Date: Sat, 19 Jul 2008 19:12:35 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

On Jul 19 12:51, Charles Wilson wrote:
> Corinna Vinschen wrote:
>> Oh, btw., Charles, that's one for you.
>> On Jun 16 23:01, Corinna Vinschen wrote:
>>> On May 13 11:09, Schutter, Thomas A. wrote:
>>> The problem was that the domain sshd_server account has no right to
>>> access the domain controller from the network. Solution: Open the Local
>>> Security Policy of the DC and look for the User Right "Deny access to
>>> this computer from the network". You'll find your sshd_server user in
>>> there. Remove it from this user right. Try again:
>> This user right shouldn't be set anymore in the
>> csih/cygwin-service-installation-helper.sh script. Patch follows:
>> * Don't disallow network logon for service user account.
>
> Here's the patch I applied, for csih-0.1.5:

Thanks Chuck. However, I sent a second patch in
http://cygwin.com/ml/cygwin/2008-06/msg00453.html
The Interactive Logon Right is also necessary for this account.

What also doesn't work well is this: In a domain I might want a
cyg_server domain account, rather than a local account on each machine.
The reason is that the rights of the domain account can be nicely
controlled via group policy. That won't work for local accounts on the
domain member machines. Therefore, if a cyg_server account exists in
/etc/passwd, I think it should be used.

Thanks again,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat