X-Recipient: archive-cygwin AT delorie DOT com X-SWARE-Spam-Status: No, hits=-4.0 required=5.0 tests=AWL,BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,KHOP_RCVD_TRUST,KHOP_THREADED,RCVD_IN_DNSWL_LOW,RCVD_IN_HOSTKARMA_YE X-Spam-Check-By: sourceware.org MIME-Version: 1.0 In-Reply-To: References: Date: Tue, 29 May 2012 12:41:23 +1000 Message-ID: Subject: Re: Seteuid "operation not permitted" error when using LSA for sshd From: Mark Pattie To: cygwin AT cygwin DOT com Content-Type: text/plain; charset=ISO-8859-1 X-IsSubscribed: yes Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id q4T2fn42003517 I have now removed Cygwin completely from the server and reinstalled. I am using the default service account that Cygwin creates for sshd (cyg_server), removed the "create a token object" permission for this account and configured the LSA package but have the same problem. Any advice on troubleshooting this issue further or any insight would be great. Thanks, Mark On Mon, May 28, 2012 at 10:10 AM, Mark Pattie wrote: > Thanks for responding so quickly. > > In the security log I can see it has been assigned the privilege > SeTcbPrivilege. Security log entry: > > Special privileges assigned to new logon. > > Subject: > Security ID: BUILDSERVER\cygwin_sshd > Account Name: cygwin_sshd > Account Domain: BUILDSERVER > Logon ID: 0x12c1c4 > > Privileges: SeAssignPrimaryTokenPrivilege > SeTcbPrivilege > SeSecurityPrivilege > SeTakeOwnershipPrivilege > SeLoadDriverPrivilege > SeBackupPrivilege > SeRestorePrivilege > SeDebugPrivilege > SeSystemEnvironmentPrivilege > SeImpersonatePrivilege > > In User Rights Assignment it has the following privileges: > > Act as part of the operating system > Adjust memory quotas for a process > Logon as a service > Replace a process level token > > Thanks, > Mark > > >>Does the account have TCB rights? That's required to run LSA auth. >>Same for method 3, btw. >> >> >>Corinna >> >>-- >>Corinna Vinschen Please, send mails regarding Cygwin to >>Cygwin Project Co-Leader cygwin AT cygwin DOT com >>Red Hat >> >>On Fri, May 25, 2012 at 10:15 AM, Mark Pattie wrote: >> Hi all, >> >> I have installed Cygwin and am running sshd successfully. The >> permission required for the sshd service account "create a token >> object" is not permitted to be granted to any accounts in my >> organization. As such I have decided to use LSA based on Method 2 on >> the following page: http://cygwin.com/cygwin-ug-net/ntsec.html. >> >> I had succesfully tested ssh authentication with a public/private >> certificate pair prior to running /usr/bin/cyglsa-config to install >> LSA. I ran the script, removed the "create a token object" permission >> and rebooted the server. Now I cannot authenticate using the >> public/private keys. I receive the following error in the Windows >> event log: >> >> sshd: PID 2780: fatal: seteuid 1003: Operation not permitted >> >> When I add the permission back to the service account and restart sshd >> the public/private key authentication works again >> >> Any help would be great >> >> Thanks, >> Mark -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple