Greetings, Jarek! >>>>> So why are they not needed as your comment doesn't really explain that >>>> Read 1.7.35 changelog. >>>> In short, username resolution was completely reworked, thanks to Corinna, >>>> and >>>> Cygwin now directly address domain controllers for it. >>> OK so it addresses DCs to check some settings or priviliges. I don't >>> suppose it just asks 'hey DS, can contoso\johnd access sshd on server1?' >> Indirectly, that can be done, i.e., by including a user in "SSH" group and >> allow only "DOMAIN+SSH" group to authorize on server. > I assume the group name is arbitrary and can be named anything.
Of course. I have a generic "RemoteUsers" group for all users that allowed remote access (VPN, SSH, etc.) > I went thrugh local rights on my sshserver and I see the Everyone, and > Users local groups have Allow to access this computer via network. > I take it the 'Act as part of the OS','Create a token object' and > 'Replace a process level token' rights are only for the account running > the sshd service. Yes, these are only used by service itself, and not propagated to the users connected. >> Verbose logging from both client and server may give some insight, too. > Here is what I get from the logs on the client when attempting to > connect with WinSCP Try using only username to login. Without domain prefix. And disable other auth mechanics, while you are testing namely I see it trying GSSAPI, which wouldn't work unless explicitly configured and allowed. Please attach long listings as files or provide links to pastebin service of your choice. -- With best regards, Andrey Repin Thursday, July 23, 2015 00:42:20 Sorry for my terrible english... -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple