From: Julio Costa
Date: Tue, 21 Apr 2009 14:56:49 +0100
Subject: [openssh] service with domain user
To: Cygwin Mailing list

Hi Cygwinners,

I've been struggling with an openssh installation in a test environment, with the following characteristics:

1) Host is a Windows 2003 sp2; So, privsep is enforced;
2) Installation of cygwin made with a domain user (local admin);
3) Main objective of sshd: file transfers and remote shell for either domain users (regular or admin) and local users (restricted only);

After many tries and tests, I've come to the conclusion that for achieving 3), the sshd daemon should run with a domain user; no problem, we allocated one for that purpose.

But now I can't make ssh(d) work correctly. I used the "trick" of adding the domain user to passwd and renaming it to cyg_server, and indeed the service got installed with the correct domain user, no questions asked (thanks, Corinna!).

But, that's the end of the story. I can't make ssh work, and typically the message I see in logs is like this:

"sshd: PID 3572: fatal: seteuid 18606: Permission denied"

I thought that the correct permissions/privileges were assigned in the ssh-host-config... isn't that so? How do I find what is missing?

Thanks for your help!

PS: I'm also seeing strange things coming from editrights - see these (failed) attempts, that should give the same output:

    # This is for context:
    ~ $ grep cyg_server /etc/passwd
    cyg_server:unused:47000:10513:U-DOMAIN\SECSERVICE,S-1-5-21-682003330-2049760794-1801674531-37000:/home/SECSERVICE:/bin/bash

    ~ $ editrights -u cyg_server -l
    Error in getSID (LsaLookupNames returned 0xc000018c=STATUS_TRUSTED_DOMAIN_FAILURE)!

    ~ $ editrights -u DOMAIN\\SECSERVICE -l
    SeServiceLogonRight

Have Fun! (I'm not)
___________
Julio Costa