X-Spam-Check-By: sourceware.org To: cygwin AT cygwin DOT com From: Andrew DeFaria Subject: Re: Shared home dir, samba workgroups and ssh Date: Tue, 17 Oct 2006 23:50:14 -0500 Lines: 97 Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit User-Agent: Thunderbird 1.5.0.7 (Windows/20060909) In-Reply-To: X-IsSubscribed: yes Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm Precedence: bulk List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Andrew DeFaria wrote: > Here's the story. I use Cygwin on my XP desktop. I like having a home > directory on Windows that is the same home directory on Unix/Linux > machines. Often companies offer access to your Unix/Linux home > directory via Samba. Also, often companies do not bother to set up a > Samba server wish participates in a domain, so the Samba server is > configured as being in a workgroup. > > Now for a long time I struggled with this. I would map // server>/ -> my H drive then mount the H drive as /home and > make sure my Cygwin /etc/password referred to my home directory of > /home/$USER. All is great. > > But when dealing with Samba servers who are configured into workgroups > innocuous activities in Cygwin would elicit permission denied > messages. For example, touching a file in the home directory and > indeed even vi'ing a file, etc. Creating a file within Windows > Explorer or using other Windows oriented tools would work just fine. > Files created on the Unix/Linux side would also work fine but when > looked at from Cygwin on the PC would have odd (read "nobody") > ownerships and permissions. > > Of course as Cygwin is often not supported by the typical company's IT > department and because many people do not attempt to utilize Cygwin > fully often requests for assistance and change fell on deaf ears... > > Eventually I figured out that my Windows SID in /etc/passwd is the SID > of my domain user and since the Samba server was not in the domain my > SID does not authenticate properly. Then I had a break through in that > I realized that I was using SMBNTSEC as well as NTSEC in my Cygwin > environment. I figured "Yeah I want to use the same Windows security > for SMB mounted drives too". This is where my problem lies and it's > because the Samba server configured by the client does not participate > in the Windows domain from which I've logged in. > > Now I'm pretty sure that Samba could be configured properly into a > Windows domain as Samba can be configured as a PDC or a BDC, but many > clients don't bother to go that far. So why is Windows able to deal > with this but not Cygwin? > > I believe that this is because within Samba a very basic approach is > kept towards storing of user identification information. Indeed basic > Samba just has an smbpasswd file which is much like your typical > Unix/Linux /etc/passwd file and it is not designed to carry extra > information about users and machine accounts as well as multiple > groups and trust associations, etc. Even Samba documents talks about > hooking Samba up to either LDAP or what they call a Trivial DataBase > (TDB) in order to store such additional Windows only information. > > So I thought the simple solution was to remove SMBNTSEC from my Cygwin > environment and all would be fine. And indeed it is! Well almost... > > Along comes ssh... So I like to use ssh to log into various Unix/Linux > systems as I work. And again I share my home directory between Windows > and Unix/Linux. Finally I like setting up passwordless public key ssh > login as I'm not one of those who likes having to type in his password > hundreds of times a day. But ssh's is picky about permissions of your > ~/.ssh and ~/.ssh/id_ key files. When ssh'ing from Cygwin to a > Unix/Linux box I am now receiving the following: > > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > Permissions 0644 for '/home/x0062320/.ssh/id_rsa' are too open. > It is recommended that your private key files are NOT accessible by > others. > This private key will be ignored. > bad permissions: ignore key: /home/x0062320/.ssh/id_rsa > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > Permissions 0644 for '/home/x0062320/.ssh/id_dsa' are too open. > It is recommended that your private key files are NOT accessible by > others. > This private key will be ignored. > bad permissions: ignore key: /home/x0062320/.ssh/id_dsa > x0062320 AT stashu's password: > > And, of course, I need to type in my password again! What I believe is > happening is that because my home directory is SMB mounted and > SMBNTSEC is off then Cygwin reports that files like ~/.ssh/id_rsa are > 0644 even if I change them on Unix/Linux to 0600. So, for example: > > $ ls -l ~/.ssh/id_rsa > -rw------- 1 x0062320 generic 887 Aug 31 16:43 > /home/x0062320/.ssh/id_rsa > > While: > > $ ls -l ~/.ssh/id_rsa > -rw-r--r-- 1 x0062320 Domain Users 887 Aug 31 16:43 > /home/x0062320/.ssh/id_rsa > > Is there any way to work around this problem (short of reconfiguring > the Samba server)? Anybody care to venture a guess here? Is my suspicions about SMBNTSEC correct? -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/