Subject: Re: Difficulty setting up domain SSH daemon under Domain Security Policies
From: Christoph Herdeg
To: cygwin AT cygwin DOT com
Cc: "Hunter, Bryan"
Date: Wed, 21 Jul 2010 09:33:13 +0200

Hi Bryan,

The local security policy is overwritten in all aspects that are configured in the Default Domain Policy or any other GPOs that are used against the same Active Directory objects (forests, sites, domains, OUs).

You need to create the cyg_server account within Active Directory Users & Computers and set up the Default Domain Policy to push the correct permissions to that user. You may need to put the account into a security group having administrative permissions on the local Domain Member machines.

You need to set up /etc/passwd and /etc/groups on the local Domain Member machines to include the users and groups from your domain (mkpasswd and mkgroup used with the according parameters).

You need to call ssh-host-config, e.g. like this:

    ssh-host-config -y -c "tty ntsec" -u "Domain\cyg_server" --privileged

SSHD should work that way...

Best Regards,
Chris


From: "Hunter, Bryan"
Date: 20.07.2010 23:36
Subject: Difficulty setting up domain SSH daemon under Domain Security Policies

The SSHD service is successfully running under the local cyg_server userid set up by ssh-host-config. Public key authentication is working. It is running on a Windows 2003 Server with Domain Security Policies being pushed down from the domain server. Using the Windows GUI, access to change the local security settings is greyed out. After replication or some time passing, the cyg_server settings disappear from the local security settings. If running, the sshd service continues to work. If there is a need to restart the service, then the following procedure works:

1. Stop the service
2. Delete the service
3. Delete the cyg_server userid
4. Rerun ssh-host-config
5. Restart the service

I am trying to set up access to the entire domain, and to that end tried creating a domain userid with various policies to run the service. When this userid propagates, it does not appear to propagate the "Create a token object" policy. When I run ssh-host-config and specify the new userid, I get a message that the userid has insufficient permissions. Indeed, it does not work.

I am not sure which way to look at this, but can anyone provide some direction? Here are some points as I see them.

1. The ssh-host-config program doesn't say what permissions are inadequate. Is there a specific list of what is needed?
2. Is there a way to force ssh-host-config to create the permissions? It seems that it will only create permissions when creating a fresh new setup.
3. If the local security policies are indeed being overwritten and the create token object doesn't propagate, then it looks like some additional process is needed to recreate the privileges?

Is there a different way of going about this? Would it make any sense to install SSH on the domain controller itself? Any guidance in this matter would be appreciated.

Best Regards,
Bryan Hunter

[attachment "cygcheck.out" deleted by Christoph Herdeg/Germany/Contr/IBM]

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
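As an added example that is not part of either message: a small Cygwin-side shell check for Bryan's first point (which rights the service account actually ended up with after the GPO replicated). It parses a `secedit /export` policy file and reports which of the user rights ssh-host-config normally grants the sshd account are missing for a given SID or account name. The list of rights is my own understanding of what ssh-host-config assigns and is not stated in the thread; the policy excerpt and the SID are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. On the member server, in a Cygwin shell, the
# real input would be produced with (the export is UTF-16LE, hence the iconv step):
#   secedit /export /cfg policy.inf && iconv -f UTF-16 -t UTF-8 policy.inf > policy.txt
# Rights ssh-host-config grants the service account (my assumption, not from the thread).
REQUIRED_RIGHTS="SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege SeTcbPrivilege SeServiceLogonRight SeIncreaseQuotaPrivilege"

# has_right FILE RIGHT PRINCIPAL: exit 0 if PRINCIPAL (a SID, listed as *S-1-..., or an
# account name) appears for RIGHT in the [Privilege Rights] section of FILE, else exit 1.
has_right() {
    awk -v right="$2" -v who="$3" '
        { sub(/\r$/, "") }                          # tolerate CRLF line endings
        /^\[/ { in_rights = ($0 == "[Privilege Rights]"); next }
        in_rights && $1 == right {
            split($0, kv, "=")
            gsub(/ /, "", kv[2])                    # comma-separated list after "="
            n = split(kv[2], members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == "*" who || members[i] == who) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# missing_rights FILE PRINCIPAL: print each required right PRINCIPAL lacks, one per line.
missing_rights() {
    for r in $REQUIRED_RIGHTS; do
        has_right "$1" "$r" "$2" || echo "$r"
    done
}

# Constructed sample export; the domain cyg_server SID here is S-1-5-21-1000-2000-3000-1105.
SAMPLE_INF=$(mktemp)
trap 'rm -f "$SAMPLE_INF"' EXIT
cat > "$SAMPLE_INF" <<'EOF'
[Privilege Rights]
SeCreateTokenPrivilege = *S-1-5-21-1000-2000-3000-1105
SeTcbPrivilege = *S-1-5-21-1000-2000-3000-1105
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1000-2000-3000-1105
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20
[Version]
signature="$CHICAGO$"
EOF

# Report what the GPO did not deliver for that account.
missing_rights "$SAMPLE_INF" S-1-5-21-1000-2000-3000-1105
```

On a real member server, an empty report for the domain cyg_server SID after replication is the condition under which ssh-host-config stops complaining about insufficient permissions.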