X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Mon, 11 May 2009 10:08:11 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: ssh, smbntsec, mounted home directory - is it possible
Message-ID: <20090511080810.GW21324@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <4A075F01 DOT 2080103 AT gmail DOT com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4A075F01.2080103@gmail.com>
User-Agent: Mutt/1.5.19 (2009-02-20)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
Sender: cygwin-owner AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On May 11 00:10, Dave Korn wrote:
> Andrew DeFaria wrote:
>
> >> So to recap: I'd like to provide pre-shared key ssh access to a
> >> particular username. I cannot, however, use an SMB shared home directory
> >> for that user without encountering problems with ssh and permissions.
> >>
> >> If the above statement is not true and you have any ideas on how to
> >> achieve these objectives then let me know.
> >>
> > Anybody care to comment or at least acknowledge this issue?
>
>   The above statement is, unfortunately, true.  IIUC, until you can use 1.7
> with the lsa auth plugin (or perhaps this password caching feature, I'm not
> familiar with it), any user logging in by ssh key does not really log in as
> the actual windows user they are trying to be, but impersonates (after some
> fashion - it might not actually be token impersonation in the win32 api sense
> of the word) that user, while actually really being the ssh user underneath.
>
>   I could be wrong.  I hope someone will jump in if I've seriously mis-spoke,
> but I think at least I'm pointing you in the right ball-park.

It's basically correct but it's a bit more complicated for a weird
reason which has to do with how Windows handles logon sessions.  Reading
http://cygwin.com/1.7/cygwin-ug-net/ntsec.html#ntsec-nopasswd1 might
shed some light.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat