER INFORMATION
----------------

User Name    SID
============ ==============================================
office\test1 S-1-5-21-4293257363-1756470469-1603820055-1125

GROUP INFORMATION
-----------------

Group Name                       Type             SID                                            Attributes
================================ ================ ============================================== ===============================================================
Everyone                         Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators           Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                    Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization   Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
OFFICE\Test Users                Group            S-1-5-21-4293257363-1756470469-1603820055-1123 Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled

test1@sm2win2003 ~ $ exit
logout
Connection to 192.168.3.54 closed.


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
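As an added example (not code from this thread or from Cygwin), a small Python check that parses two "whoami /all" listings and reports where an ssh session's token departs from the same user's console logon: the same SID reported under a different name, groups gained or lost, and privileges that are enabled only under ssh. The embedded samples are constructed abbreviations of the attached listings (the OFFICE\test1 console logon as baseline and the BAD ssh case).

```python
import re

# Constructed samples, abbreviated from the whoami /all listings attached to this mail: the console
# logon of OFFICE\test1 (baseline) and the BAD ssh case, where the name reads sshd_server but the SID is test1's.
BASELINE = r"""USER INFORMATION
office\test1 S-1-5-21-4293257363-1756470469-1603820055-1125
GROUP INFORMATION
Everyone          Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
OFFICE\Test Users Group            S-1-5-21-4293257363-1756470469-1603820055-1123 Mandatory group, Enabled group
PRIVILEGES INFORMATION
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeDebugPrivilege        Debug programs           Disabled
"""
SSH_BAD = r"""USER INFORMATION
sm2win2003\sshd_server S-1-5-21-4293257363-1756470469-1603820055-1125
GROUP INFORMATION
Everyone             Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeDebugPrivilege        Debug programs           Enabled
"""
SID = r"S-1-[\d-]+"

def parse_whoami(text):
    """Extract (name, SID), {group SID: name} and {privilege: state} from 'whoami /all' text."""
    info, section = {"user": None, "groups": {}, "privs": {}}, None
    for line in text.splitlines():
        if line.endswith("INFORMATION"):
            section = line.split()[0]  # USER, GROUP or PRIVILEGES
        elif section == "USER" and (m := re.match(rf"(\S+)\s+({SID})\s*$", line)):
            info["user"] = (m.group(1), m.group(2))
        elif section == "GROUP" and (m := re.match(rf"(.+?)\s+(?:Well-known group|Alias|Group)\s+({SID})\s", line)):
            info["groups"][m.group(2)] = m.group(1)
        elif section == "PRIVILEGES" and (m := re.match(r"(Se\w+Privilege)\s.*\s(Enabled|Disabled)\s*$", line)):
            info["privs"][m.group(1)] = m.group(2)
    return info

def compare_tokens(baseline, session):
    """List where the ssh session token departs from the direct-logon baseline."""
    findings = []
    (bname, bsid), (sname, ssid) = baseline["user"], session["user"]
    if ssid != bsid or sname != bname:  # same SID under another name is the symptom in this thread
        findings.append(("user_mismatch", sname, ssid))
    for sid in sorted(baseline["groups"].keys() - session["groups"].keys()):
        findings.append(("missing_group", sid))  # e.g. LOCAL or the user's own domain groups
    for sid in sorted(session["groups"].keys() - baseline["groups"].keys()):
        findings.append(("extra_group", sid))  # e.g. NT AUTHORITY\SERVICE inherited from the sshd token
    for priv, state in session["privs"].items():
        if state == "Enabled" and baseline["privs"].get(priv) != "Enabled":
            findings.append(("privilege_enabled_only_under_ssh", priv))
    return findings
```

Run it against a full console listing and a full ssh listing of the same account; an empty result means the session token matches the user's own logon.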