Mail Archives: cygwin/2008/05/13/12:10:52
> -----Original Message-----
> On May 12 18:29, Igor Peshansky wrote:
> > On Mon, 12 May 2008, Schutter, Thomas A. wrote:
> >
> > > > -----Original Message-----
> > > > From: Schutter, Thomas A.
> > > > Sent: Monday, May 12, 2008 9:52 AM
> > > > To: 'cygwin AT XXXXXX DOT XXX'
> >
> > <http://cygwin.com/acronyms/#PCYMTNQREAIYR>.
> >
> > > > Subject: Unable to run sshd under a domain sshd_server account
> > > >
> > > > I am having problems setting up sshd to run under a domain
> sshd_server
> > > > account instead of a local sshd_server account.
> > > > [snip]
> > > > But when I login via ssh:
> > > > $ echo $USER
> > > > tschutter
> > > > $ echo $USERNAME
> > > > sshd_server
> >
> > Yes -- Windows does not understand user impersonation and does not
> allow
> > real user switching. So what sshd does is invoke processes with the
> > appropriate token privileges for the user it's impersonating, while
> > updating internal Cygwin data structures, but still running as
> > sshd_server. So Cygwin sees the right user (in its internal state),
> but
> > Windows processes, of course, don't.
>
> That's not correct. This problem cropped up on the list a lot
already.
> When not using password authentication, Cygwin has to create a user
> token from scratch. The resulting processes are running under a
normal
> user token with correctly set user and group ownership.
Except that is not what I am seeing. When I run "id" from a console
cygwin shell:
$ id
uid=18718(tschutter) gid=10513(Domain Users)
groups=544(Administrators),545(Users),10513(Domain
Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)
But when I run "id" from a ssh shell:
$ id
uid=18718(tschutter) gid=10513(Domain Users)
groups=545(Users),10513(Domain Users)
So when I am using pubkey authentication, the user token is not a member
of the "Administrators", "FDSV-GG-PrxBLD", or "FDSV-GG-PrxPCAdmins"
groups.
> What's missing
> is a logon session for this user because only a LSA authentication
> module can do that. As a result, the processes of the new user are
> running in the logon session of the user running sshd. And here's the
> problem. For some reason, the appropriate Windows functions like
> LookupAcccountSid identify the user token's user SID incorrectly as
the
> user who's owning the logon session. And that's all: The connection
> SID <-> Username is broken. The token itself is ok. Usually that's
> not a big deal, except that some WIndows application stumble over
that,
> like some Visual Studio stuff.
> The way to fix this is to use a special LSA authentication module
which
> will be available with the next major release of Cygwin.
>
>
> Corinna
--
Tom Schutter
First American - Proxix Solutions
(512) 977-6822
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
- Raw text -