Message-ID: <45315EA8.8060203@cygwin.com>
Date: Sat, 14 Oct 2006 18:03:20 -0400
From: "Larry Hall (Cygwin)"
To: cygwin AT cygwin DOT com
Subject: Re: Shared home dir, samba workgroups and ssh

Andrew DeFaria wrote:
> Here's the story. I use Cygwin on my XP desktop. I like having a home
> directory on Windows that is the same home directory on Unix/Linux
> machines. Often companies offer access to your Unix/Linux home directory
> via Samba. Also, often companies do not bother to set up a Samba server
> which participates in a domain, so the Samba server is configured as
> being in a workgroup.
>
> Now for a long time I struggled with this. I would map // server>/ -> my
> H drive then mount the H drive as /home and
> make sure my Cygwin /etc/passwd referred to my home directory of
> /home/$USER. All is great.
>
> But when dealing with Samba servers who are configured into workgroups
> innocuous activities in Cygwin would elicit permission denied messages.
> For example, touching a file in the home directory and indeed even
> vi'ing a file, etc. Creating a file within Windows Explorer or using
> other Windows oriented tools would work just fine. Files created on the
> Unix/Linux side would also work fine but when looked at from Cygwin on
> the PC would have odd (read "nobody") ownerships and permissions.
>
> Of course as Cygwin is often not supported by the typical company's IT
> department and because many people do not attempt to utilize Cygwin
> fully often requests for assistance and change fell on deaf ears...
>
> Eventually I figured out that my Windows SID in /etc/passwd is the SID
> of my domain user and since the Samba server was not in the domain my
> SID does not authenticate properly. Then I had a breakthrough in that I
> realized that I was using SMBNTSEC as well as NTSEC in my Cygwin
> environment. I figured "Yeah I want to use the same Windows security for
> SMB mounted drives too". This is where my problem lies and it's because
> the Samba server configured by the client does not participate in the
> Windows domain from which I've logged in.
>
> Now I'm pretty sure that Samba could be configured properly into a
> Windows domain as Samba can be configured as a PDC or a BDC, but many
> clients don't bother to go that far. So why is Windows able to deal with
> this but not Cygwin?
>
> I believe that this is because within Samba a very basic approach is
> kept towards storing of user identification information. Indeed basic
> Samba just has an smbpasswd file which is much like your typical
> Unix/Linux /etc/passwd file and it is not designed to carry extra
> information about users and machine accounts as well as multiple groups
> and trust associations, etc. Even Samba documents talk about hooking
> Samba up to either LDAP or what they call a Trivial DataBase (TDB) in
> order to store such additional Windows only information.
>
> So I thought the simple solution was to remove SMBNTSEC from my Cygwin
> environment and all would be fine. And indeed it is! Well almost...
>
> Along comes ssh... So I like to use ssh to log into various Unix/Linux
> systems as I work. And again I share my home directory between Windows
> and Unix/Linux.
> Finally I like setting up passwordless public key ssh
> login as I'm not one of those who likes having to type in his password
> hundreds of times a day. But ssh is picky about permissions of your
> ~/.ssh and ~/.ssh/id_ key files. When ssh'ing from Cygwin to a
> Unix/Linux box I am now receiving the following:
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Permissions 0644 for '/home/x0062320/.ssh/id_rsa' are too open.
> It is recommended that your private key files are NOT accessible by
> others.
> This private key will be ignored.
> bad permissions: ignore key: /home/x0062320/.ssh/id_rsa
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Permissions 0644 for '/home/x0062320/.ssh/id_dsa' are too open.
> It is recommended that your private key files are NOT accessible by
> others.
> This private key will be ignored.
> bad permissions: ignore key: /home/x0062320/.ssh/id_dsa
> x0062320 AT stashu's password:
>
> And, of course, I need to type in my password again! What I believe is
> happening is that because my home directory is SMB mounted and SMBNTSEC
> is off then Cygwin reports that files like ~/.ssh/id_rsa are 0644 even
> if I change them on Unix/Linux to 0600. So, for example:
>
> $ ls -l ~/.ssh/id_rsa
> -rw------- 1 x0062320 generic 887 Aug 31 16:43 /home/x0062320/.ssh/id_rsa
>
> While:
>
> $ ls -l ~/.ssh/id_rsa
> -rw-r--r-- 1 x0062320 Domain Users 887 Aug 31 16:43 /home/x0062320/.ssh/id_rsa
>
> Is there any way to work around this problem (short of reconfiguring the
> Samba server)?
>

Not that I know of, no. You'd need to turn off "StrictModes" in the server
for this to work. An alternative might be for you to mount your .ssh
directory to something local.

-- 
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746
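
Added example (not part of the original thread): a shell version of the permission test behind the "UNPROTECTED PRIVATE KEY FILE" warning quoted above, together with a probe for whether chmod takes effect in a directory, which is the symptom described for the SMB-mounted home. The function names and the file name keyperm.sh are made up for this example, and it assumes GNU stat and mktemp from coreutils.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat and mktemp.

# key_mode_ok FILE: succeed if ssh's private-key permission test would pass.
# A key owned by the invoking user is refused when any group/other bit is
# set, i.e. when (mode & 077) != 0; 0644 fails, 0600 passes.
key_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    owner=$(stat -c '%u' "$1") || return 2
    if [ "$owner" != "$(id -u)" ]; then return 0; fi
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# chmod_sticks DIR: succeed if a probe file in DIR reports 600 after chmod 600.
# On a mount that does not map POSIX modes (the SMB home in the thread, with
# smbntsec off) the reported mode stays at something like 644.
chmod_sticks() {
    probe=$(mktemp "$1/.permprobe.XXXXXX") || return 2
    chmod 600 "$probe"
    got=$(stat -c '%a' "$probe")
    rm -f "$probe"
    [ "$got" = "600" ]
}

# audit_keys DIR: list id_* private keys in DIR; fail if ssh would ignore any.
audit_keys() {
    bad=0
    for f in "$1"/id_*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac
        if key_mode_ok "$f"; then
            echo "ok      $f"
        else
            echo "IGNORED $f (mode $(stat -c '%a' "$f"))"
            bad=1
        fi
    done
    [ "$bad" -eq 0 ]
}

# Usage: sh keyperm.sh ~/.ssh
if [ $# -gt 0 ]; then
    audit_keys "$1"
    chmod_sticks "$1" ||
        echo "chmod has no effect in $1; keep the private keys on a local disk"
fi
```

When chmod_sticks fails for the directory holding the keys, no chmod on the Cygwin side will satisfy the check, which is why the reply's suggestion of a local .ssh directory works.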