From: Gordon Messmer
Date: Sun, 24 Jan 2010 16:43:41 -0800
To: cygwin AT cygwin DOT com
Subject: Re: Why you can't load ws2_32.dll (was Re: Can't use key authentication on x64 Server 2003 R2)

On 01/08/2010 06:59 AM, Corinna Vinschen wrote:
> I can't reproduce this one, but I can reproduce the other problem
> with pubkey authentication reported in this thread: ...

I appreciate the time you took to explain this problem. I've been working on it for a while, and still can't get it right.

> If you're running in a domain, then the account running the sshd service
> must be a member of the domain as well. Instead of creating a local
> cyg_server account, you must create a domain account called cyg_server
> with the specific rights required to create a user token, add it to the
> /etc/passwd file of the machine on which you want to install sshd, and
> *then* run ssh-host-config on that machine.

I've created a "cyg_server" account on my domain controller and added it to the password file using:

  mkpasswd -d -u cyg_server >> /etc/passwd

First I tried granting the required permissions manually in the domain policy.
When that didn't work, I used "editrights" as in cygwin-service-installation-helper.sh to set the rights in the local policy. As far as I can tell, I get identical results. Rights during my most recent test were:

  $ editrights.exe -l -u cyg_server
  SeAssignPrimaryTokenPrivilege
  SeCreateTokenPrivilege
  SeTcbPrivilege
  SeServiceLogonRight
  SeDenyRemoteInteractiveLogonRight

> If you did that, the ssh-host-config script will note that such an
> account exists in /etc/passwd and will offer to use that account for the
> sshd service.

Hopefully I did something as simple as adding the account to the password file incorrectly. When I run ssh-host-config, I get the following warning:

  *** Warning: cyg_server is in /etc/passwd, but the local
  *** Warning: machine's SAM does not know about cyg_server.
  *** Warning: Perhaps cyg_server is a pre-existing domain account.
  *** Warning: Continuing, but check if this is ok.

Regardless, I can use the account and sshd will run. When I log in with a password, I get a shell, but I see this warning:

  1 [main] sshd 2724 spawn_guts: CreateWindowStation failed, Win32 error 5

If I log in with a key, the server just drops the connection. The (Linux) client reports:

  Connection closed by 192.168.99.6

The server's event log indicates:

  The description for Event ID ( 0 ) in Source ( sshd ) cannot be found.
  The local computer may not have the necessary registry information or
  message DLL files to display messages from a remote computer. You may
  be able to use the /AUXSOURCE= flag to retrieve this description; see
  Help and Support for details. The following information is part of the
  event: sshd: PID 6632: fatal: seteuid 11287: Permission denied.

The event viewer indicates that the user is DOMAIN\cyg_server, which is the same username that appears in the Local Security Settings admin tool.

Does anyone have any specific advice for using a domain member account (DOMAIN\cyg_server) to run sshd?
Without that, it seems I can't run Cygwin 1.7's sshd with key authentication.