www.delorie.com/archives/browse.cgi   search  
Mail Archives: cygwin/2008/07/19/12:52:24

X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Message-ID: <48821B9F.6070907@cwilson.fastmail.fm>
Date: Sat, 19 Jul 2008 12:51:43 -0400
From: Charles Wilson <cygwin AT cwilson DOT fastmail DOT fm>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.14) Gecko/20080421 Thunderbird/2.0.0.14 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
References: <3B3EFBD49B94AD4DBB7B7097257A8046DD020D AT FDSVAST06SXCH01 DOT flooddata DOT net> <Pine DOT GSO DOT 4 DOT 63 DOT 0805121820090 DOT 11953 AT access1 DOT cims DOT nyu DOT edu> <20080513073720 DOT GA22193 AT calimero DOT vinschen DOT de> <3B3EFBD49B94AD4DBB7B7097257A8046DD02FC AT FDSVAST06SXCH01 DOT flooddata DOT net> <20080616210105 DOT GI731 AT calimero DOT vinschen DOT de> <20080616211352 DOT GK731 AT calimero DOT vinschen DOT de>
In-Reply-To: <20080616211352.GK731@calimero.vinschen.de>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com 

--------------000100010301000108020500
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Corinna Vinschen wrote:
> Oh, btw., Charles, that's one for you.
> 
> On Jun 16 23:01, Corinna Vinschen wrote:
>> On May 13 11:09, Schutter, Thomas A. wrote:
>> The problem was that the domain sshd_server account has no right to
>> access the domain controller from the network.  Solution: Open the Local
>> Security Policy of the DC and look for the User Right "Deny access to
>> this computer from the network".  You'll find your sshd_server user in
>> there.  Remove it from this user right.  Try again:
> 
> This user right shouldn't be set anymore in the
> csih/cygwin-service-installation-helper.sh script.  Patch follows:
> 
> 	* Don't disallow network logon for service user account.

Here's the patch I applied, for csih-0.1.5:

--
Chuck


--------------000100010301000108020500
Content-Type: text/plain;
 name="csih-rights.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="csih-rights.patch"

diff -u -r1.7 -r1.8
--- cygwin-service-installation-helper.sh	14 Apr 2008 18:36:05 -0000	1.7
+++ cygwin-service-installation-helper.sh	19 Jul 2008 16:40:31 -0000	1.8
@@ -1636,14 +1636,13 @@
           # user not in Administrators group
           return 1
         else
-          editrights -l -u "${user}" | fgrep SeAssignPrimaryTokenPrivilege     >/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeCreateTokenPrivilege            >/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeTcbPrivilege                    >/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeDenyInteractiveLogonRight       >/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeDenyNetworkLogonRight           >/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeDenyRemoteInteractiveLogonRight >/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeIncreaseQuotaPrivilege          >/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeServiceLogonRight               >/dev/null 2>&1
+          editrights -u "${user}" -t SeAssignPrimaryTokenPrivilege     >/dev/null 2>&1 &&
+          editrights -u "${user}" -t SeCreateTokenPrivilege            >/dev/null 2>&1 &&
+          editrights -u "${user}" -t SeTcbPrivilege                    >/dev/null 2>&1 &&
+          editrights -u "${user}" -t SeDenyInteractiveLogonRight       >/dev/null 2>&1 &&
+          editrights -u "${user}" -t SeDenyRemoteInteractiveLogonRight >/dev/null 2>&1 &&
+          editrights -u "${user}" -t SeIncreaseQuotaPrivilege          >/dev/null 2>&1 &&
+          editrights -u "${user}" -t SeServiceLogonRight               >/dev/null 2>&1
           return # status of previous command-list
         fi
       fi
@@ -2106,7 +2105,6 @@
         editrights -a SeCreateTokenPrivilege -u ${username} &&
         editrights -a SeTcbPrivilege -u ${username} &&
         editrights -a SeDenyInteractiveLogonRight -u ${username} &&
-        editrights -a SeDenyNetworkLogonRight -u ${username} &&
         editrights -a SeDenyRemoteInteractiveLogonRight -u ${username} &&
         editrights -a SeIncreaseQuotaPrivilege -u ${username} &&
         editrights -a SeServiceLogonRight -u ${username} &&


--------------000100010301000108020500
Content-Type: text/plain; charset=us-ascii

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
--------------000100010301000108020500--

- Raw text -


  webmaster     delorie software   privacy  
  Copyright © 2019   by DJ Delorie     Updated Jul 2019