From: Maayan Apelboim
To: "cygwin AT cygwin DOT com"
Subject: RE: can't access remote shares when using ssh with rsa key - passwd -R / set(e)uid / LogonUser is not working as expected
Date: Mon, 18 Mar 2019 13:53:43 +0000
In-Reply-To: <20190314111127.GF3785@calimero.vinschen.de>

If password auth or `passwd -R' auth is used you'll have the "4(INTERACTIVE)" group in your `id' output. If S4ULogon is used you'll have the "2(NETWORK)" group in your `id' output. This is one way to identify which logon method has been used.

>>>>I always get 4(INTERACTIVE) - with password or with RSA (also on servers I didn't run passwd -R). Never got 2(NETWORK).

You don't need mkpasswd anymore. Use `getent passwd' instead. But... given you're using mkpasswd at all, I wonder if you still have /etc/passwd and/or /etc/group files. If so, move them out of the way and restart your Cygwin processes. They are not required and may even result in problems if they have been tweaked. If you still have these files, removing them is the first thing to try.

>>>>Yes, I still have passwd and group files. No special tweaks. They were set with mkpasswd -d & mkgroup -d and have never been touched, but I'll check how to use getent and will update.

Other groups than NETWORK or INTERACTIVE don't matter, as explained above. The only reasons I can think of that LogonUser doesn't work is that your username, domainname, or password are incorrect, or your account is disabled. I never saw the call fail for any other reason.
For debugging, you would have to call the sshd service under strace. That would give a hint. For that you should change the sshd service call in the registry so that `/usr/sbin/sshd -D' is replaced with `/usr/bin/strace -o /tmp/sshd.trace /usr/sbin/sshd -d'. Note the lowercase -d, which runs sshd in debug mode. After the first logon, sshd will terminate itself automatically. Afterwards you should send the /tmp/sshd.trace file here for inspection. You can obfuscate sensitive info, but the gist of the file should stay intact.

>>>> I was able to set sshd to run with debug (-d), but when adding the trace the service fails to start.

Noticed another problem started only on the servers I ran passwd -R - the Cygwin terminal fails to start. The window opens and closes immediately. It didn't happen immediately after running the command. It started a few days later. Servers have been rebooted during this time and I think it started after the reboot.

Think I might need to reinstall or upgrade and try your suggestions again.

Thanks for the tips. I will update when I have more info.
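
An added example, not part of the original message and not Cygwin's own code: a shell helper that applies the `id` check described in the thread (4(INTERACTIVE) versus 2(NETWORK)) and lists leftover /etc/passwd and /etc/group files. The function names and the sample `id` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Rule taken from the message:
#   4(INTERACTIVE) => password auth or `passwd -R' auth
#   2(NETWORK)     => S4ULogon
# Function names are hypothetical; sample lines below are constructed.

# logon_method ID_OUTPUT
# Prints: password-or-passwd-R | s4u | ambiguous | unknown
logon_method() {
    # Keep only the group list and wrap it in commas so every entry can be
    # matched whole: ",4(INTERACTIVE)," must not match "14(INTERACTIVE)".
    glist=",${1##*groups=},"
    interactive=no
    network=no
    case $glist in *",4(INTERACTIVE),"*) interactive=yes ;; esac
    case $glist in *",2(NETWORK),"*) network=yes ;; esac
    case $interactive$network in
        yesno)  echo password-or-passwd-R ;;
        noyes)  echo s4u ;;
        yesyes) echo ambiguous ;;   # both markers present: do not guess
        *)      echo unknown ;;
    esac
}

# leftover_account_files [ROOT]
# Prints any etc/passwd or etc/group still present under ROOT (default /).
# The message advises moving these files out of the way.
leftover_account_files() {
    root=${1:-/}
    for f in etc/passwd etc/group; do
        [ -e "${root%/}/$f" ] && echo "${root%/}/$f"
    done
    return 0
}

# Constructed sample `id' lines (not taken from the thread).
SAMPLE_PW='uid=1049(alice) gid=1049(Domain Users) groups=1049(Domain Users),545(Users),4(INTERACTIVE),11(Authenticated Users)'
SAMPLE_S4U='uid=1049(alice) gid=1049(Domain Users) groups=1049(Domain Users),545(Users),2(NETWORK),11(Authenticated Users)'

echo "sample 1: $(logon_method "$SAMPLE_PW")"
echo "sample 2: $(logon_method "$SAMPLE_S4U")"
# In a real ssh session, classify the current logon and list leftover files:
echo "this session: $(logon_method "$(id)")"
leftover_account_files /
```

Run it inside the ssh session under test, since the group list reflects the token of the session that runs `id`.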