X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Fri, 3 Aug 2012 09:48:58 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Seteuid "operation not permitted" error when using LSA for sshd
Message-ID: <20120803074858.GA27106@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <CAKXb5pJZX7kaz12C1E-GEk7ws7oc2xAxQmr8EaND3KZ3_GzCmg AT mail DOT gmail DOT com> <CAKXb5pJjCBvbj1ZfU8WiEohz2QqW+edUi1Dz6anhELTk2wuZ_g AT mail DOT gmail DOT com> <CAKXb5p+ETsym1MtM3Ev964XN3aTLNMabSfPkSj0KEHE53GGZeg AT mail DOT gmail DOT com> <20120529125057 DOT GD12040 AT calimero DOT vinschen DOT de> <loom DOT 20120801T202919-35 AT post DOT gmane DOT org> <20120802091119 DOT GA12772 AT calimero DOT vinschen DOT de> <loom DOT 20120802T203152-34 AT post DOT gmane DOT org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <loom.20120802T203152-34@post.gmane.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Aug  2 18:39, David Koppenhofer wrote:
> > Why did you install cyglsa64 from the old snapshot?  The changes to
> > cyglsa are supposed to be in the Cygwin 1.7.16 package anyway.
> 
> Because I was grasping for straws, and didn't know the fix was in the current
> package.
> 
> 
> > > I rebooted the server, made sure the sshd service was running, but I still
> > > receive the "sshd: PID 3064: fatal: seteuid 1000: Operation not permitted"
> error.
> > 
> > Does the service account have TCB privileges?  That's a hard requirement
> > for the user switch.
> 
> Ah ha!  The service account does not have the "Act as part of the operating
> system" permission.
> 
> However, I ended up asking the network admin to give "Create a token object" to
> the service account.  Since key authentication started working after that, I'll
> just leave things as they are.

If the restrictions of this mode, especially in terms of network shares,
are no problem for you, that's fine.  Otherwise I'd like to point out
http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple