Date: Tue, 21 Apr 2009 17:31:41 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: [openssh] service with domain user
Message-ID: <20090421153141.GI8722@calimero.vinschen.de>
User-Agent: Mutt/1.5.19 (2009-02-20)

On Apr 21 14:56, Julio Costa wrote:
> Hi Cygwinners,
>
> I've been struggling with an openssh installation in a test
> environment, with the following characteristics:
> 1) Host is a Windows 2003 sp2; so, privsep is enforced;
> 2) Installation of cygwin made with a domain user (local admin);
> 3) Main objective of sshd: file transfers and remote shell for either
> domain users (regular or admin) and local users (restricted only);
>
> After many tries and tests, I've come to the conclusion that for
> achieving 3), the sshd daemon should run with a domain user; no
> problem, we allocated one for that purpose.
> But now I can't make ssh(d) work correctly. I used the "trick" of
> adding the domain user to passwd and renaming it to cyg_server, and
> indeed the service got installed with the correct domain user, no
> questions asked (thanks, Corinna!).
> But that's the end of the story.
> I can't make ssh work, and typically the message I see in logs is like
> this: "sshd: PID 3572: fatal: seteuid 18606: Permission denied"
>
> I thought that the correct permissions/privileges were assigned in the
> ssh-host-config... isn't that so? How do I find what is missing?
No, ssh-host-config can only set the user rights for the local account, and it only does so if it has been asked to create the account. If you pre-create the account (as you have to do if you use a domain account), you're responsible for giving it the necessary rights yourself.

I, for one, created a cyg_server account using ssh-host-config on the domain controller, then created a domain policy to propagate the necessary permissions to other machines in the domain. You can also create the important rights(*) for this user on a per-machine basis using editrights or native Windows tools.

Corinna

(*) Act as part of the operating system,
    Create a token object,
    Replace a process level token,
    Log on as a service

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
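The per-machine route Corinna mentions, as an added example that is not part of the original mail and not the Cygwin project's own script: a small Cygwin shell script that reads the rights an account already holds from `editrights -u USER -l`, compares them with the four rights in the footnote (written as the Windows privilege constants behind those display names), and grants only what is missing with `editrights -u USER -a RIGHT`. The account name cyg_server is an assumption taken from the thread; the comparison is plain text processing, so it can be checked offline against constructed editrights output.

```shell
#!/bin/sh
# Added example, not from the original mail or the Cygwin project: check which
# of the four user rights listed in the footnote an sshd service account is
# missing, and grant them with Cygwin's editrights. The account name cyg_server
# is an assumption (the thread renames the domain user to cyg_server in passwd).

# Windows privilege constants behind the display names in the footnote:
#   Act as part of the operating system  -> SeTcbPrivilege
#   Create a token object                -> SeCreateTokenPrivilege
#   Replace a process level token        -> SeAssignPrimaryTokenPrivilege
#   Log on as a service                  -> SeServiceLogonRight
REQUIRED_RIGHTS="SeTcbPrivilege SeCreateTokenPrivilege SeAssignPrimaryTokenPrivilege SeServiceLogonRight"

# Read the output of `editrights -u USER -l` (one right per line) on stdin and
# print each required right that is absent, one per line. Pure text processing,
# so it can be exercised offline with constructed input.
missing_rights() {
    granted=" $(tr -s '[:space:]' ' ') "
    for r in $REQUIRED_RIGHTS; do
        case "$granted" in
            *" $r "*) ;;          # already granted
            *) echo "$r" ;;       # missing
        esac
    done
}

# Grant every missing right to the given account (default cyg_server).
# Must run from an elevated Cygwin shell on the host where sshd is installed.
grant_missing_rights() {
    user="${1:-cyg_server}"
    if ! command -v editrights >/dev/null 2>&1; then
        echo "editrights not found; run this from a Cygwin shell on the sshd host" >&2
        return 1
    fi
    editrights -u "$user" -l | missing_rights | while read -r right; do
        echo "granting $right to $user"
        editrights -u "$user" -a "$right"
    done
}

# Usage on the sshd host (does nothing here when editrights is unavailable):
# grant_missing_rights cyg_server
```

Running `missing_rights` on the listing before touching anything gives a quick answer to the "how do I find what is missing?" question: an empty result means the account already holds all four rights, and the `seteuid ...: Permission denied` failure has to be looked for elsewhere.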