I'm attaching the whoami results:
whoami-win.txt - whoami run when logged on to the Windows computer
directly (both OFFICE\test1 and SM2WIN2003\local1)
whoami-ssh.txt - whoami run while ssh-ed in as the user test1 (in both
cases, with and without the Test Users group in /etc/group) and as user local1
The interesting observations are:
- when ssh-ed in as user test1, the SID reported by whoami is the correct
SID of the user in both cases. In one case the name is correct, in the
other the name is sshd_server
- when ssh-ed in as user test1 with the stripped-down /etc/group such that
whoami displays the right user, the group information is almost
identical to whoami run when logged on directly through Windows, with the
exception of the group LOCAL, which is missing.
(also, I forgot to mention that the credit for the idea of stripping down
/etc/group goes to Dave Perdue)
From: "Larry Hall (Cygwin)" <reply-to-list-only-lh at cygwin dot com>
To: cygwin at cygwin dot com
Date: Wed, 30 Aug 2006 17:54:57 -0400
Subject: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
References: <[EMAIL PROTECTED] <http://cygwin.com/ml/cygwin/2006-08/msg01056.html>>
Reply-to: cygwin at cygwin dot com
Serban Simu wrote:
I did notice a number of postings around this subject, but couldn't
see a resolution (Corinna answered a Feb '06 posting by Dave Perdue
that the problem should be fixed in 1.5.20, which is why I'm
reposting for 1.5.21).
I am exclusively using password auth (and am aware of the pubkey
auth limitations).
The basic setup is a Win 2003 R2 standard server, member of a domain
(machine name is SM2WIN2003 and domain is OFFICE). Installed 1.5.21
and ran ssh-host-config. All goes well and I have sshd service
running as local user sshd_server.
Then ran mkpasswd and mkgroup:
mkpasswd -l > /etc/passwd
mkpasswd -d >> /etc/passwd (I only have one domain, so this is the same
as mkpasswd -d OFFICE)
mkgroup -l > /etc/group
mkgroup -d >> /etc/group
If I ssh as a local user "local1", windows whoami returns
sm2win2003\local1
If I ssh as domain user "test1", windows whoami returns
sm2win2003\sshd_server (BAD)
If I strip the /etc/group file to only:
SYSTEM:S-1-5-18:18:
None:S-1-5-21-3712540747-3723856708-2352634044-513:513:
Domain Users:S-1-5-21-4293257363-1756470469-1603820055-513:10513:
Then ssh as domain user "test1", windows whoami returns office\test1
(GOOD)
Now, I tried adding the minimum possible to /etc/group to create the
problem, so if I just add one line:
SYSTEM:S-1-5-18:18:
None:S-1-5-21-3712540747-3723856708-2352634044-513:513:
Domain Users:S-1-5-21-4293257363-1756470469-1603820055-513:10513:
Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:
Then ssh as domain user "test1", windows whoami returns
sm2win2003\sshd_server (BAD)
My domain user test1 is a member of domain group Test Users.
So my questions would be:
(1) I did find a workaround, but what is the explanation of this
problem and what is a good, solid workaround?
(2) Is there a way and a plan to straighten this behavior, and maybe
document the usage in Win 2003 domain environments (I'm assuming
that most people would be interested in accessing network resources
in Win 2003 domains, which is why this is a problem in the first place)
Also, I believe that I didn't have this problem on older Win 2003
(before R2), but I no longer have a test setup to confirm it.
Attached is the full "whoami /all" output and cygcheck.out.
Interesting results. It would be interesting to see what "whoami /all"
reports for these users locally as well, without the sshd "filter". I
expect the issue at hand here is that one group for each user is the
primary group. My WAG is that "Test Users" is the primary group for
the user "test1". Off the top of my head, it's not clear how adding
the group to the '/etc/group' file changes things though.
--
Larry Hall http://www.rfk.com
RFK Partners, Inc. (508) 893-9779 - RFK Office
216 Dalton Rd. (508) 893-9889 - FAX
Holliston, MA 01746
##########################################################################
# Locally logged in user OFFICE\test1 #
##########################################################################
USER INFORMATION
----------------

User Name    SID
============ ==============================================
office\test1 S-1-5-21-4293257363-1756470469-1603820055-1125

GROUP INFORMATION
-----------------

Group Name                       Type             SID                                            Attributes
================================ ================ ============================================== ==================================================
Everyone                         Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators           Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                    Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization   Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
OFFICE\Test Users                Group            S-1-5-21-4293257363-1756470469-1603820055-1123 Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
##########################################################################
# Locally logged in user SM2WIN2003\local1 #
##########################################################################
USER INFORMATION
----------------

User Name         SID
================= ==============================================
sm2win2003\local1 S-1-5-21-3712540747-3723856708-2352634044-1009

GROUP INFORMATION
-----------------

Group Name                       Type             SID                                            Attributes
================================ ================ ============================================== ==================================================
Everyone                         Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization   Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name          Description              State
======================= ======================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
#####################################################################
# LOGIN AS LOCAL USER local1 #
#####################################################################
C:\>ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
[EMAIL PROTECTED] ~$ C:/windows/system32/whoami /all
USER INFORMATION
----------------

User Name         SID
================= ==============================================
sm2win2003\local1 S-1-5-21-3712540747-3723856708-2352634044-1009

GROUP INFORMATION
-----------------

Group Name                       Type             SID                                            Attributes
================================ ================ ============================================== ==================================================
Everyone                         Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization   Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name          Description              State
======================= ======================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
[EMAIL PROTECTED] ~
$ exit
logout
Connection to 192.168.3.54 closed.
#####################################################################
# LOGIN AS DOMAIN USER test1 (/etc/group has Test Users) #
#####################################################################
C:\>ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Last login: Wed Aug 30 11:43:21 2006 from 192.168.1.12
[EMAIL PROTECTED] ~$ c:/windows/system32/whoami /all
USER INFORMATION
----------------

User Name              SID
====================== ==============================================
sm2win2003\sshd_server S-1-5-21-4293257363-1756470469-1603820055-1125

GROUP INFORMATION
-----------------

Group Name                       Type             SID                                            Attributes
================================ ================ ============================================== ==================================================
Everyone                         Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE             Well-known group S-1-5-6                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators           Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeSecurityPrivilege             Manage auditing and security log          Enabled
SeBackupPrivilege               Back up files and directories             Enabled
SeRestorePrivilege              Restore files and directories             Enabled
SeSystemtimePrivilege           Change the system time                    Enabled
SeShutdownPrivilege             Shut down the system                      Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Enabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Enabled
SeDebugPrivilege                Debug programs                            Enabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Enabled
SeSystemProfilePrivilege        Profile system performance                Enabled
SeProfileSingleProcessPrivilege Profile single process                    Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Enabled
SeLoadDriverPrivilege           Load and unload device drivers            Enabled
SeCreatePagefilePrivilege       Create a pagefile                         Enabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Enabled
SeUndockPrivilege               Remove computer from docking station      Enabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Enabled
[EMAIL PROTECTED] ~
$ exit
logout
Connection to 192.168.3.54 closed.
#####################################################################
# LOGIN AS DOMAIN USER test1 (/etc/group doesn't have Test Users) #
#####################################################################
C:\Documents and Settings\asp1\Desktop>ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Last login: Wed Aug 30 13:05:37 2006 from 192.168.1.12
[EMAIL PROTECTED] ~
$ c:/windows/system32/whoami /all
USER INFORMATION
----------------

User Name    SID
============ ==============================================
office\test1 S-1-5-21-4293257363-1756470469-1603820055-1125

GROUP INFORMATION
-----------------

Group Name                       Type             SID                                            Attributes
================================ ================ ============================================== ==================================================
Everyone                         Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators           Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                    Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization   Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
OFFICE\Test Users                Group            S-1-5-21-4293257363-1756470469-1603820055-1123 Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
[EMAIL PROTECTED] ~
$ exit
logout
Connection to 192.168.3.54 closed.
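The comparison done by hand in this thread (direct logon versus ssh session, with the BAD case showing the user's own SID but sshd_server's name, group list and enabled privileges) is worth automating, because the difference is exactly what decides whether a domain user's ssh session carries the user's rights or the service account's. The following is an added example and is not code from this thread or from the Cygwin project: a small Python parser for `whoami /all` output that reads the column layout from the `====` ruler lines whoami prints under each table header, plus a comparison that lists every group and enabled privilege the ssh token has that the direct logon does not (and vice versa). The two sample reports are constructed, abridged excerpts modelled on the attachments above (same SIDs and names, fewer rows, blank lines and section underlines left out); the function names and the `NT AUTHORITY\SERVICE` check are assumptions of this example, not anything the thread states.

```python
# Added example: parse Windows "whoami /all" output and diff two logon sessions.
# Not from the Cygwin thread or project; the sample reports below are constructed.
import re
from dataclasses import dataclass, field


@dataclass
class WhoamiReport:
    user_name: str = ""
    user_sid: str = ""
    groups: dict = field(default_factory=dict)      # group name -> SID
    privileges: dict = field(default_factory=dict)  # privilege name -> "Enabled"/"Disabled"


def _column_starts(ruler):
    """Offset of each '=' run in the ruler line whoami prints under a table header."""
    return [m.start() for m in re.finditer(r"=+", ruler)]


def _split_row(line, starts):
    """Cut a row at the ruler's column starts; the last column runs to end of line."""
    return [line[s:(starts[i + 1] if i + 1 < len(starts) else None)].strip()
            for i, s in enumerate(starts)]


def parse_whoami_all(text):
    report, section, starts = WhoamiReport(), None, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:     # blank line or section underline
            continue
        if stripped.endswith("INFORMATION"):           # USER / GROUP / PRIVILEGES
            section, starts = stripped.split()[0], None
        elif stripped.startswith("="):                 # ruler: fixes the column layout
            starts = _column_starts(line)
        elif starts is None:                           # column header line before the ruler
            continue
        else:
            cells = _split_row(line, starts)
            if section == "USER" and len(cells) >= 2:
                report.user_name, report.user_sid = cells[0], cells[1]
            elif section == "GROUP" and len(cells) >= 3:
                report.groups[cells[0]] = cells[2]     # cells[1] is the group type
            elif section == "PRIVILEGES" and len(cells) >= 3:
                report.privileges[cells[0]] = cells[2]
    return report


def compare_reports(direct, remote):
    """List how the remote (ssh) token differs from the direct logon token."""
    findings = []
    if direct.user_sid != remote.user_sid:
        findings.append(f"user SID differs: {direct.user_sid} vs {remote.user_sid}")
    if direct.user_name.lower() != remote.user_name.lower():
        findings.append(f"user name differs: {direct.user_name} vs {remote.user_name}")
    for name in sorted(set(remote.groups) - set(direct.groups)):
        findings.append(f"extra group in remote token: {name} ({remote.groups[name]})")
    for name in sorted(set(direct.groups) - set(remote.groups)):
        findings.append(f"group missing from remote token: {name} ({direct.groups[name]})")
    for name, state in sorted(remote.privileges.items()):
        if state == "Enabled" and direct.privileges.get(name) != "Enabled":
            findings.append(f"privilege enabled remotely but not directly: {name}")
    return findings


def looks_like_service_token(report):
    """S-1-5-6 (NT AUTHORITY\\SERVICE) is the logon-type SID of a service, not of a user."""
    return "NT AUTHORITY\\SERVICE" in report.groups


# Constructed sample: abridged direct logon of OFFICE\test1, modelled on the attachment.
DIRECT_LOGON_TEST1 = r"""
USER INFORMATION
User Name    SID
============ ==============================================
office\test1 S-1-5-21-4293257363-1756470469-1603820055-1125
GROUP INFORMATION
Group Name                       Type              SID                                              Attributes
================================ ================= ================================================ ==========
Everyone                         Well-known group  S-1-1-0                                          Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators           Alias             S-1-5-32-544                                     Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                    Alias             S-1-5-32-545                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group  S-1-5-4                                          Mandatory group, Enabled by default, Enabled group
OFFICE\Test Users                Group             S-1-5-21-4293257363-1756470469-1603820055-1123   Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
Privilege Name           Description                    State
======================== ============================== ========
SeChangeNotifyPrivilege  Bypass traverse checking       Enabled
SeDebugPrivilege         Debug programs                 Disabled
SeBackupPrivilege        Back up files and directories  Disabled
"""
# Constructed sample: abridged ssh session of test1 in the BAD case (sshd_server's token).
SSH_LOGON_TEST1_BAD = r"""
USER INFORMATION
User Name              SID
====================== ==============================================
sm2win2003\sshd_server S-1-5-21-4293257363-1756470469-1603820055-1125
GROUP INFORMATION
Group Name                       Type              SID                                              Attributes
================================ ================= ================================================ ==========
Everyone                         Well-known group  S-1-1-0                                          Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE             Well-known group  S-1-5-6                                          Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators           Alias             S-1-5-32-544                                     Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias             S-1-5-32-545                                     Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
Privilege Name           Description                    State
======================== ============================== ========
SeChangeNotifyPrivilege  Bypass traverse checking       Enabled
SeDebugPrivilege         Debug programs                 Enabled
SeBackupPrivilege        Back up files and directories  Enabled
"""
```

To use it on a real host, save the output of `whoami /all` from a console logon and from an ssh session to two files, read both into `parse_whoami_all`, and print what `compare_reports` returns: an empty list means the ssh token carries the same identity, groups and enabled privileges as the interactive one, while the BAD case from this thread shows up as a name mismatch, an extra `NT AUTHORITY\SERVICE` group and a run of privileges that are enabled only in the ssh session. Reading the column boundaries from the ruler line rather than splitting on spaces is what makes the parser cope with names like `Well-known group` and `OFFICE\Test Users` that themselves contain spaces.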