Date: Mon, 25 Jan 2010 12:03:28 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: Why you can't load ws2_32.dll (was Re: Can't use key authentication on x64 Server 2003 R2)
Message-ID: <20100125110328.GJ2402@calimero.vinschen.de>
In-Reply-To: <4B5CE93D.9050603@eburg.com>

On Jan 24 16:43, Gordon Messmer wrote:
> On 01/08/2010 06:59 AM, Corinna Vinschen wrote:
> >I can't reproduce this one, but I can reproduce the other problem
> >with pubkey authentication reported in this thread:
> ...
>
> I appreciate the time you took to explain this problem.  I've been
> working on it for a while, and still can't get it right.
>
> >If you're running in a domain, then the account running the sshd service
> >must be a member of the domain as well.  Instead of creating a local
> >cyg_server account, you must create a domain account called cyg_server
> >with the specific rights required to create a user token, add it to the
> >/etc/passwd file of the machine on which you want to install sshd, and
> >*then* run ssh-host-config on that machine.
>
> I've created a "cyg_server" account on my domain controller and
> added it to the password file using:
>
>   mkpasswd -d -u cyg_server >> /etc/passwd
>
> First I tried granting the required permissions manually in the
> domain policy.  When that didn't work, I used "editrights" as in
> cygwin-service-installation-helper.sh to set the rights in the local
> policy.  As far as I can tell, I get identical results.
>
> Rights during my most recent test were:
>
>   $ editrights.exe -l -u cyg_server
>   SeAssignPrimaryTokenPrivilege
>   SeCreateTokenPrivilege
>   SeTcbPrivilege
>   SeServiceLogonRight
>   SeDenyRemoteInteractiveLogonRight

The cyg_server user is hopefully in the Administrators group...

Here's what I did.  I created cyg_server as admin account in the domain,
then I created a global policy which adds the cyg_server user to the
following user rights:

  Act as part of the operating system (SeTcbPrivilege)
  Create a token object (SeCreateTokenPrivilege)
  Replace a process level token (SeAssignPrimaryTokenPrivilege)

At last I made sure the global policy gets propagated to all domain
machines.  That's all.  From this time on I could use the domain
cyg_server user on all my domain member machines, assuming I added it
to /etc/passwd before starting ssh-host-config.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
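
An added example (not part of the original message or of Cygwin's own scripts): a small shell check that takes an `editrights -l -u cyg_server` listing and reports which of the three user rights named in the reply are missing, and confirms the account has an /etc/passwd entry before ssh-host-config is run. The function names, the sample listings, and the assumption that the listing may carry CRLF line ends are all constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are hypothetical.
# The three user rights listed in the reply above.
REQUIRED_RIGHTS="SeTcbPrivilege SeCreateTokenPrivilege SeAssignPrimaryTokenPrivilege"

# missing_rights LISTING
# Prints every required right that is absent from LISTING, one per line.
# Prints nothing when all three are present.
missing_rights() {
    # Normalise: drop CRs (assumed possible from a native Windows tool)
    # and strip surrounding whitespace so whole-line matching is exact.
    listing=$(printf '%s\n' "$1" | tr -d '\r' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    for right in $REQUIRED_RIGHTS; do
        printf '%s\n' "$listing" | grep -qxF "$right" || printf '%s\n' "$right"
    done
}

# passwd_has_user FILE USER
# Succeeds when FILE contains a passwd entry whose first field is USER.
passwd_has_user() {
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# Constructed sample 1: the listing quoted in the thread.
SAMPLE_FULL=$(printf '%s\r\n' SeAssignPrimaryTokenPrivilege \
    SeCreateTokenPrivilege SeTcbPrivilege SeServiceLogonRight \
    SeDenyRemoteInteractiveLogonRight)
# Constructed sample 2: same account with one right not applied.
SAMPLE_PARTIAL=$(printf '%s\r\n' SeAssignPrimaryTokenPrivilege \
    SeTcbPrivilege SeServiceLogonRight)

# On a Cygwin host, check the live account; elsewhere this is skipped.
if command -v editrights >/dev/null 2>&1; then
    missing=$(missing_rights "$(editrights -l -u cyg_server)")
    if [ -n "$missing" ]; then
        echo "cyg_server lacks: $missing"
    else
        echo "cyg_server holds all three user rights"
    fi
    passwd_has_user /etc/passwd cyg_server ||
        echo "cyg_server has no /etc/passwd entry; add it before ssh-host-config"
fi
```

Running the check on each domain member after the policy has propagated shows whether the rights actually arrived on that machine.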