X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Wed, 24 Jun 2009 11:24:56 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: [1.7] sshd dc problem
Message-ID: <20090624092456.GD7289@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <6910a60906220848l6470a9cl44094f8bd93555ea AT mail DOT gmail DOT com> <20090623100826 DOT GG5039 AT calimero DOT vinschen DOT de> <6910a60906240145i5a95cba9s948b181158a960e9 AT mail DOT gmail DOT com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <6910a60906240145i5a95cba9s948b181158a960e9@mail.gmail.com>
User-Agent: Mutt/1.5.19 (2009-02-20)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
Sender: cygwin-owner AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Jun 24 10:45, Reini Urban wrote:
> 2009/6/23 Corinna Vinschen:
> > On Jun 22 17:48, Reini Urban wrote:
> >> I should be able to login with pubkey to my box with sshd when windows
> >> lets me in also.
> >
> > That's easier said than done.
> >
> > Apparently your laptop is configured to allow using cached credentials
> > which are used by the machine if it can't connect to a DC.  The token
> > information (groups/privileges) is also cached somewhere in a
> > non-documented storage.  Whatever Windows is using, it's not accessible
> > for Cygwin.  At least I don't know how to do it.
>
> Is it possible to detect that one is logged in with a cached
> credential at least?

I don't know.  I don't think so.  And even then there's the problem that
more than one user session can be active, so you would have to find the
right one first.  Hmm.

Come to think of it, what Cygwin could try starting with Windows XP is
to use Terminal Service functions to see if the user is already logged
in, and if so, use that user's token for the setuid call.  I never tried
that before, so I don't know if that works as desired.  Anyway, that's
something to try for a later version of Cygwin.

> Then the failing initgroups DcGetDcName(PDC_REQUIRED) can be made non-fatal.
> Or maybe there's a PDC_OPTIONAL

I'm not requiring the PDC, at least post-NT4.  The function calls
DsGetDcNameW asking for any DC.  If that fails, it just tries it again
with the DS_FORCE_REDISCOVERY flag.

> > So, for the time being, the workaround to get a user token is thus:
> >
> > 1. I'll patch Cygwin to ignore the fact that the group information
> >    couldn't be fetched from the server.
>
> Great!
>
> > 2. Either you're happy with a restricted token,
>
> Restricted token is okay for me.

It's *very* restricted.  It only contains the barest groups, plus
"Users" and your primary domain group as set in /etc/passwd.  If you
need more supplementary groups, you have to add yourself to the
respective /etc/group entries.

> >    or you use the new logon
> >    method 3 as described in
> >    http://cygwin.com/1.7/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
> >    This results in getting a token right from Windows based on the
> >    cached credentials.
>
> I'll try password auth then, thanks

Using password auth doesn't solve the initgroups problem, unfortunately.
You'll still need the aforementioned patch to Cygwin.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
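As an added diagnostic (not Cygwin's code and not part of the thread), the PowerShell below performs the same DC lookup sequence Corinna describes for initgroups: ask for any DC, retry once with DS_FORCE_REDISCOVERY, and treat a final failure as non-fatal so the caller can carry on with the restricted, locally known group set. It assumes a domain-joined Windows host; the class name DsLocator and the function name Find-DomainController are my own.

```powershell
# Added example: mirrors Cygwin's DsGetDcNameW call sequence as a host check.
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class DsLocator {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct DOMAIN_CONTROLLER_INFO {
        public string DomainControllerName; public string DomainControllerAddress;
        public uint DomainControllerAddressType; public Guid DomainGuid;
        public string DomainName; public string DnsForestName; public uint Flags;
        public string DcSiteName; public string ClientSiteName;
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern uint DsGetDcNameW(string computer, string domain,
        IntPtr domainGuid, string site, uint flags, out IntPtr info);
    [DllImport("netapi32.dll")]
    public static extern uint NetApiBufferFree(IntPtr buffer);
}
'@
Add-Type -TypeDefinition $sig

function Find-DomainController {
    param($Domain = $null)   # $null = the machine's own domain (NULL pointer to the API)
    $DS_FORCE_REDISCOVERY = 0x1
    $ptr = [IntPtr]::Zero
    # First try: any DC is fine, and the locator may answer from its cache.
    $rc = [DsLocator]::DsGetDcNameW($null, $Domain, [IntPtr]::Zero, $null, 0, [ref]$ptr)
    if ($rc -ne 0) {
        # Second try: force the locator to rediscover instead of trusting a stale cache.
        $rc = [DsLocator]::DsGetDcNameW($null, $Domain, [IntPtr]::Zero, $null,
                                        $DS_FORCE_REDISCOVERY, [ref]$ptr)
    }
    if ($rc -ne 0) {
        # Non-fatal, like the patched initgroups: report the Win32 error
        # (1355 = ERROR_NO_SUCH_DOMAIN when no DC is reachable, e.g. a laptop
        # logged on with cached credentials) and let the caller continue.
        return [pscustomobject]@{ Reachable = $false; Win32Error = $rc; DomainController = $null }
    }
    try {
        $info = [Runtime.InteropServices.Marshal]::PtrToStructure($ptr, [DsLocator+DOMAIN_CONTROLLER_INFO])
        return [pscustomobject]@{ Reachable = $true; Win32Error = 0;
                                  DomainController = $info.DomainControllerName;
                                  Domain = $info.DomainName }
    } finally {
        [void][DsLocator]::NetApiBufferFree($ptr)   # output buffer must be freed with NetApiBufferFree
    }
}

Find-DomainController | Format-List
```

Run it on the affected laptop both on and off the corporate network: a Reachable=false result off-network is exactly the situation in which Cygwin can only build the restricted token from /etc/passwd and /etc/group.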