I got a chance to test the snapshot 2006-09-07. It does behave
differently, but still doesn't solve the problem. whoami now shows user
nt authority\system, whereas before the patch it showed sshd_server.
Both the snapshot and 1.5.21 show the correct SID for the domain user.
I also verified that if I add the user name explicitly to /etc/group for
each group it belongs to, other than the primary group, whoami reports
the correct domain user and access to network resources works properly.
Also, users that don't belong to any groups other than their primary
group (which seems to be Domain Users by default), don't exhibit this
problem (this is just a particular case of the previous statement).
Attached is the whoami output for the Windows 2003 computer running
1.5.21 plus the snapshot. If I can be of any help narrowing this down,
please let me know.
- Serban
From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
To: cygwin at cygwin dot com
Date: Thu, 31 Aug 2006 18:13:55 +0200
Subject: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami
sshd_server (password auth)
References: <[EMAIL PROTECTED]
<http://cygwin.com/ml/cygwin/2006-08/msg01056.html>
<http://cygwin.com/ml/cygwin/2006-08/msg01056.html>>
Reply-to: cygwin at cygwin dot com
On Aug 30 14:05, Serban Simu wrote:
So my questions would be:
(1) I did find a work around, but what is the explanation of this
problem and what is a good, solid work around?
After some debugging I found that the explanation is that sshd drops
all supplementary groups from the otherwise privileged user token. This
results in a minimized user token when calling initgroups, which
in turn calls NetUserGetGroups, which in turn returns "Access denied".
The solution is to drop back to the original process token before
calling NetUserGetGroups from initgroups. I've checked in a patch
which should be available in the next developers snapshot from
http://cygwin.com/snapshots/
A solid workaround if you're trying to get the same with the current
Cygwin: Add all users which want to log in this way to the gr_mem
field of the approrpiate groups in /etc/group. In your example case,
it would look like this:
Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:test1
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
--
- Serban Simu
Aspera Inc., Berkeley CA http://www.asperasoft.com
[EMAIL PROTECTED] (510) 849-2386
C:\aspera>ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Last login: Fri Sep 29 11:16:35 2006 from olp
[EMAIL PROTECTED] ~
$ c:/windows/system32/whoami.exe /all
USER INFORMATION
----------------
User Name SID
=================== ==============================================
nt authority\system S-1-5-21-4293257363-1756470469-1603820055-1107
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================ ================ ============
==================================================
Everyone Well-known group S-1-1-0 Mandatory group,
Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group,
Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group,
Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group,
Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group,
Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
======================= ======================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
