Date: Fri, 8 Jan 2010 13:58:51 -0500
Subject: Re: Why you can't load ws2_32.dll (was Re: Can't use key authentication on x64 Server 2003 R2)
From: Greg Fury
To: cygwin AT cygwin DOT com

Thank you for the quick and comprehensive response!  When troubleshooting
Windows, I feel like I have blinders on.  Thanks for opening my eyes.

I will give this technique a try.

-Greg

On Fri, Jan 8, 2010 at 9:59 AM, Corinna Vinschen wrote:
>
> > linux$ ssh user@host1-w2k3 pwd
> >       20 [main] sshd 244 D:\cygwin-1.7\usr\sbin\sshd.exe: *** fatal
> > error - could not load user32, Win32 error 1114
>
> I can't reproduce this one, but I can reproduce the other problem
> with pubkey authentication reported in this thread:
>
>   # ssh foo@bar
>   Last login: [...]
>           1 [main] -bash 6832 C:\cygwin\bin\bash.exe: *** fatal error -
>   couldn't dynamically determine load address for 'WSAGetLastError'
>   (handle 0xFFFFFFFF), Win32 error 126
>   Connection to bar closed.
>
> The problem is this:
>
> If you're running in a domain, then the account running the sshd service
> must be a member of the domain as well.  Instead of creating a local
> cyg_server account, you must create a domain account called cyg_server
> with the specific rights required to create a user token, add it to the
> /etc/passwd file of the machine on which you want to install sshd, and
> *then* run ssh-host-config on that machine.
>
> If you did that, the ssh-host-config script will note that such an
> account exists in /etc/passwd and will offer to use that account for the
> sshd service.
>
> Ok, back to square one.  Assume you're using a local cyg_server account,
> and you're using the default method of switching the user context
> without password according to Method 1(*).  That means, Cygwin has to
> create a user token from scratch.
>
> Now you try to ssh into the machine with a domain account.  cyg_server
> is a local machine account.  Thus it is not known to the DC.  However,
> the incoming ssh connection requests a logon for a domain account.
>
> To be able to create a matching user token, sshd has to access the DC
> and fetch the user information for that account.  But the DC doesn't
> know the cyg_server account under which the calling process is running,
> so it refuses to deliver the information for security reasons.
>
> So cyg_server gets no information about that account.  It has to fall
> back to the information in /etc/passwd and /etc/group.  From that it
> constructs a crippled user token which only contains the SID of the user
> and the SID of the primary group, plus the well-known SIDs for the LOCAL
> and the INTERACTIVE group.
>
> Now let's have a look into the default permissions of ws2_32.dll on
> a Windows Server 2003:
>
>   $ cacls C:/WINDOWS/system32/ws2_32.dll
>   C:\WINDOWS\system32\ws2_32.dll BUILTIN\Users:R
>                                  BUILTIN\Power Users:R
>                                  BUILTIN\Administrators:F
>                                  NT AUTHORITY\SYSTEM:F
>
> Oh, too bad.  None of these groups is in the user token of the just
> logged on user.  Bingo.
>
> So, bottom line is, the most important thing to keep in mind is that you
> must use a domain cyg_server account to run sshd under, to be able to
> correctly log on with domain accounts using password-less logon Method 1(*).
> Additionally you have to create a domain policy so that the special
> permissions required to create a user token(*) are propagated to the
> machines which are supposed to run sshd.  Fortunately, since that's how
> domains work, you only have to do this once on the DC.
>
> Nevertheless, having said that, I'm wondering if we should always add
> the local BUILTIN\Users group to a user token, if we failed to fetch the
> user information from the DC...
>
>
> HTH,
> Corinna
>
>
> (*) http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
>
>
> --
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Project Co-Leader          cygwin AT cygwin DOT com
> Red Hat
>
> --
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>

--
-Greg
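The token-versus-ACL mismatch Corinna walks through above, reproduced as an added example (this is not code from the thread, from Cygwin, or from its sshd packaging). It reads the real DACL of ws2_32.dll on the machine it runs on, compares it against a token whose group SIDs are constructed from Corinna's description (user SID, primary group SID, LOCAL, INTERACTIVE), and then repeats the check with BUILTIN\Users added, which is the change she muses about at the end of the mail. It also reports which account the sshd service runs under, so you can see at a glance whether it is a local or a domain account. The domain SIDs are placeholders, and the service name "sshd" is an assumption:

```powershell
# Added example, not code from the thread or from Cygwin. The DACL is read
# from the live ws2_32.dll; the "crippled" token below is constructed to
# mirror what the mail describes. Domain SIDs are placeholders, not real
# accounts.

$DllPath = Join-Path $env:SystemRoot 'System32\ws2_32.dll'

# Well-known SIDs (documented Windows constants).
$LocalSid       = 'S-1-2-0'        # LOCAL
$InteractiveSid = 'S-1-5-4'        # NT AUTHORITY\INTERACTIVE
$UsersSid       = 'S-1-5-32-545'   # BUILTIN\Users

# Constructed: a token built only from /etc/passwd and /etc/group, i.e. what
# sshd ends up with when the DC will not answer a local cyg_server account.
$CrippledToken = @(
    'S-1-5-21-1111111111-2222222222-3333333333-1105'   # hypothetical domain user
    'S-1-5-21-1111111111-2222222222-3333333333-513'    # its primary group (Domain Users, RID 513)
    $LocalSid
    $InteractiveSid
)

function Test-ReadExecuteAccess {
    # $true if the SIDs in $TokenSids are granted Read & Execute by $Acl
    # (roughly what mapping a DLL image needs), honouring Deny ACEs.
    param(
        [Parameter(Mandatory)][string[]]$TokenSids,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemSecurity]$Acl
    )
    $need    = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $granted = 0
    $denied  = $false
    # Ask for the rules keyed by SID so they compare against raw SID strings.
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($TokenSids -notcontains $ace.IdentityReference.Value) { continue }
        $bits = [int]$ace.FileSystemRights -band $need
        if ($bits -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { $denied = $true }
        else { $granted = $granted -bor $bits }
    }
    return (-not $denied) -and (($granted -band $need) -eq $need)
}

function Get-SshdLogonAccount {
    # Which account the sshd service runs under, and whether it is local
    # (".\name" or "<machine>\name") rather than a domain account. The
    # service name "sshd" is assumed; `cygrunsrv -L` lists what is installed.
    param([string]$ServiceName = 'sshd')
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { return $null }
    $local = $svc.StartName -match ('^(\.|{0})\\' -f [regex]::Escape($env:COMPUTERNAME))
    [pscustomobject]@{ Service = $svc.Name; Account = $svc.StartName; LocalAccount = $local }
}

$acl = Get-Acl -LiteralPath $DllPath

'DACL on {0}:' -f $DllPath
$acl.Access | Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize

'Crippled token can load it: {0}' -f (Test-ReadExecuteAccess -TokenSids $CrippledToken -Acl $acl)
'With BUILTIN\Users added:   {0}' -f (Test-ReadExecuteAccess -TokenSids ($CrippledToken + $UsersSid) -Acl $acl)

'sshd service account:'
Get-SshdLogonAccount | Format-List
```

On a default install the first check comes back False and the second True, which is the whole story of error 126/1114 in one screen: nothing in the stripped-down token matches BUILTIN\Users, Power Users, Administrators or SYSTEM, so the image cannot be opened. To see the token a real session gets rather than the constructed one, run `whoami /groups` inside the ssh session and feed those SIDs to Test-ReadExecuteAccess instead. If Get-SshdLogonAccount reports LocalAccount = True on a domain-joined host, that is the configuration Corinna says to change.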