Message-ID: <12322-1304596661-486790@sneakemail.com>
Date: Thu, 5 May 2011 07:57:36 -0400
From: "Robert Jacobson"
To: cygwin AT cygwin DOT com
Subject: Re: sshd in a domain
References: <31121-1277385867-470920 AT sneakemail DOT com>
In-Reply-To: <31121-1277385867-470920@sneakemail.com>

On 6/24/2010 9:24 AM, Robert Jacobson |cygwin/Example Allow| wrote:
> I need some help to get sshd working so that when I login using
> public-key auth to my domain account (which has local administrator
> privileges), it actually has the Administrator privs.
>
> The platform is Windows XP Pro, joined to a domain.
>
> C. Vinschen already kindly pointed me to the FAQ, here:
> http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain
>
> but I think I'm missing something about the setup, or done it wrong.
>
> I created a domain account, we'll call it "cyg_server" for convenience.
>
> I have a GPO that defines the "cyg_server" User Right Assignments so
> that it can "Act as part of the operating system", "Act as part of the
> operating system", and "Replace a process level token". I also placed
> cyg_server in the local Administrators group.
>
> I've confirmed the GPO is applied successfully. The cyg_server account
> appears in the correct areas when I look at "gpedit.msc".
>
> Where I think I'm failing is the setup for ssh-host-config. I tried:
>
> ssh-host-config -u cyg_server -p 'password' --privileged
>
> First, I'm warned that I don't need a privileged account because I'm not
> running W2k3, Vista, etc. (The FAQ specifically says to use a different
> account, so this seems contradictory, yes?)
>
> Also, I get:
> *** Warning: Privileged account 'cyg_server' was specified,
> *** Warning: but it does not have the necessary privileges.
> *** Warning: Continuing, but will probably use a different account.
> *** Warning: The specified account 'cyg_server' does not have the
> *** Warning: required permissions or group memberships. This may
> *** Warning: cause problems if not corrected; continuing...
>
> It installed the service, but the service did not start, due to a login
> failure.
>
> I can login to the account using
> runas /user:domain\cyg_server cmd
> just fine. I'm sure the password I specified was correct.
>
> I opened the Service configuration GUI, and just in case, I pasted the
> password into the proper spot. The GUI responded with (paraphrase)
> "cyg_server" has been granted the "Logon as a service" right.
>
> The service then started successfully. So, did I miss something, or
> does that mean the FAQ should include "Logon as a service" in the needed
> user rights?
>
> In any case, although the service now starts successfully (running under
> the cyg_server account), when I login via SSH (either password OR public
> key), I do NOT have Administrator privileges; i.e. according to the 'id'
> command, I'm not in group "544(Administrators)". I'm not even in the
> regular "Users" group!
>
> Obviously I've done something wrong... Help, please!
>

I'm responding to my own post -- from nearly a year ago -- because I
finally learned how to configure sshd so that I get the right permissions
for my administrator account.

The fix was simple -- I just ran "cyglsa-config" and rebooted. I had no
idea "cyglsa" existed until I tried to get cron working the other day and
saw it in a follow-up post.

The "id" command now shows the exact same output in the console terminal
and when I login via SSH.

I propose that you add this to the FAQ at:
http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain
possibly with a note about the necessity of rebooting after cygwin updates
if you use cyglsa.

Is there some reason (other than the reboot-after-cygwin-update
requirement) that "ssh-host-config" doesn't automatically run
cyglsa-config as well? Or at least warn you that you won't get the right
group membership without it?

-- 
Robert Jacobson

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
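The thread above turns on two things that are easy to get wrong and hard to see: whether the service account actually holds the user rights the FAQ asks for, and whether an SSH session ends up with the same group list as a console session. The script below is an added example for checking both from a Cygwin shell; it is not code from the thread, from Cygwin, or from the FAQ. It assumes the right names are the Windows privilege constants for the rights named in the thread ("Act as part of the operating system" is SeTcbPrivilege, "Replace a process level token" is SeAssignPrimaryTokenPrivilege, "Logon as a service" is SeServiceLogonRight) plus SeCreateTokenPrivilege, which the Cygwin FAQ also lists; the secedit export fragment and the two `id` lines are constructed sample data, not captured from a real host, and the SID is made up.

```shell
#!/bin/sh
# Added example (not from the thread or from Cygwin): two checks for a
# Cygwin sshd service account in a domain.
#   required_rights_missing  parses a "secedit /export" INI fragment and
#                            prints each required right whose SID list
#                            does not contain the service account's SID
#   groups_missing           prints the groups listed by `id` in a console
#                            session that are absent from `id` in an SSH
#                            session (the symptom reported in the thread)
set -u

# Rights named in the thread, as Windows privilege constants, plus
# SeCreateTokenPrivilege, which the Cygwin FAQ also requires.
# Assumption: adjust this list to whatever your FAQ version lists.
REQUIRED_RIGHTS="SeTcbPrivilege SeAssignPrimaryTokenPrivilege SeServiceLogonRight SeCreateTokenPrivilege"

# $1: text of a "secedit /export /cfg file" result (convert it from
#     UTF-16 first, e.g. iconv -f UTF-16 -t UTF-8), $2: SID of the account.
# Lines in the [Privilege Rights] section look like:
#   SeTcbPrivilege = *S-1-5-21-1-2-3-1105,*S-1-5-32-544
required_rights_missing() {
    right= line= members=
    for right in $REQUIRED_RIGHTS; do
        line=$(printf '%s\n' "$1" | grep -i "^${right}[[:space:]]*=" || true)
        # Drop the key, the "*" SID markers and spaces; keep the comma list.
        members=$(printf '%s\n' "$line" | cut -d= -f2- | tr -d ' *')
        case ",$members," in
            *",$2,"*) ;;                    # SID present: nothing to report
            *) printf '%s\n' "$right" ;;    # right absent or SID not listed
        esac
    done
}

# Extract the comma-separated groups= field of an `id` line, one per line.
group_list() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n'
}

# $1: `id` output from a console session, $2: `id` output from the SSH
# session. Prints the entries present in $1 but missing from $2.
groups_missing() {
    group_list "$1" | while IFS= read -r g; do
        [ -n "$g" ] || continue
        if ! group_list "$2" | grep -qxF -- "$g"; then
            printf '%s\n' "$g"
        fi
    done
}

# Constructed sample data (not from a real host). The SID is invented.
SERVICE_SID="S-1-5-21-1-2-3-1105"
SAMPLE_SECEDIT="[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1-2-3-1105,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-21-1-2-3-1105
SeServiceLogonRight = *S-1-5-20"
CONSOLE_ID="uid=1105(rjacobson) gid=10513(Domain Users) groups=10513(Domain Users),544(Administrators),545(Users),11203(Domain Admins)"
SSH_ID="uid=1105(rjacobson) gid=10513(Domain Users) groups=10513(Domain Users)"

echo "Rights not granted to $SERVICE_SID:"
required_rights_missing "$SAMPLE_SECEDIT" "$SERVICE_SID"
echo "Groups present at the console but missing over SSH:"
groups_missing "$CONSOLE_ID" "$SSH_ID"
```

On a real host, feed `required_rights_missing` the converted output of `secedit /export /cfg <file>` run as an administrator, and feed `groups_missing` the `id` line from a console window and the `id` line from an SSH login. If the second check lists 544(Administrators) while the first check is clean, the rights are in place and the remaining difference is how the logon token is built, which is where running cyglsa-config and rebooting, as the thread found, comes in.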