From: Serban Simu
Date: Sun, 01 Oct 2006 20:47:10 -0700
To: cygwin AT cygwin DOT com
Subject: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
Message-ID: <45208BBE.30807@asperasoft.com>

I got a chance to test the snapshot 2006-09-07. It does behave differently, but still doesn't solve the problem. whoami now shows user nt authority\system, whereas before the patch it showed sshd_server. Both the snapshot and 1.5.21 show the correct SID for the domain user.

I also verified that if I add the user name explicitly to /etc/group for each group it belongs to, other than the primary group, whoami reports the correct domain user and access to network resources works properly. Also, users that don't belong to any groups other than their primary group (which seems to be Domain Users by default) don't exhibit this problem (this is just a particular case of the previous statement).

Attached is the whoami output for the Windows 2003 computer running 1.5.21 plus the snapshot.

If I can be of any help narrowing this down, please let me know.
- Serban

> From: Corinna Vinschen
> To: cygwin at cygwin dot com
> Date: Thu, 31 Aug 2006 18:13:55 +0200
> Subject: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
> References: <44F5FD93 DOT 1020503 AT asperasoft DOT com>
> Reply-to: cygwin at cygwin dot com
>
> On Aug 30 14:05, Serban Simu wrote:
>> So my questions would be:
>> (1) I did find a work around, but what is the explanation of this problem
>> and what is a good, solid work around?
>
> After some debugging I found that the explanation is that sshd drops all
> supplementary groups from the otherwise privileged user token. This results
> in a minimized user token when calling initgroups, which in turn calls
> NetUserGetGroups, which in turn returns "Access denied". The solution is to
> drop back to the original process token before calling NetUserGetGroups
> from initgroups.
>
> I've checked in a patch which should be available in the next developers
> snapshot from http://cygwin.com/snapshots/
>
> A solid workaround if you're trying to get the same with the current Cygwin:
> Add all users which want to log in this way to the gr_mem field of the
> appropriate groups in /etc/group.
> In your example case, it would look like this:
>
>   Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:test1
>
> Corinna
>
> --
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Project Co-Leader          cygwin AT cygwin DOT com
> Red Hat

--
- Serban Simu
Aspera Inc., Berkeley CA
http://www.asperasoft.com
serban AT asperasoft DOT com
(510) 849-2386

[Attachment: whoami-snap.txt]

C:\aspera>ssh serban@192.168.1.171
serban@192.168.1.171's password:
Last login: Fri Sep 29 11:16:35 2006 from olp

serban@olp-w2003 ~
$ c:/windows/system32/whoami.exe /all

USER INFORMATION
----------------

User Name           SID
=================== ==============================================
nt authority\system S-1-5-21-4293257363-1756470469-1603820055-1107

GROUP INFORMATION
-----------------

Group Name                       Type             SID          Attributes
================================ ================ ============ ==================================================
Everyone                         Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name          Description              State
======================= ======================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
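The workaround Corinna gives (and that Serban confirms) is to list each affected user in the gr_mem field of every /etc/group entry it belongs to beyond its primary group, so that sshd's minimized token still yields the right supplementary groups. The script below is an added example, not code from this thread or from the Cygwin project: a POSIX shell function that applies that edit idempotently to a group file in Cygwin 1.5's name:SID:gid:members layout, plus a helper to list the groups a user has been added to. The group file path, the user and group names, and the sample entries are assumptions for illustration; only the "Test Users" line matches the thread, the other SIDs and gids are constructed.

```shell
#!/bin/sh
# Added example for the thread above; not code from the original mail or from
# Cygwin. Applies Corinna's workaround: put USER into the gr_mem (4th) field of
# each named /etc/group entry so initgroups no longer needs NetUserGetGroups
# to find the supplementary groups.
# Cygwin 1.5 /etc/group lines look like  name:SID:gid:member1,member2
# Assumptions: FILE, USER and GROUP are caller-supplied; the sample file below
# is constructed (only the "Test Users" SID/gid come from the thread).

# add_gr_mem FILE USER GROUP...
# Appends USER to the member list of each GROUP in FILE (in place), leaving
# entries that already list USER untouched. Returns 1 if any GROUP is missing.
add_gr_mem() {
    file=$1; user=$2; shift 2
    rc=0
    for grp in "$@"; do
        if awk -F: -v OFS=: -v g="$grp" -v u="$user" '
            $1 == g {
                found = 1
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] == u) { print; next }
                $4 = ($4 == "") ? u : ($4 "," u)
            }
            { print }
            END { if (!found) exit 1 }' "$file" > "$file.tmp"; then
            mv "$file.tmp" "$file"
        else
            rm -f "$file.tmp"
            echo "add_gr_mem: no group '$grp' in $file" >&2
            rc=1
        fi
    done
    return $rc
}

# groups_of FILE USER
# Prints, one per line, the names of the groups whose gr_mem field lists USER.
groups_of() {
    awk -F: -v u="$2" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }' "$1"
}

# make_sample_group_file FILE
# Writes a constructed /etc/group in Cygwin's layout for the demo.
make_sample_group_file() {
    cat > "$1" <<'EOF'
Administrators:S-1-5-32-544:544:
Domain Users:S-1-5-21-4293257363-1756470469-1603820055-513:10513:
Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:
EOF
}

# Demo: reproduce the "Test Users" line Corinna gives in the thread.
demo_file=$(mktemp)
make_sample_group_file "$demo_file"
add_gr_mem "$demo_file" test1 "Test Users"
grep '^Test Users:' "$demo_file"
rm -f "$demo_file"
```

Against a real installation you would run it as `add_gr_mem /etc/group serban "Test Users" "Some Other Group"` for each domain user who logs in through sshd with password authentication. Note that regenerating /etc/group from mkgroup output overwrites the file, so the edit has to be re-applied afterwards; with the snapshot fix Corinna describes, which restores the process token before NetUserGetGroups is called, the manual membership list is no longer required.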