X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:references:mime-version:content-type:in-reply-to; q=dns; s=
	default; b=WxB9qmJLhV/blX+dETHB/IjL1QyEjf3piYQldaA82DPoOu0E1HCtr
	rKYS7TWyJmJRMR3JYj0xz1vhMVOMIP2N27GnpRLrl9OMgm2aU2+rBWTiZClu0Yg5
	yQVofvO0EllDu+eKLDxzaRDhV9YhYCl0fqcHUbCPgCUdL/5KXuHpRE=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:references:mime-version:content-type:in-reply-to; s=default;
	 bh=LBGA1Aa/sgdBdFfhfhVf94ck6qM=; b=ZqNnjkqOVq1i+DIFeu/q3DQVMUsp
	g0BAoFLYG0brpL8KLLFzO1UKbapH+VQRX2jW3DYeVQeOSvaU1CHMWSjWpwsWWw0T
	YD1WUawBRvlcEcSC9L6EMOlXT2J+VblG9AJeCdRq3fNpkGBx9JnVv5jdSKVRsMdu
	tdkSy8OZHER2VOg=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-100.9 required=5.0 tests=BAYES_00,GOOD_FROM_CORINNA_CYGWIN,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.2 spammy=SSHD, H*F:D*cygwin.com, password, services
X-HELO: mout.kundenserver.de
Date: Wed, 6 Mar 2019 13:35:09 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: can't access remote shares when using ssh with rsa key - passwd -R / set(e)uid / LogonUser is not working as expected
Message-ID: <20190306123509.GQ3785@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <878sxt86kp DOT fsf AT Rainer DOT invalid> <AM6PR07MB5334BEC016F182E1F97F817695730 AT AM6PR07MB5334 DOT eurprd07 DOT prod DOT outlook DOT com> <20190306122816 DOT GP3785 AT calimero DOT vinschen DOT de>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;	protocol="application/pgp-signature"; boundary="8N0TQpGUCeEQshoq"
Content-Disposition: inline
In-Reply-To: <20190306122816.GP3785@calimero.vinschen.de>
User-Agent: Mutt/1.11.3 (2019-02-01)

--8N0TQpGUCeEQshoq
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mar  6 13:28, Corinna Vinschen wrote:
> On Mar  6 10:09, Maayan Apelboim wrote:
> > Well, it doesn't work OK unfortunately, but I'm not sure if I missed so=
mething in the process, or is it just not working properly.
> > I'm a bit worried to upgrade to 3.0.2 at the moment cause it's a major =
version and will probably have new bugs that I wouldn't want to find in pro=
duction.
> >=20
> > Assuming we will eventually upgrade to latest version -=20
> > My sshd service is running with domain user cyg_server and we login wit=
h domains users via ssh - is it still OK to switch the sshd service's user =
to local system?
> > Will we still be able to login with domain users via ssh?
>=20
> Yes, that's the idea.  The new method using the official S4U logon
> technique runs under the SYSTEM account.  No need to have a special
> cyg_server account with potentially dangerous privileges anymore.
>=20
> > Will it help with my network shares problem?
>=20
> No.  Just like the old techniques using an LSA authentication module
> or creating a user token from scratch, S4U login does not create
> tokens with valid network credentials.  For some weird reason only
> Microsoft knows about, you still need a password login for that.

Btw., that's in no way different when using Microsoft's own SSHD.
They use S4U login as well.  That's where I got the idea, in fact.

> The other method, logging in by stored password, as described in
> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd3 still
> works, though.


Corinna

--=20
Corinna Vinschen
Cygwin Maintainer

--8N0TQpGUCeEQshoq
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEoVYPmneWZnwT6kwF9TYGna5ET6AFAlx/vnwACgkQ9TYGna5E
T6DZsg/8CEoAHFxIRWO5M+PQY7PYj7k8Eeo5e0h7qHtvF9gDtriOGqdM3d8SjuvG
Vs0V/gHpbqPWxGQaUhCldT2XIWK1N1c07vdF8oibr1rvHmoxedOPAGisjC9ZleYb
ttXXOBOyS/xHvf7EJV43RrhPwyk1h7ZrvxOkBc5DC+Etm6RoUXXi+DTKcsn4/4Ys
6dHKka6lGeZwgtrAjzORWrE2A44PKRfGh8yEOdBYXQnRtDVGONaC81sUBif1Gf/g
quuTGZQrReGVF9BIEl7SH3XDQNdlTWRtGVRj2UND+9GofLvBjqVLiMzmhX5ydcbn
LbD1FNvuWP9dGxWe7tuUZZFjBdmEC3APszeSXbxXOeM2RNPMJsmv84V1pf49OwDF
U1EVDSb8mkv5zUlxE637TCvdKB0NvMsy4R7RZAGE06alC/FudC/ZGQUhrJB9CTYC
X3GedE4H8w6J9yr9VvJ9yzz82R1vUBhRRXi6N9eUXFNmQ0GnIUsD0SrqrZ8FY5qj
F1ZNZPQdRBzP6ruIiKcmXy9SLyWDFGYhCxhuEW/2skocpPTpaDBN8cROonKDHwLe
VgzC7TKy5LQ+9g3Qk9YMeJ0rmwKhWY3pc2iegW9VR/d++YTz5iMCJjR9rfm8Adg0
sg/GxGsQq3D+rWOeHeYMnji3lwv/lzTVfngHTJMi9K7CQrcN780=
=TjKF
-----END PGP SIGNATURE-----

--8N0TQpGUCeEQshoq--