On Wed 8/16/06 23:11 +0200 cygwin@cygwin.com wrote:
> On Aug 16 15:49, Tom Rodman wrote:
> > On Wed 8/16/06 14:44 CDT mwoehlke wrote:
> > > Tom Rodman wrote:
> > > > Hosts affected:
> > > > 
> > > >   several boxes running windows 2003 server w/cygwin 
> > > > (1.5.20s(0.155/4/2) 20060403 13:33:45)
> > > > 
> > > > Problem (or feature?): 
> > > > 
> > > >   when you ssh to these boxes, and run:
> > > > 
> > > >     $WINDIR/system32/whoami /all |grep -q S-1-2-0 || echo OOPs # "OOPS" echoes :-<
> > > > 
> > > >     "S-1-2-0" == "Users who log on to terminals locally (physically) connected to the system."
> > > > [...]
> > > FWIW, on my 2k3 box, I show up as a member in S-1-2-0 both logged in 
> > > "locally" (via Remote Desktop Sharing, with which I have never had 
> > > anything "not work") and via Cygwin sshd. 
--snip
> Maybe there's a difference between password and pubkey authentication?

We're using password authentication.

> Or it's some security setting?  I could easily imagine there's a switch
> in "local Security Settings" or "Domain Security Settings" which drops
> the LOCAL group from the token.  

In Windows, I ran secpol.msc and browsed through it looking for something
obvious; nothing jumped out at me.

These boxes are in a large corporate domain, and they do change, and
"push down" domain policies from time to time (often without telling us).

> There's a lot of mysterious stuff in 2K3...
> 
> Whatever it is, it must be something related to 2K3.  Cygwin doesn't
> differ the different OSes in terms of authentication.  I also have the
> LOCAL group as part of my user token on 2K3.

thx for checking, and letting me know

> Temporary Workaround:  Add the user to the local group by adding them to
> a manually created entry in /etc/group:
> 
>   local:S-1-2-0:2:user1,user2,...

Tried that... no joy; take a look:
--v-v------------------C-U-T---H-E-R-E-------------------------v-v-- 
  $ $WINDIR/system32/whoami /all #we're in an ssh session before edits made to /etc/group
  
  USER INFORMATION
  ----------------
  
  User Name  SID
  ========== =============================================
  DOMxx1\adm_usr1 S-1-5-21-1390067357-1202660629-682003330-5774
  
  
  GROUP INFORMATION
  -----------------
  
  Group Name                       Type             SID                                            Attributes
  ================================ ================ ============================================== ===============================================================
  Everyone                         Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
  BUILTIN\Users                    Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
  BUILTIN\Administrators           Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group, Group owner
  NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
  NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
  NT AUTHORITY\This Organization   Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
  DOMxx1\XYZ_ES_ADMIN              Group            S-1-5-21-1390067357-1202660629-682003330-6026  Mandatory group, Enabled by default, Enabled group
  DOMxx1\XYZ_ES_STAFF              Group            S-1-5-21-1390067357-1202660629-682003330-6027  Mandatory group, Enabled by default, Enabled group
  DOMxx1\XYZ_BLD_MGR               Group            S-1-5-21-1390067357-1202660629-682003330-6025  Mandatory group, Enabled by default, Enabled group
  DOMxx1\ABC_NA-CTX-Notepad-A      Group            S-1-5-21-1390067357-1202660629-682003330-9858  Mandatory group, Enabled by default, Enabled group
  DOMxx1\ABC_NA-DOMxx0-tcm-Users-A Group            S-1-5-21-1390067357-1202660629-682003330-9968  Mandatory group, Enabled by default, Enabled group
  DOMxx1\XYZ_Users                 Group            S-1-5-21-1390067357-1202660629-682003330-6024  Mandatory group, Enabled by default, Enabled group
  DOMxx1\ABC_NA-DL-CTX-Notepad Users-A Alias        S-1-5-21-1390067357-1202660629-682003330-9857  Mandatory group, Enabled by default, Enabled group
  DOMxx1\CERTSVC_DCOM_ACCESS       Alias            S-1-5-21-1390067357-1202660629-682003330-46949 Mandatory group, Enabled by default, Enabled group, Local Group
  DOMxx1\RILOE_SCM                 Alias            S-1-5-21-1390067357-1202660629-682003330-1339  Mandatory group, Enabled by default, Enabled group, Local Group
  DOMxx1\C200-DL-APP-SCMUsers      Alias            S-1-5-21-1390067357-1202660629-682003330-55557 Mandatory group, Enabled by default, Enabled group, Local Group
  
  
  PRIVILEGES INFORMATION
  ----------------------
  
  Privilege Name                  Description                               State
  =============================== ========================================= ========
  SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
  SeSecurityPrivilege             Manage auditing and security log          Disabled
  SeBackupPrivilege               Back up files and directories             Disabled
  SeRestorePrivilege              Restore files and directories             Disabled
  SeSystemtimePrivilege           Change the system time                    Disabled
  SeShutdownPrivilege             Shut down the system                      Disabled
  SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
  SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
  SeDebugPrivilege                Debug programs                            Disabled
  SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
  SeSystemProfilePrivilege        Profile system performance                Disabled
  SeProfileSingleProcessPrivilege Profile single process                    Disabled
  SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
  SeLoadDriverPrivilege           Load and unload device drivers            Disabled
  SeCreatePagefilePrivilege       Create a pagefile                         Disabled
  SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
  SeUndockPrivilege               Remove computer from docking station      Disabled
  SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
  SeImpersonatePrivilege          Impersonate a client after authentication Enabled
  SeCreateGlobalPrivilege         Create global objects                     Enabled
  $ grep S-1-2-0 /etc/group
  $ echo local:S-1-2-0:2:adm_usr1 >> /etc/group
  $ wc -l /etc/group
  2691 /etc/group
  $ exit
  logout
  Connection to OurSrvr065 closed.
  [16:02:33 Thu Aug 17 0j 36 2354 ~/Mail]
  [localhost rodmant]$ ssh OurSrvr065 -l adm_usr1 #~adm_usr1 is on a remote share
  [EMAIL PROTECTED]'s password:
  Last login: Thu Aug 17 15:58:07 2006 from 10.165.10.182
  Welcome to ITZG compile engine ..
  Could not chdir to home directory /user/adm_usr1: Permission denied
  -bash: /etc/profile: Permission denied
  -bash: /user/adm_usr1/.bash_profile: Permission denied
  -bash-3.00$ $WINDIR/system32/whoami /all #notice whoami shows wrong user name:
  
  USER INFORMATION
  ----------------
  
  User Name             SID
  ===================== =============================================
  OurSrvr065\sshd_server S-1-5-21-1390067357-1202660629-682003330-5774
  
  
  GROUP INFORMATION
  -----------------
  
  Group Name                       Type             SID                                           Attributes
  ================================ ================ ============================================= ==================================================
  Everyone                         Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
  NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
  LOCAL                            Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
  NT AUTHORITY\SERVICE             Well-known group S-1-5-6                                       Mandatory group, Enabled by default, Enabled group
  DOMxx1\ABC_NA-CTX-Notepad-A      Group            S-1-5-21-1390067357-1202660629-682003330-9858 Mandatory group, Enabled by default, Enabled group
  DOMxx1\ABC_NA-DOMxx0-tcm-Users-A Group            S-1-5-21-1390067357-1202660629-682003330-9968 Mandatory group, Enabled by default, Enabled group
  DOMxx1\XYZ_BLD_MGR               Group            S-1-5-21-1390067357-1202660629-682003330-6025 Mandatory group, Enabled by default, Enabled group
  DOMxx1\XYZ_ES_ADMIN              Group            S-1-5-21-1390067357-1202660629-682003330-6026 Mandatory group, Enabled by default, Enabled group
  DOMxx1\XYZ_ES_STAFF              Group            S-1-5-21-1390067357-1202660629-682003330-6027 Mandatory group, Enabled by default, Enabled group
  DOMxx1\XYZ_Users                 Group            S-1-5-21-1390067357-1202660629-682003330-6024 Mandatory group, Enabled by default, Enabled group
  BUILTIN\Administrators           Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group
  BUILTIN\Users                    Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
  
  
  PRIVILEGES INFORMATION
  ----------------------
  
  Privilege Name                  Description                               State
  =============================== ========================================= =======
  SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
  SeImpersonatePrivilege          Impersonate a client after authentication Enabled
  SeCreateGlobalPrivilege         Create global objects                     Enabled
  SeSecurityPrivilege             Manage auditing and security log          Enabled
  SeBackupPrivilege               Back up files and directories             Enabled
  SeRestorePrivilege              Restore files and directories             Enabled
  SeSystemtimePrivilege           Change the system time                    Enabled
  SeShutdownPrivilege             Shut down the system                      Enabled
  SeRemoteShutdownPrivilege       Force shutdown from a remote system       Enabled
  SeTakeOwnershipPrivilege        Take ownership of files or other objects  Enabled
  SeDebugPrivilege                Debug programs                            Enabled
  SeSystemEnvironmentPrivilege    Modify firmware environment values        Enabled
  SeSystemProfilePrivilege        Profile system performance                Enabled
  SeProfileSingleProcessPrivilege Profile single process                    Enabled
  SeIncreaseBasePriorityPrivilege Increase scheduling priority              Enabled
  SeLoadDriverPrivilege           Load and unload device drivers            Enabled
  SeCreatePagefilePrivilege       Create a pagefile                         Enabled
  SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Enabled
  SeUndockPrivilege               Remove computer from docking station      Enabled
  SeManageVolumePrivilege         Perform volume maintenance tasks          Enabled
  -bash-3.00$

> Corinna
> 
> -- 
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Project Co-Leader          cygwin AT cygwin DOT com
> Red Hat
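The thread's check is a bare `grep -q S-1-2-0` over `whoami /all`. The following is an added example, not code from the thread or from Cygwin, that parses the three `whoami /all` tables into a token description and extends that check with two things the second dump above makes worth auditing: whether the token is a service token (NT AUTHORITY\SERVICE, S-1-5-6, present) and which high-impact privileges are enabled. The embedded sample is constructed in the same column layout (section banners dropped, names and SIDs made up); the `HIGH_IMPACT` list is this example's own choice.

```python
import re

# Constructed sample in the column layout `whoami /all` prints on Windows 2003
# (not the thread's own captures; section banners dropped, names/SIDs made up).
SAMPLE = """\
User Name        SID
================ ======================
DOMxx1\\adm_usr1 S-1-5-21-11-22-33-5774

Group Name           Type             SID          Attributes
==================== ================ ============ ==========
BUILTIN\\Users        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
LOCAL                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\SERVICE Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group

Privilege Name          Description              State
======================= ======================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeDebugPrivilege        Debug programs           Enabled
SeBackupPrivilege       Back up files            Disabled
"""

USER_RE = re.compile(r"^(\S+\\\S+)\s+(S-1-[\d-]+)$")
GROUP_RE = re.compile(r"^(.*?)\s+(Well-known group|Alias|Group|Label)\s+(S-1-[\d-]+)\s*(.*)$")
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*\s+(Enabled|Disabled)$")
# Privileges that let the holder read, restore or take over arbitrary objects/processes.
HIGH_IMPACT = ("SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
               "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege")

def parse_whoami(text):
    """Return {'user': (name, sid), 'groups': {sid: name}, 'privileges': {name: state}}."""
    token = {"user": None, "groups": {}, "privileges": {}}
    for line in (ln.strip() for ln in text.splitlines()):
        if m := USER_RE.match(line):          # account line: NAME SID
            token["user"] = (m.group(1), m.group(2))
        elif m := GROUP_RE.match(line):       # group line: NAME TYPE SID ATTRS
            token["groups"][m.group(3)] = m.group(1)
        elif m := PRIV_RE.match(line):        # privilege line: NAME DESC STATE
            token["privileges"][m.group(1)] = m.group(2)
    return token

def audit_token(text, required_sids=("S-1-2-0",)):
    """The thread's `grep -q S-1-2-0` check plus two token sanity checks."""
    tok = parse_whoami(text)
    return {
        "missing_sids": [s for s in required_sids if s not in tok["groups"]],
        "service_token": "S-1-5-6" in tok["groups"],   # NT AUTHORITY\SERVICE in token
        "enabled_high_impact": [p for p in HIGH_IMPACT if tok["privileges"].get(p) == "Enabled"],
    }
```

Feed it `$WINDIR/system32/whoami /all` output captured in the ssh session; a non-empty `missing_sids` reproduces the thread's "OOPs" condition, while `service_token` or a non-empty `enabled_high_impact` signals that the session is running under a token other than the interactive user's.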
