From: Achim Gratz <Stromeko AT nexgo DOT de>
To: cygwin AT cygwin DOT com
Subject: Re: LDAP integration and sshd
References: <loom DOT 20140625T141552-513 AT post DOT gmane DOT org> <20140625130727 DOT GQ1803 AT calimero DOT vinschen DOT de>
Date: Wed, 25 Jun 2014 20:06:49 +0200
In-Reply-To: <20140625130727.GQ1803@calimero.vinschen.de> (Corinna Vinschen's message of "Wed, 25 Jun 2014 15:07:27 +0200")
Message-ID: <87simsrhhi.fsf@Rainer.invalid>
Corinna Vinschen writes:
> You read my preliminary doc, I hope? I attached it again, for
> completeness. But, here's what happens:

I guess I read it at one time, but not specifically today. :-)

> If you're in a domain, and the sshd user account is local, the local
> sshd account will be prefixed with the local machine name, like this:
>
> MACHINE+sshd
>
> OpenSSH's sshd looks for an account called "sshd", so in the above
> scenario, it will fail to find sshd. There are three workarounds:

The fourth:

mkpasswd -l | awk '/sshd:/{gsub("^[^+]*\\+", "");print;}' >> /etc/passwd

> - Switch off privilege separation in /etc/sshd_config.

Not going to do that if I can help it.

> - Create an unprivileged "sshd" user in your primary domain. Since
> this account is unprefixed by default, sshd will find the user
> account and happily use it.

That might actually be the best idea since the account doesn't need any
privileges at all. I'll have to ask our domain admins.

> - Build your own OpenSSH package with the following patch applied:

With the workarounds available, I'm not trying.

> I have not the faintest idea how to get Kerberos auth working with
> OpenSSH, sorry. The problem in case of using the AD stuff might be
> related to the username prefixing. Kerberos probably doesn't understand
> the prefix separator char (the '+' sign by default).

At the moment the problem seems to be that some part of the necessary
config is missing. I'm getting into the right realm, but then things
fall apart.

>> Putting the public keys elsewhere would also work,
>> but it isn't clear to me how to configure that.

N.B.: This can be done in /etc/sshd_config with an absolute path and
judicious use of the %u token. Doesn't help though, since after logging
in via public key the user doesn't have an LDAP ticket and is thus
unable to have the home share mounted. This appeared to work during the
initial test since the server still had a ticket cached from a previous
RDP session.

> Does it work better with the passwd -R method?
>
> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd3

I didn't get it to work yet. I suppose that I need to somehow pass the
"CYGWIN=ntsec" environment via cygrunsrv? My initial config had CYGWIN
empty, which probably means I'll have to re-install the service.

BTW, I've managed to go through some SIDs until I've had a working
config; is there any way to reset this counter when deleting a user?
Do I read this correctly that the password itself gets stored and not
an NTLM(v2) hash?

Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#BlofeldUserWavetables

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
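A more defensive form of the "fourth workaround" posted above, as an added example that is not part of the original post or of Cygwin: it matches the account name as a whole field rather than the substring "sshd:" (so a local account such as "mysshd" is not copied by accident), strips the MACHINE+ prefix, and skips the append when an unprefixed entry already exists. The machine name WORKSTN, the SIDs and the sample mkpasswd -l output are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): copy one local account from
# `mkpasswd -l` output into a passwd file with the "MACHINE+" prefix removed.

# Constructed sample of `mkpasswd -l` output on a domain member. The machine
# name WORKSTN and the SIDs are made up; the field layout is passwd(5) format.
SAMPLE_MKPASSWD='WORKSTN+Administrator:unused:197108:197121:U-WORKSTN\Administrator,S-1-5-21-1-2-3-500:/home/Administrator:/bin/bash
WORKSTN+sshd:unused:197610:197121:sshd privsep,U-WORKSTN\sshd,S-1-5-21-1-2-3-1002:/var/empty:/bin/false
WORKSTN+mysshd:unused:197611:197121:U-WORKSTN\mysshd,S-1-5-21-1-2-3-1003:/home/mysshd:/bin/bash'

# unprefixed_entry USER < mkpasswd-output
# Prints the passwd line whose account name (after the "+" separator) is
# exactly USER, with the "MACHINE+" prefix stripped. Prints nothing if absent.
unprefixed_entry() {
    awk -F: -v user="$1" '
        # $1 is "MACHINE+name"; keep only the part after the separator
        { name = $1; sub(/^.*\+/, "", name) }
        # whole-field match, so "mysshd" does not match "sshd"
        name == user { sub(/^[^+:]*\+/, ""); print; exit }'
}

# add_unprefixed_user USER PASSWD_FILE < mkpasswd-output
# Appends the stripped entry to PASSWD_FILE unless USER is already there.
# Exit status: 0 appended, 1 already present, 2 USER not found in input.
add_unprefixed_user() {
    user=$1; file=$2
    if grep -q "^$user:" "$file" 2>/dev/null; then
        return 1
    fi
    entry=$(unprefixed_entry "$user")
    [ -n "$entry" ] || return 2
    printf '%s\n' "$entry" >> "$file"
}

# Stand-alone run against the constructed sample instead of the live system:
#   printf '%s\n' "$SAMPLE_MKPASSWD" | add_unprefixed_user sshd ./passwd.test
```

On a real machine the input would be `mkpasswd -l` and the target /etc/passwd; the sample keeps the example runnable offline.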