Message-ID: <44F715E7.6070609@cygwin.com>
Date: Thu, 31 Aug 2006 13:01:27 -0400
From: "Larry Hall (Cygwin)"
To: cygwin AT cygwin DOT com
Subject: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
In-Reply-To: <20060831161354.GR20467@calimero.vinschen.de>

Corinna Vinschen wrote:
> On Aug 30 14:05, Serban Simu wrote:
>> So my questions would be:
>>
>> (1) I did find a work around, but what is the explanation of this
>> problem and what is a good, solid work around?
>
> After some debugging I found that the explanation is that sshd drops
> all supplementary groups from the otherwise privileged user token.
> This results in a minimized user token when calling initgroups, which
> in turn calls NetUserGetGroups, which in turn returns "Access denied".
> The solution is to drop back to the original process token before
> calling NetUserGetGroups from initgroups. I've checked in a patch
> which should be available in the next developers snapshot from
> http://cygwin.com/snapshots/
>
> A solid workaround if you're trying to get the same with the current
> Cygwin: Add all users which want to log in this way to the gr_mem
> field of the appropriate groups in /etc/group. In your example case,
> it would look like this:
>
> Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:test1

Nice work! I recommend a new gold star! :-)

--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746
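The /etc/group workaround quoted above, as an added shell example that is not part of the original thread: it appends a user to the gr_mem (fourth) field of one group without duplicating an existing member, and writes the result to stdout so it can be reviewed before /etc/group is replaced. The function names `add_gr_mem` and `sample_group` are hypothetical, and the SID in the sample is constructed.

```shell
#!/bin/sh
# Constructed sample in Cygwin /etc/group layout: name:SID:gid:gr_mem
sample_group() {
    cat <<'EOF'
Test Users:S-1-5-21-1111111111-2222222222-3333333333-1123:11123:test1
Administrators:S-1-5-32-544:544:
EOF
}

# add_gr_mem GROUP USER [FILE]
# Print FILE (or stdin) with USER added to GROUP's gr_mem field.
# Group names may contain spaces. Exit status 2 if GROUP is not present.
add_gr_mem() {
    GR_NAME="$1" GR_USER="$2" awk -F: -v OFS=: '
        BEGIN { grp = ENVIRON["GR_NAME"]; usr = ENVIRON["GR_USER"] }
        ($1 "") == (grp "") {
            found = 1
            listed = 0
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == usr) listed = 1
            # Only rewrite the line when the user is missing.
            if (!listed) $4 = ($4 == "" ? usr : $4 "," usr)
        }
        { print }
        END { exit(found ? 0 : 2) }
    ' "${3:--}"
}

# Stand-alone use: add_gr_mem.sh GROUP USER FILE > FILE.new
if [ "$#" -eq 3 ]; then
    add_gr_mem "$1" "$2" "$3"
fi
```

Compare the output against the current file with `diff` before copying it into place, then start a new ssh session to confirm the group memberships the login receives.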