Date: Thu, 13 Nov 2008 11:35:43 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: sshd on vista error "initgroups: Permission denied" (cygwin-1.7)
Message-ID: <20081113103543.GM17719@calimero.vinschen.de>
In-Reply-To: <95155.1226537859@maeder.org>

On Nov 12 16:57, Herb Maeder wrote:
> On 10 Nov 2008 15:48:15 +0100, Corinna Vinschen wrote:
> [...]
> Am I correct in assuming that you would need to have access to an account
> with Domain Administrator privileges in order to allow multiple domain
> users to ssh into a 1.7 vista machine?

I'm not quite sure about this.  I don't claim to understand all the
dos and don'ts of Windows domains either.  However, I have a working
result by creating a domain account with the required permissions called
cyg_server, then create a cyg_server entry in passwd using mkpasswd,
then start ssh-host-config.

> And if you don't have access to such an account, the best you can do is
> fire up sshd as yourself (or perhaps one sshd per user on different ports)?
> I'm guessing that will allow you and local users to ssh in (assuming your
> domain account has local administrator access).
>
> Looking ahead, I suspect that this combo (sshd + 1.7 + vista + domain user)
> will be pretty common.  Is there a plan for steering users in the right
> direction during the setup of sshd, or maybe giving a more descriptive
> error message?

The ssh-host-config script only covers the simpler approaches for home
users.  Right now, a professional administrator for a Windows domain
will have to know a bit, or ask here.  Ideally, somebody would take a
heart and

- Add more code to ssh-host-config to allow more smooth operations
  in a domain environment.

- Add to the documentation to explain the problems.

But right now that won't be me.

> > 1. Yes, ssh-host-config has to be run elevated, as with all applications
> >    requiring actual admin privileges.  There's no way to elevate a child
> >    process running in the same console window.  Microsoft tweaked the
> >    ShellExecute() call in shell32.dll heavily to allow the UAC stuff,
> >    but neglected to allow applications using the CreateProcess() call to
> >    do the same.  ShellExecute is not an option to use in Cygwin processes.
>
> Bum deal.  But thanks for the explanation.  That clarifies what I was
> seeing.

Actually there is a way to elevate a console application which is the
manifest file.  Unfortunately this only works for executables, not for
scripts.  I didn't try it myself, but maybe something like this works:

  $ cd /bin
  $ cp bash.exe bash-elevated.exe
  $ sed 's/nstall\.exe/bash-elevated.exe/g' < install.exe > bash-elevated.exe.manifest
  $ sed '1s/bash/bash-elevated/' < ssh-host-config > ssh-host-config-elevated
  $ ssh-host-config-elevated

Sometimes adding a manifest file to an executable doesn't work
immediately due to some caching in Windows but basically this should
work.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
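
The manifest approach mentioned in the message, as an added example that is not part of the original mail and not Cygwin project code: instead of deriving the manifest with sed, it writes an external manifest from scratch that requests `requireAdministrator`, and it checks whether the current shell is already elevated before ssh-host-config is run. The function names are hypothetical, and the elevation check assumes that Cygwin maps the BUILTIN\Administrators group (S-1-5-32-544) to gid 544, which only appears in `id -G` for an elevated token.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are hypothetical.

# write_elevation_manifest EXE
# Writes EXE.manifest next to EXE. The requestedExecutionLevel element asks
# Windows to start EXE with a full administrator token, which triggers the
# UAC prompt. Assumption: EXE carries no embedded manifest that overrides it.
write_elevation_manifest() {
    exe=$1
    [ -f "$exe" ] || { echo "no such executable: $exe" >&2; return 1; }
    name=$(basename "$exe" .exe)
    cat > "$exe.manifest" <<EOF
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="$name" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
EOF
}

# is_elevated [GROUP_IDS]
# Succeeds if the group list contains gid 544 (Administrators). Without an
# argument it inspects the current process via `id -G`. Whole-word match, so
# a gid such as 5440 does not count.
is_elevated() {
    groups=${1:-$(id -G)}
    case " $groups " in
        *" 544 "*) return 0 ;;
        *)         return 1 ;;
    esac
}
```

A setup wrapper can call `is_elevated` first and stop with a clear message when the shell was not started with "Run as administrator", rather than letting ssh-host-config fail later.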