Date: Sun, 20 Jul 2008 14:27:54 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
Message-ID: <20080720122754.GP5675@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <3B3EFBD49B94AD4DBB7B7097257A8046DD020D AT FDSVAST06SXCH01 DOT flooddata DOT net>
 <20080513073720 DOT GA22193 AT calimero DOT vinschen DOT de>
 <3B3EFBD49B94AD4DBB7B7097257A8046DD02FC AT FDSVAST06SXCH01 DOT flooddata DOT net>
 <20080616210105 DOT GI731 AT calimero DOT vinschen DOT de>
 <20080616211352 DOT GK731 AT calimero DOT vinschen DOT de>
 <48821B9F DOT 6070907 AT cwilson DOT fastmail DOT fm>
 <20080719171235 DOT GO5675 AT calimero DOT vinschen DOT de>
 <488252B5 DOT 8000501 AT cwilson DOT fastmail DOT fm>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <488252B5.8000501@cwilson.fastmail.fm>
User-Agent: Mutt/1.5.16 (2007-06-09)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

On Jul 19 16:46, Charles Wilson wrote:
> Corinna Vinschen wrote:
>> However, I sent a second patch in
>> http://cygwin.com/ml/cygwin/2008-06/msg00453.html
>> The Interactive Logon Right is also necessary for this account.
>
> I don't know why I missed that. I'll roll 0.1.6 soon. Thanks.
>
>> What also doesn't work well is this: In a domain I might want a
>> cyg_server domain account, rather than a local account on each
>> machine. The reason is that the rights of the domain account can
>> be nicely controlled via group policy. That won't work for local
>> accounts on the domain member machines. Therefore, if a cyg_server
>> account exists in /etc/passwd, I think it should be used.
>
> I'm afraid I have no access to a domain account on which I can test this
> sort of thing (I mean, I /do/ have a domain account at work, but I can't
> experiment with adding new domain accounts, nor manipulate their
> privileges.)
> [...]
> I imagine you are suggesting that the following loop:
>
>   for username in cyg_server cron_server sshd_server
>   do
>     if net user "${username}" 1> /dev/null 2>&1
>     then
>       [ -z "${first_account}" ] && first_account="${username}"
>       accounts="${accounts}'${username}' "
>     fi
>   done
>
> Should be modified somehow, perhaps (UNTESTED):
>
>   for username in cyg_server cron_server sshd_server
>   do
>     if egrep "^${username}:" /etc/passwd 1>/dev/null 2>&1 ||
>        net user "${username}" 1> /dev/null 2>&1
>     then
>       [ -z "${first_account}" ] && first_account="${username}"
>       accounts="${accounts}'${username}' "
>     fi
>   done

Along these lines, yes.

I also think that using the cyg_server/cron_server/sshd_server account
should be preferred over SYSTEM on XP and earlier systems, at least if
they are domain member machines. Maybe simply like this: The test should
run on any OS, but if none of the accounts exists, the fallback for XP
and earlier is SYSTEM. IIUC, that's not quite what
$csih_FORCE_PRIVILEGED_USER is for. Yes? No?

As for creating an account in a domain if it doesn't exist, that's
probably nothing which should be done in the script. If this feature is
used, the domain admins should know what they are doing, I guess.

> However, note that at present there is no provision in csih to "decorate"
> user names with domain information (e.g. username="MyDomain\cyg_server").
> It /might/ work, if you manually set csih_PRIVILEGED_USERNAME that way, but
> I haven't tested it -- and have no way to do so. It would be serendipitous
> at best if that worked. But I'm not sure you really /need/ that -- if the
> privileged domain user is in the active domain of the computer on which you
> want to use that privileged account (e.g. to run sshd)...which I imagine is
> the use case under consideration here...I don't think you really /need/ to
> explicitly specify the domain.

That's not quite correct. When specifying the user running a service,
you have to specify the fully qualified user name. If you just enter
the name w/o domain it fails with a "no such (local) account" sort of
message.

However, assuming the /etc/passwd entry for that user is correct, you
don't need to specify the domain because cygrunsrv translates the Cygwin
username to the Windows domain\username automatically. So, using the
above egrep and using that user should be sufficient.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
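The two points made in the thread, picking the service account by checking /etc/passwd as well as `net user` (with SYSTEM only as the XP-and-earlier fallback), and the fact that the Windows DOMAIN\user name is recoverable from the account's /etc/passwd entry, are illustrated below in an added example. This is not code from csih or from anyone in the thread. It assumes the /etc/passwd layout that `mkpasswd -d` writes (gecos field `U-DOMAIN\user,SID`); the domain name, uids and SIDs in the sample are constructed, and `net user` is replaced by a stub since it only exists on Windows.

```sh
#!/bin/sh
# Added example, not part of csih.  Constructed /etc/passwd sample in the
# layout "mkpasswd -d" produces: field 5 (gecos) is U-DOMAIN\user,SID for
# domain accounts.  MYDOMAIN, the uids and the SIDs are made up.
PASSWD_SAMPLE='SYSTEM:*:18:544:,S-1-5-18::
Administrators:*:544:544:,S-1-5-32-544::
cyg_server:unused:11110:10513:U-MYDOMAIN\cyg_server,S-1-5-21-1111111111-2222222222-3333333333-1105:/home/cyg_server:/bin/bash
alice:unused:11111:10513:U-MYDOMAIN\alice,S-1-5-21-1111111111-2222222222-3333333333-1106:/home/alice:/bin/bash'

# A passwd file with none of the candidate accounts, for the fallback paths.
PASSWD_NO_CANDIDATES='alice:unused:11111:10513:U-MYDOMAIN\alice,S-1-5-21-1111111111-2222222222-3333333333-1106:/home/alice:/bin/bash'

# Stand-in for "net user NAME" (Windows only): succeed if NAME is in this
# constructed list of local accounts.
LOCAL_ACCOUNTS="Administrator Guest sshd_server"
net_user_exists() {
    for _a in $LOCAL_ACCOUNTS; do
        [ "$_a" = "$1" ] && return 0
    done
    return 1
}

# Exact-match lookup of the passwd line for user $1 in passwd text $2.
passwd_line_for() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print; exit }'
}

# Pick the privileged service account.  $1: passwd text, $2: "xp" for XP and
# earlier, anything else for Vista and later.  The first candidate found in
# /etc/passwd (covers domain accounts) or as a local account wins; SYSTEM is
# returned only on XP and earlier; otherwise nothing, exit status 1.
pick_privileged_user() {
    _passwd="$1"; _os="$2"
    for _u in cyg_server cron_server sshd_server; do
        if [ -n "$(passwd_line_for "$_u" "$_passwd")" ] || net_user_exists "$_u"; then
            printf '%s\n' "$_u"
            return 0
        fi
    done
    if [ "$_os" = "xp" ]; then
        printf '%s\n' SYSTEM
        return 0
    fi
    return 1
}

# Map a Cygwin user name ($1) to the Windows name via the gecos field of
# passwd text $2: U-DOMAIN\user,SID yields DOMAIN\user; entries without the
# U- prefix are local and are returned unchanged; unknown names fail.
windows_name_for() {
    _line=$(passwd_line_for "$1" "$2")
    [ -n "$_line" ] || return 1
    _gecos=$(printf '%s\n' "$_line" | cut -d: -f5)
    case $_gecos in
        U-*) printf '%s\n' "$_gecos" | sed -e 's/^U-//' -e 's/,S-.*$//' ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# Usage (matches what the test below asserts):
#   pick_privileged_user "$PASSWD_SAMPLE" xp          -> cyg_server
#   pick_privileged_user "$PASSWD_NO_CANDIDATES" xp   -> sshd_server (via net user stub)
#   windows_name_for cyg_server "$PASSWD_SAMPLE"      -> MYDOMAIN\cyg_server
```

The selection order mirrors the loop quoted in the mail; the difference from the original `net user`-only test is that a domain account that only shows up in /etc/passwd is accepted, and SYSTEM is never chosen on Vista or later, where the script has to refuse rather than fall back.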