Mail Archives: cygwin/2008/05/13/03:37:58

X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Tue, 13 May 2008 09:37:20 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Unable to run sshd under a domain sshd_server account [SOLVED]
Message-ID: <20080513073720.GA22193@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <3B3EFBD49B94AD4DBB7B7097257A8046DD020D AT FDSVAST06SXCH01 DOT flooddata DOT net> <Pine DOT GSO DOT 4 DOT 63 DOT 0805121820090 DOT 11953 AT access1 DOT cims DOT nyu DOT edu>
MIME-Version: 1.0
In-Reply-To: <Pine.GSO.4.63.0805121820090.11953@access1.cims.nyu.edu>
User-Agent: Mutt/1.5.16 (2007-06-09)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On May 12 18:29, Igor Peshansky wrote:
> On Mon, 12 May 2008, Schutter, Thomas A. wrote:
> 
> > > -----Original Message-----
> > > From: Schutter, Thomas A.
> > > Sent: Monday, May 12, 2008 9:52 AM
> > > To: 'cygwin AT XXXXXX DOT XXX'
> 
> <http://cygwin.com/acronyms/#PCYMTNQREAIYR>.
> 
> > > Subject: Unable to run sshd under a domain sshd_server account
> > >
> > > I am having problems setting up sshd to run under a domain sshd_server
> > > account instead of a local sshd_server account.
> > > [snip]
> > > But when I login via ssh:
> > >   $ echo $USER
> > >   tschutter
> > >   $ echo $USERNAME
> > >   sshd_server
> 
> Yes -- Windows does not understand user impersonation and does not allow
> real user switching.  So what sshd does is invoke processes with the
> appropriate token privileges for the user it's impersonating, while
> updating internal Cygwin data structures, but still running as
> sshd_server.  So Cygwin sees the right user (in its internal state), but
> Windows processes, of course, don't.

That's not correct.  This problem has cropped up on the list a lot already.
When not using password authentication, Cygwin has to create a user
token from scratch.  The resulting processes are running under a normal
user token with correctly set user and group ownership.  What's missing
is a logon session for this user because only an LSA authentication
module can do that.  As a result, the processes of the new user are
running in the logon session of the user running sshd.  And here's the
problem.  For some reason, the appropriate Windows functions like
LookupAccountSid identify the user token's user SID incorrectly as the
user who owns the logon session.  And that's all:  The connection
SID <-> Username is broken.  The token itself is ok.  Usually that's
not a big deal, except that some Windows applications stumble over that,
like some Visual Studio stuff.

The way to fix this is to use a special LSA authentication module which
will be available with the next major release of Cygwin.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
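An added diagnostic, not part of the thread or of Cygwin itself, that makes the symptom described above visible from inside an ssh session: it reads the user SID carried by the process token and the account name Windows resolves for that SID (SecurityIdentifier.Translate calls LookupAccountSid), then compares them with the USER and USERNAME variables the original poster echoed. It assumes it is launched from the Cygwin shell of the ssh session (for example `powershell -File check-token.ps1`), so that Cygwin's USER variable is inherited; the script name is hypothetical.

```powershell
# check-token.ps1 (hypothetical name) -- added example, not code from the thread.
# Run from a Cygwin ssh session so that $env:USER (set by Cygwin) is inherited.

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# The user SID stored in the token itself (TokenUser). According to the
# thread, this part is correct even when the name lookup is not.
$tokenSid = $identity.User

# Resolve the SID to an account name. Translate() uses LookupAccountSid,
# which is the lookup the thread says misattributes the SID to the owner
# of the logon session (the sshd_server account) when the process has no
# logon session of its own.
try {
    $resolvedName = $tokenSid.Translate([System.Security.Principal.NTAccount]).Value
} catch {
    $resolvedName = "<unresolvable: $($_.Exception.Message)>"
}

# Cygwin's view of the user versus the Windows logon session's view.
$envUser     = $env:USER
$envUserName = $env:USERNAME

[PSCustomObject]@{
    TokenUserSid    = $tokenSid.Value      # should be the ssh user's SID
    ResolvedFromSid = $resolvedName        # may wrongly name the sshd account
    WindowsIdentity = $identity.Name       # same lookup path as above
    EnvUSER         = $envUser             # set by Cygwin, e.g. tschutter
    EnvUSERNAME     = $envUserName         # set by Windows, e.g. sshd_server
} | Format-List

# Report the SID <-> username breakage: the resolved name does not end in
# the Cygwin user name although the token SID is intact. No output here
# means the lookup and Cygwin's view agree (e.g. with password
# authentication, where a real logon session exists).
if ($envUser -and ($resolvedName -notlike "*\$envUser")) {
    Write-Warning ("Name resolved from token SID '{0}' is '{1}', but USER is '{2}': " +
                   "SID-to-name lookup is broken even though the token is correct.") `
                   -f $tokenSid.Value, $resolvedName, $envUser
}
```

Comparing the same output from a password-authenticated session against a key-authenticated one isolates the missing-logon-session case the thread describes.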
