On Wed 8/23/06 9:43 +0200 cygwin@cygwin.com wrote:
> On Aug 21 11:13, Tom Rodman wrote:
> > On Fri 8/18/06 16:28 +0200 cygwin@cygwin.com wrote:
> > > The trick using /etc/group only works for password-LESS authentication,
> > > sorry for not mentioning it, but usually the problems reported here are
> > > with passwordless authentication so I just assumed this is the case here,
> > > too.
> >
> > A trick using /etc/group *does* work for password authentication - at
> > least for domain groups. We edit /etc/group, every day via a cron job -
>
> Hmm, I'm a bit irritated since actually it can't work, at least not as
> you'd expect. If a user token created by a password logon is not matching
> the groups you added it to, the token is treated as invalid. This would
> happen, for instance, if the authenticating application (say, sshd), uses
> setgroups(2) with an entirely different set of groups. The result is that
> a new token is created in Cygwin, which has nothing to do with the
> original password token. Especially the new token is missing the network
> credentials and the user is again running in the wrong logon session.
> This is all a bit tricky. Right now, I don't know if it's possible to
> create a token with network credentials at all.
Thanks as always for responding, Corinna. I'm answering somewhat hurriedly,
let me know if you need more specifics..

Here is empirical evidence that our password authenticated ssh sessions
benefit from daily automatic edits of /etc/group:

$ whoami #we're now in a password authenticated session to server OurSrvr065
adm_usr1
$ pwd -P; mount |grep /adm
/adm/sa/tmp
\\OurSrvr063\tcm\adm on /adm type system (binmode,noexec)
$ uname -a
CYGWIN_NT-5.2 OurSrvr065 1.5.20s(0.155/4/2) 20060403 13:33:45 i686 Cygwin
$ pwd -P; mount |grep /adm
/adm/sa/tmp
\\OurSrvr063\tcm\adm on /adm type system (binmode,noexec)
$ grep adm_usr1 /etc/group|sed -eG #sorry I'm not wrapping these lines
ABC_NA-CTX-Notepad-A:S-1-5-21-1390067357-1202660629-682003330-9858:19858:staffuser2,staffuser1,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root

ABC_NA-DOMxx0-tcm-Users-A:S-1-5-21-1390067357-1202660629-682003330-9968:19968:staffuser2,adm_usr1

Domain Users:S-1-5-21-1390067357-1202660629-682003330-513:10513:staffuser2,staffuser1,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root

XYZ_BLD_MGR:S-1-5-21-1390067357-1202660629-682003330-6025:16025:staffuser2,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root

XYZ_ES_ADMIN:S-1-5-21-1390067357-1202660629-682003330-6026:16026:staffuser1,adm_usr1,adm_usr2,doejohn

XYZ_ES_STAFF:S-1-5-21-1390067357-1202660629-682003330-6027:16027:staffuser2,staffuser1,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root

XYZ_Users:S-1-5-21-1390067357-1202660629-682003330-6024:16024:staffuser2,staffuser1,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root

$ id -G; id -Gn
16027 544 19858 19968 10513 16025 16026 16024 545
XYZ_ES_STAFF Administrators ABC_NA-CTX-Notepad-A ABC_NA-DOMxx0-tcm-Users-A Domain Users XYZ_BLD_MGR XYZ_ES_ADMIN XYZ_Users Users
$ getfacl .
# file: .
# owner: staffuser2
# group: XYZ_ES_STAFF
user::rwx
group::rwx
mask:rwx
other:rwx
default:user::rwx
default:group::rwx
default:other:rwx
$ dacl -s //OurSrvr063/tcm #an alias for "setacl", setacl dumps windows permissions for the share:
+ setacl -on '\\OurSrvr063\tcm' -ot shr -actn list -lst 'f:tab;w:o,g,d,s;i:y;s:n'
\\OurSrvr063\tcm
Owner: BUILTIN\Administrators
Group: DOMxx1\Domain Users
DACL(not_protected):
BUILTIN\Administrators          full    allow   no_inheritance
DOMxx1\C200-DL-APP-XYZUsers     full    allow   no_inheritance
Everyone                        read    allow   no_inheritance
DOMxx1\XYZ_Users                full    allow   no_inheritance
DOMxx0\XYZ_USERS                full    allow   no_inheritance
SetACL finished successfully.
+ set +x
$ touch toss686867
$ echo hi > toss686867 #writing to a file on a network share in a password authenticated ssh session
$ ls -l toss686867
-rw-rw-r-- 1 adm_usr1 XYZ_ES_STAFF 3 Aug 23 12:43 toss686867
$ rm toss686867
$ egrep '^XYZ_BLD_MGR' /etc/group #notice "adm_usr1" has been added, we will soon remove him..
XYZ_BLD_MGR:S-1-5-21-1390067357-1202660629-682003330-6025:16025:staffuser2,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root
$ perl -pe 's~adm_usr1,~~ if (m{^XYZ_BLD_MGR});' /etc/group|grep XYZ_BLD_MGR
XYZ_BLD_MGR:S-1-5-21-1390067357-1202660629-682003330-6025:16025:staffuser2,adm_usr2,doejohn,crodmat,bcm_root
$ cd /etc
$ cp group /tmp
$ perl -ibackup_wed01 -pe 's~adm_usr1,~~ if (m{^XYZ_BLD_MGR});' /etc/group #removing adm_usr1
$ diff /etc/group /tmp #the perl /etc/group edit above will position next ssh session to fail..
--- /etc/group 2006-08-23 12:47:50.840153600 -0500
+++ /tmp/group 2006-08-23 07:10:33.525216000 -0500
@@ -2214,7 +2214,7 @@ SBE-CG_SBE_OFFICE:S-1-5-21-1390067357-1202660629-682003330-12336:22336: SBE-Everyone:S-1-5-21-1390067357-1202660629-682003330-12335:22335: SBE_Everyone:S-1-5-21-1390067357-1202660629-682003330-12337:22337: -XYZ_BLD_MGR:S-1-5-21-1390067357-1202660629-682003330-6025:16025:staffuser2,adm_usr2,doejohn,crodmat,bcm_root +XYZ_BLD_MGR:S-1-5-21-1390067357-1202660629-682003330-6025:16025:staffuser2,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root XYZ_ES_ADMIN:S-1-5-21-1390067357-1202660629-682003330-6026:16026:staffuser1,adm_usr1,adm_usr2,doejohn XYZ_ES_STAFF:S-1-5-21-1390067357-1202660629-682003330-6027:16027:staffuser2,staffuser1,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root XYZ_Users:S-1-5-21-1390067357-1202660629-682003330-6024:16024:staffuser2,staffuser1,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root $ exit logout Connection to OurSrvr065 closed. --snip [12:49:24 Wed Aug 23 0j 36 2354 ~/Mail] [localhost rodmant]$ ssh OurSrvr065 -l adm_usr1 [EMAIL PROTECTED]'s password: Last login: Wed Aug 23 12:48:54 2006 from 10.165.10.182 Welcome to ITZG compile engine .. Could not chdir to home directory /user/adm_usr1: Permission denied -bash: /etc/profile: Permission denied -bash: /user/adm_usr1/.bash_profile: Permission denied -bash-3.00$ cd /etc -bash-3.00$ cat /tmp/group > group #adm_usr1 put back in domain group 16025 again -bash-3.00$ exit # next ssh session will be able to write to network drives again logout -bash: /user/adm_usr1/.bash_logout: Permission denied Connection to OurSrvr065 closed. [12:50:02 Wed Aug 23 0j 36 2354 ~/Mail] [localhost rodmant]$ ssh OurSrvr065 -l adm_usr1 # start another password authenticated session [EMAIL PROTECTED]'s password: Last login: Wed Aug 23 12:49:39 2006 from 10.165.10.182 Welcome to ITZG compile engine .. 
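Review bot: the hunk reads inverted relative to the change it documents because the arguments were given edited-file-first (`diff /etc/group /tmp`): the `-` line, where adm_usr1 is absent from XYZ_BLD_MGR, is the state after the perl edit, and the `+` line is the untouched backup in /tmp. A reader skimming the hunk will take it as adm_usr1 being added back, which is the opposite of the comment "removing adm_usr1". Running `diff /tmp/group /etc/group` (old first, new second) would show the removal as a `-` line and match the comment; alternatively state the argument order next to the hunk.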
$ cd /adm/sa/tmp
$ touch toss9879789
$ echo hi >> toss9879789
$

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
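Added example, not part of the thread and not Cygwin's own code: a POSIX sh script that checks the consistency condition Corinna's reply turns on (every group in the logon token must be one whose /etc/group entry lists the user) against a group file in the format Tom's `grep adm_usr1 /etc/group` shows, and performs the kind of membership edit his daily cron job makes. The group names and gids are the ones in Tom's listing; the SIDs, the member lists, the function names and the sample token are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Cygwin /etc/group line format, as in
# Tom's listing:  name:SID:gid:member,member,...

# token_mismatch GROUPFILE USER GID...
# Prints each token gid whose GROUPFILE entry does not list USER (or has no
# entry at all); returns 1 if any such gid exists, 0 if token and file agree.
token_mismatch() {
    groupfile=$1; user=$2; shift 2
    rc=0
    for gid in "$@"; do
        # Match on the gid field (field 3); group names may contain spaces.
        line=$(awk -F: -v g="$gid" '$3 == g { print; exit }' "$groupfile")
        if [ -z "$line" ]; then
            echo "gid $gid: no entry in $groupfile"
            rc=1
            continue
        fi
        name=${line%%:*}      # field 1: group name
        members=${line##*:}   # field 4: member list (after the last colon)
        case ",$members," in
            *",$user,"*) ;;   # user listed: consistent
            *) echo "gid $gid ($name): $user not listed"; rc=1 ;;
        esac
    done
    return $rc
}

# add_member GROUPFILE GROUPNAME USER
# Appends USER to GROUPNAME's member list, once (idempotent). This is the edit
# the thread's cron job makes, done with awk rather than perl -i.
add_member() {
    awk -F: -v OFS=: -v g="$2" -v u="$3" '
        $1 == g {
            if ($4 == "") $4 = u; else if (index("," $4 ",", "," u ",") == 0) $4 = $4 "," u
        }
        { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Constructed sample group file: names and gids from the post, SIDs made up.
# adm_usr1 is deliberately missing from XYZ_BLD_MGR, the state Tom produced
# with his perl edit.
make_sample_group() {
    cat > "$1" <<'EOF'
Domain Users:S-1-5-21-1111111111-2222222222-3333333333-513:10513:staffuser2,adm_usr1
XYZ_BLD_MGR:S-1-5-21-1111111111-2222222222-3333333333-6025:16025:staffuser2,adm_usr2
XYZ_ES_STAFF:S-1-5-21-1111111111-2222222222-3333333333-6027:16027:staffuser2,adm_usr1
EOF
}

# Stand-alone demo:  sh check_group_token.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_group "$tmp"
    # Constructed token: the domain gids `id -G` reported for adm_usr1 in the
    # post that also appear in the sample file.
    token_mismatch "$tmp" adm_usr1 16027 10513 16025 \
        || echo "-> mismatch: token and group file disagree"
    add_member "$tmp" XYZ_BLD_MGR adm_usr1
    token_mismatch "$tmp" adm_usr1 16027 10513 16025 \
        && echo "-> consistent after adding adm_usr1 to XYZ_BLD_MGR"
    rm -f "$tmp"
fi
```

On a Cygwin host the check is `token_mismatch /etc/group "$(whoami)" $(id -G)` in a freshly opened password-authenticated session; a non-empty report is the token/group disagreement Corinna describes. Tom's `id -G` also contains the local BUILTIN gids 544 and 545, whose mkgroup-generated entries typically carry no member list, so they will be flagged unless the gid list is restricted to the domain groups the cron job maintains, which is the scope Tom claims ("at least for domain groups").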