Date: Thu, 21 Feb 2019 11:09:11 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: cygwin 3.0.1-1 breaks my sshd install
Message-ID: <20190221100911.GG4256@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
In-Reply-To: <20190220224340.GC4256@calimero.vinschen.de>

On Feb 20 23:43, Corinna Vinschen wrote:
> On Feb 20 23:36, Corinna Vinschen wrote:
> > On Feb 20 22:49, Houder wrote:
> > > On Wed, 20 Feb 2019 21:27:22, Andy Moreton wrote:
> > >
> > > > I've seen a similar failure, on a domain-joined Windows 10 box running
> > > > cygsshd using a local cyg_server user account. I've fixed it by:
> > > > 1) Open the "Computer Management" app
> > > >    Select "Services and Applications", then "Services", and
> > > >    choose the cygsshd service from the list.
> > > > 2) Stop the service
> > > > 3) Select the "Log On" tab, choose "Local System Account" and click OK.
> > > > 4) Restart the service.
> > > >
> > > > This changed the account reported by "cygrunsrv -VQ" from "./cyg_server"
> > > > to "LocalSystem".
> > >
> > > 64-@@ uname -a
> > > CYGWIN_NT-6.1 Seven 3.0.1(0.338/5/3) 2019-02-20 10:19 x86_64 Cygwin
> > >
> > > First I replaced cygwin1.dll again w/ the last version, as you can see ...
> > >
> > > Then I carried out your instruction ...
> > >
> > > To my surprise it did the trick! Thank you!
> > >
> > > Perhaps Corinna can give a hint of why the modification made the difference.
> >
> > Actually, I can't.  I'm surprised, too, because it still runs
> > fine for me under the cyg_server account.
>
> Actually, maybe I can.
> On second thought there's a quite high
> probability that my AD cyg_server account I'm using for 10 years
> or longer, does not have the same privileges as a cyg_server account
> created via ssh-host-config script.  Maybe it works for me because
> of these extra permissions the account got during years of playing
> around with it.
>
> I guess I have to create another, local cyg_server account via
> ssh-host-config and try the same with that account.
>
> Not having much time tomorrow, but at least on Friday I should
> be able to test this.

I managed it today already but I'm somewhat stumped.

I ran ssh-host-config and let the script install a new local account
"test_server" to use for the sshd service.  I started the service and
tried to login with a local account and it just worked out of the box.

However, when I tried to logon with a domain account, S4U failed since
the local account didn't have enough permissions or so.  The call to
LsaLogonUser failed with STATUS_NOT_SUPPORTED.

So with S4U sshd needs to run under SYSTEM or a privileged domain
account to allow domain accounts to login.

But from my POV S4U is the way to go.  I'm still a bit proud that I
managed to figure the "Create user token from scratch" method out back
in 2001, but I think it's really outdated now and should not be used
anymore.  I'd hate having to enable it again generally.

Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
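
Added example, not part of the original message and not Cygwin project code: the quoted "Log On" tab procedure for the cygsshd service, scripted in PowerShell with a before/after check of the account the service control manager reports. The service name comes from the thread; the function names are hypothetical and an elevated prompt is assumed.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumes the service is registered as "cygsshd" (name from the thread).

function Get-ServiceLogonAccount {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found" }
    $svc.StartName   # the account the service logs on as, e.g. "LocalSystem"
}

function Set-ServiceLogonLocalSystem {
    param([Parameter(Mandatory)][string]$Name)

    $before = Get-ServiceLogonAccount -Name $Name
    if ($before -eq 'LocalSystem') {
        Write-Output "$Name already runs as LocalSystem; nothing to change."
        return
    }

    # Step 2 of the quoted procedure: stop the service first.
    Stop-Service -Name $Name -ErrorAction Stop

    # Step 3: equivalent of choosing "Local System Account" on the "Log On" tab.
    # sc.exe expects "obj=" and its value as two separate arguments.
    & sc.exe config $Name obj= LocalSystem | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Leave the service running under its old account rather than stopped.
        Start-Service -Name $Name
        throw "sc.exe config failed (exit $LASTEXITCODE); account is still '$before'"
    }

    # Step 4: restart, then confirm what the service control manager reports.
    Start-Service -Name $Name -ErrorAction Stop
    $after = Get-ServiceLogonAccount -Name $Name
    Write-Output "$Name logon account: '$before' -> '$after'"
}

Set-ServiceLogonLocalSystem -Name 'cygsshd'
```

The previous account name is printed so the change can be reverted; restoring a non-system account through sc.exe also requires that account's password.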