On Feb 20 23:43, Corinna Vinschen wrote:
> On Feb 20 23:36, Corinna Vinschen wrote:
> > On Feb 20 22:49, Houder wrote:
> > > On Wed, 20 Feb 2019 21:27:22, Andy Moreton wrote:
> > >
> > > > I've seen a similar failure, on a domain-joined Windows 10 box running
> > > > cygsshd using a local cyg_server user account. I've fixed it by:
> > > > 1) Open the "Computer Management" app
> > > >    Select "Services and Applications", then "Services", and
> > > >    choose the cygsshd service from the list.
> > > > 2) Stop the service
> > > > 3) Select the "Log On" tab, choose "Local System Account" and click OK.
> > > > 4) Restart the service.
> > > >
> > > > This changed the account reported by "cygrunsrv -VQ" from "./cyg_server"
> > > > to "LocalSystem".
> > >
> > > 64-@@ uname -a
> > > CYGWIN_NT-6.1 Seven 3.0.1(0.338/5/3) 2019-02-20 10:19 x86_64 Cygwin
> > >
> > > First I replaced cygwin1.dll again w/ the last version, as you can see ...
> > >
> > > Then I carried out your instruction ...
> > >
> > > To my surprise it did the trick! Thank you!
> > >
> > > Perhaps Corinna can give a hint of why the modification made the
> > > difference.
> >
> > Actually, I can't. I'm surprised, too, because it still runs
> > fine for me under the cyg_server account.
>
> Actually, maybe I can. On second thought there's a quite high
> probability that my AD cyg_server account I'm using for 10 years
> or longer, has not the same privileges as a cyg_server account
> created via ssh-host-config script. Maybe it works for me because
> of these extra permissions the account got during years of playing
> around with it.
>
> I guess I have to create another, local cyg_server account via
> ssh-host-config and try the same with that account.
>
> Not having much time tomorrow, but at least on Friday I should
> be able to test this.

I managed it today already but I'm somewhat stumped.

I ran ssh-host-config and let the script install a new local account
"test_server" to use for the sshd service. I started the service and
tried to login with a local account and it just worked out of the box.

However, when I tried to logon with a domain account, S4U failed since
the local account didn't have enough permissions or so. The call to
LsaLogonUser failed with STATUS_NOT_SUPPORTED.

So with S4U sshd needs to run under SYSTEM or a privileged domain
account to allow domain accounts to login.

But from my POV S4U is the way to go. I'm still a bit proud that I
managed to figure the "Create user token from scratch" method out back
in 2001, but I think it's really outdated now and should not be used
anymore. I'd hate having to enable it again generally.

Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
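
One way to check a host against the finding in this thread, as an added example that is not part of the original messages or of Cygwin: the script reads which account the `cygsshd` service runs under and classifies it the way the thread distinguishes them (SYSTEM, local account, domain account). The function name `Get-S4UAccountClass` and the message wording are assumptions made for illustration; the thread does not say which privileges a domain service account needs.

```powershell
# Added example, not from the thread. The service name "cygsshd" is the one
# mentioned in the thread; pass -ServiceName if yours differs.
param([string]$ServiceName = 'cygsshd')

# Hypothetical helper: classify a service logon account name.
function Get-S4UAccountClass {
    param([string]$StartName, [string]$ComputerName = $env:COMPUTERNAME)
    # Win32_Service reports the built-in SYSTEM account as "LocalSystem".
    if ($StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') { return 'System' }
    $parts = $StartName -split '\\', 2
    if ($parts.Count -eq 2) {
        # Other built-in service identities (LocalService, NetworkService).
        if ($parts[0] -ieq 'NT AUTHORITY') { return 'BuiltinService' }
        # ".\name" or "COMPUTERNAME\name" is an account in the local SAM.
        if ($parts[0] -eq '.' -or $parts[0] -ieq $ComputerName) { return 'Local' }
        return 'Domain'                       # DOMAIN\name
    }
    if ($StartName -match '@') { return 'Domain' }   # name@domain (UPN form)
    return 'Unknown'
}

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Error "Service '$ServiceName' not found."; return }

$class = Get-S4UAccountClass -StartName $svc.StartName
$note = switch ($class) {
    'System' { 'Runs as SYSTEM: the configuration reported to allow domain-account logons via S4U.' }
    'Local'  { 'Local service account: local logons worked in the thread, but LsaLogonUser returned STATUS_NOT_SUPPORTED for domain accounts.' }
    'Domain' { 'Domain service account: reported to work only if the account is privileged (privileges not specified in the thread).' }
    default  { 'Account type not covered by the thread; verify manually with "cygrunsrv -VQ".' }
}

[pscustomobject]@{
    Service  = $svc.Name
    State    = $svc.State
    RunsAs   = $svc.StartName
    Class    = $class
    Note     = $note
}
```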