DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:references:mime-version:content-type:in-reply-to; q=dns; s=
	default; b=rrcA80W5byTHnhhfg+LVnN3QEji0qfExyCMHj1o18PQyT6l4YlwoG
	Btm68Zmd1oyjac+cw7cpEkWB2+3ndpfe/uvW5T1D0zlnG/aFLPsXQ85E1Zd3ID70
	BXOrJLr9iNgsEnKpjm1SPU3+xqpduLJ5j4cqwrWaaxuRw5us2SMkOY=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Date: Thu, 14 Mar 2019 12:11:27 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: can't access remote shares when using ssh with rsa key - passwd -R / set(e)uid / LogonUser is not working as expected
Message-ID: <20190314111127.GF3785@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <20190313090418 DOT GT3785 AT calimero DOT vinschen DOT de> <AM6PR07MB533433E14C36CC4D12E7EA86954B0 AT AM6PR07MB5334 DOT eurprd07 DOT prod DOT outlook DOT com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;	protocol="application/pgp-signature"; boundary="2W4wSx0jmTCcLO7w"
Content-Disposition: inline
In-Reply-To: <AM6PR07MB533433E14C36CC4D12E7EA86954B0@AM6PR07MB5334.eurprd07.prod.outlook.com>
User-Agent: Mutt/1.11.3 (2019-02-01)

--2W4wSx0jmTCcLO7w
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mar 14 10:41, Maayan Apelboim wrote:
>=20
> When you login with stored password, Cygwin performs the same
> LogonUser call as if you login with password, so the same user token
> is generated.
>=20
> Off the top of my head I don't know why it shouldn't work for you.
> You sure you have the correct password stored?  When you login and
> call `id', what does it print?  Does it contain the "interactive"
> group or the "network" group?  If the latter, then the internal
> LogonUser call performed with stored password failed for some reason.
>=20
>=20
> Corinna
>=20
> --
> Corinna Vinschen
> Cygwin Maintainer
>=20
> -------------------------------------------------------------------------=
--------------
>=20
> Yes, I'm sure I used the correct password, I use it all the time and I
> also tried running passwd -R multiple times in case I entered it
> wrongly.  I'm not sure what are "interactive" & "network" groups - do
> you mean literally groups called network & interactive?  Either way -

Yes.

> I'm always getting a group named "interactive" among other groups -
> either with password ssh or with RSA - never "network" I do have some
> different groups when running id - comparing password ssh and RSA ssh.

If password auth or `passwd -R' auth is used you'll have the
"4(INTERACTIVE)" group in your `id' output.  If S4ULogon is used you'll
have the "2(NETWORK)" group in your `id' output.  This is one way to
identify which logon method has been used.

> Also, when I run mkpasswd -d when I log in with password, it generates
> users from the domain, comparing RSA ssh that generates only a few
> entries unrelated to my domain..

You don't need mkpasswd anymore.  Use `getent passwd' instead.

But... given you're using mkpasswd at all, I wonder if you still
have /etc/passwd and/or /etc/group files.  If so, move them out
of the way and restart your CYgwin processes.  They are not required
and may even result in problems if they have been tweaked.

If you still have these files, removing them is the first thing to
try.

> I think the same as you (also mentioned in the email title :) ) that
> the LogonUser call doesn't work as expected. Is there a way to verify
> it? Any logs I can check?  Would it help if I'll send the different
> groups I'm getting?

Other groups than NETWORK or INTERACTIVE don't matter, as explained
above.  The only reasons I can think of that LogonUser doesn't work is
that your username, domainname, or password are incorrect, or your
account is disabled.  I never saw the call fail for any other reason.

For debugging, you would have to call the sshd service under strace.
That would give a hint.  For that you should change the sshd service
call in the registry so that `/usr/sbin/sshd -D' is replaced with
`/usr/bin/strace -o /tmp/sshd.trace /usr/sbin/sshd -d'.  Note the
lowercase -d, which runs sshd in debug mode.  After the first logon,
sshd will terminate itself automatically.  Afterwards you should send
the /tmp/sshd.trace file here for inspection.  You can obfuscate
sensitive info, but the gist of the file should stay intact.


Corinna

--=20
Corinna Vinschen
Cygwin Maintainer

--2W4wSx0jmTCcLO7w
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEoVYPmneWZnwT6kwF9TYGna5ET6AFAlyKNt8ACgkQ9TYGna5E
T6APeg//Xp9mBZ3HQfMil2V5byYtmjtl3xv25cJnRayb7ezOQVmTGHddiN2dbmNG
GClEJr2FpV25PkFqFY7SnjBLv8aUCCXBZJnkOSU4rt/yNZOTrBycsih14PaNuZfA
SqsupKgLLXuis4nMX6zgG1ob2K55j927t8HEuoPGqgCUgwpIMfdkh3M6SqM9288z
wcQkszTk7MRSLPA7qc/LMMdsMvu4gyS5eh5tEd2olS2E+NeLIYRhN7mrJTlFfdvS
RvvTZMOPSyZOjUHzSCOH7GCVR/HeULbo4sMTH+2qS3yLh2ho6KUZNLN5VJ1WgmUe
wmf3Up6Ugs8XRFm4UhcrMK/cRoZDdBy8nKR7zdnYe62lRRu2kA428cpf5OeFVuSH
ExrSjr6Ycs/5iNH/KEalwkbyjYyf0QvM21LK70FBMYFuUpNxcKdD/V9zebI/TOmh
v9mIBaaUhl8puWofrn+7QCbt6uKygwZv5R+gPjL0KSfFA1GlyG8xWJ3oXITzi3F/
ANA8DhfFL+bxekSrhxLjlUglr3VIvOxLd/GkQkjLcP++ftg0eXi7FPn6lZadcO7o
/CANW1ggXPFH8Hsju68ZFXUmRMoS9dn7hyqiFibiFYryjgOgZ4GLaQn7hbUDcH1P
GUrUJ9/GERmFrZx+7ssbbCZUpT6wfF3h4jzEkkbDLuHzNkH7JDU=
=mKsS
-----END PGP SIGNATURE-----

--2W4wSx0jmTCcLO7w--