Date: Thu, 23 Jul 2015 00:46:27 +0300
From: Andrey Repin
Reply-To: cygwin AT cygwin DOT com
Message-ID: <341710545.20150723004627@yandex.ru>
To: Jarek , cygwin AT cygwin DOT com
Subject: Re: Cygwin ssh and Windows authentication

Greetings, Jarek!

>>>>> So why are they not needed as your comment doesn't really explain that

>>>> Read 1.7.35 changelog.
>>>> In short, username resolution was completely reworked, thanks to Corinna, and
>>>> Cygwin now directly addresses domain controllers for it.

>>> OK so it addresses DCs to check some settings or privileges. I don't
>>> suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?'

>> Indirectly, that can be done, i.e., by including a user in "SSH" group and
>> allow only "DOMAIN+SSH" group to authorize on server.

> I assume the group name is arbitrary and can be named anything.

Of course. I have a generic "RemoteUsers" group for all users that are allowed
remote access (VPN, SSH, etc.)

> I went through local rights on my sshserver and I see the Everyone, and
> Users local groups have Allow to access this computer via network.
> I take it the 'Act as part of the OS','Create a token object' and
> 'Replace a process level token' rights are only for the account running
> the sshd service.

Yes, these are only used by the service itself, and not propagated to the users
connected.

>> Verbose logging from both client and server may give some insight, too.

> Here is what I get from the logs on the client when attempting to
> connect with WinSCP

Try using only username to login. Without domain prefix.
And disable other auth mechanics while you are testing; namely, I see it trying
GSSAPI, which wouldn't work unless explicitly configured and allowed.

Please attach long listings as files or provide links to a pastebin service of
your choice.

--
With best regards,
Andrey Repin
Thursday, July 23, 2015 00:42:20

Sorry for my terrible English...