Message-ID: <31121-1277385867-470920@sneakemail.com>
Date: Thu, 24 Jun 2010 09:24:26 -0400
From: "Robert Jacobson"
To: cygwin AT cygwin DOT com
Subject: sshd in a domain

I need some help to get sshd working so that when I log in using public-key auth to my domain account (which has local administrator privileges), it actually has the Administrator privs. The platform is Windows XP Pro, joined to a domain.

C. Vinschen already kindly pointed me to the FAQ, here:
http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain
but I think I'm missing something about the setup, or have done it wrong.

I created a domain account, we'll call it "cyg_server" for convenience. I have a GPO that defines the "cyg_server" User Right Assignments so that it can "Act as part of the operating system", "Act as part of the operating system", and "Replace a process level token". I also placed cyg_server in the local Administrators group.

I've confirmed the GPO is applied successfully. The cyg_server account appears in the correct areas when I look at "gpedit.msc".

Where I think I'm failing is the setup for ssh-host-config.
I tried:

  ssh-host-config -u cyg_server -p 'password' --privileged

First, I'm warned that I don't need a privileged account because I'm not running W2k3, Vista, etc. (The FAQ specifically says to use a different account, so this seems contradictory, yes?)

Also, I get:

*** Warning: Privileged account 'cyg_server' was specified,
*** Warning: but it does not have the necessary privileges.
*** Warning: Continuing, but will probably use a different account.
*** Warning: The specified account 'cyg_server' does not have the
*** Warning: required permissions or group memberships. This may
*** Warning: cause problems if not corrected; continuing...

It installed the service, but the service did not start, due to a login failure. I can log in to the account using

  runas /user:domain\cyg_server cmd

just fine. I'm sure the password I specified was correct.

I opened the Service configuration GUI, and just in case, I pasted the password into the proper spot. The GUI responded with (paraphrase) "cyg_server" has been granted the "Logon as a service" right. The service then started successfully.

So, did I miss something, or does that mean the FAQ should include "Logon as a service" in the needed user rights?

In any case, although the service now starts successfully (running under the cyg_server account), when I log in via SSH (either password OR public key), I do NOT have Administrator privileges; i.e. according to the 'id' command, I'm not in group "544(Administrators)". I'm not even in the regular "Users" group!

Obviously I've done something wrong... Help, please!

--
Robert Jacobson
#include std_disclaimer.h