> -----Original Message-----
> From: Schutter, Thomas A.
> Sent: Monday, May 12, 2008 9:52 AM
> To: 'cygwin@cygwin.com'
> Subject: Unable to run sshd under a domain sshd_server account
>
> I am having problems setting up sshd to run under a domain sshd_server
> account instead of a local sshd_server account.
>
> Why do I want to do that? Because in the default install, starting a
> cygwin shell from the console gives me a much different environment and
> permissions than if I start a cygwin shell via ssh. For example, from
> a console shell on the Windows 2003 Server:
>
> $ echo $USER
> tschutter
> $ echo $USERNAME
> tschutter
> $ echo $HOSTNAME
> fdsvbld01sgrape
> $ echo $USERDOMAIN
> FLOODDATA
> $ id
> uid=18718(tschutter) gid=10513(Domain Users)
> groups=544(Administrators),545(Users),10513(Domain Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)
> $ ls //other/f$
> Data RECYCLER System\ Volume\ Information
>
> But when I log in via ssh:
>
> $ echo $USER
> tschutter
> $ echo $USERNAME
> sshd_server
> $ echo $HOSTNAME
> fdsvbld01sgrape
> $ echo $USERDOMAIN
> FDSVBLD01SGRAPE
> $ id
> uid=18718(tschutter) gid=10513(Domain Users)
> groups=545(Users),10513(Domain Users)
> $ ls //other/f$
> ls: cannot access //other/f$: Permission denied
>
> The sshd server was set up using "ssh-host-config --yes". So it appears
> that when I log in via ssh, I am logged in as a local user, not a domain
> user. Also, when logged in via ssh, I am not in the Administrators,
> FDSV-GG-PrxBLD, and FDSV-GG-PrxPCAdmins groups. As a side note, I
> would think that USERNAME being set to sshd_server is a bug.
>
> It appears that the solution is to create a domain sshd_server account
> and run sshd as that user. So I created a domain account called
> "fdsv-sa-prx-sshdsrvr".
> I gave this account the required rights:
>
> $ editrights -a SeCreateTokenPrivilege -u fdsv-sa-prx-sshdsrvr
> $ editrights -a SeTcbPrivilege -u fdsv-sa-prx-sshdsrvr
> $ editrights -a SeDenyInteractiveLogonRight -u fdsv-sa-prx-sshdsrvr
> $ editrights -a SeDenyNetworkLogonRight -u fdsv-sa-prx-sshdsrvr
> $ editrights -a SeDenyRemoteInteractiveLogonRight -u fdsv-sa-prx-sshdsrvr
> $ editrights -a SeIncreaseQuotaPrivilege -u fdsv-sa-prx-sshdsrvr
> $ editrights -a SeServiceLogonRight -u fdsv-sa-prx-sshdsrvr
>
> I added fdsv-sa-prx-sshdsrvr to the local "Administrators" group.
>
> I changed the ownership of the /etc/ssh files and /var/empty:
>
> $ chown fdsv-sa-prx-sshdsrvr /etc/ssh* /var/empty
>
> I changed the log on account for the "CYGWIN sshd" service to the
> fdsv-sa-prx-sshdsrvr account.
>
> I then tried to start the service:
>
> $ net start sshd
> The CYGWIN sshd service is starting.
> The CYGWIN sshd service could not be started.
>
> The service did not report an error.
>
> More help is available by typing NET HELPMSG 3534.
>
> The application event log has this error message:
>
> The description for Event ID ( 0 ) in Source ( sshd ) cannot be
> found. The local computer may not have the necessary registry
> information or message DLL files to display messages from a remote
> computer. You may be able to use the /AUXSOURCE= flag to retrieve this
> description; see Help and Support for details. The following
> information is part of the event: sshd: PID 2068: service `sshd'
> failed: signal 11 raised.
>
> I have attached the output from "cygcheck -s -v -r" as
> grape-cygcheck.out.
>
> So where do I go from here? What am I missing?
First, I am sorry that I broke the original thread. I was not subscribed to
the list when I made the first post, so I was unable to reply to that thread.

I solved the problem. I had missed the /var/log files when changing ownership
to the new domain sshd_server account. The chown command above should be:

$ chown fdsv-sa-prx-sshdsrvr /etc/ssh* /var/empty /var/log/lastlog /var/log/sshd.log

Now the sshd server starts, and when I log in my id is correct, and I can
view shares:

$ echo $USERDOMAIN
FLOODDATA
$ id
uid=18718(tschutter) gid=10513(Domain Users)
groups=544(Administrators),545(Users),10513(Domain Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)
$ ls //other/f$
Data RECYCLER System\ Volume\ Information

Note that my USERNAME is still wrong:

$ echo $USERNAME
fdsv-sa-prx-sshdsrvr

Although this method of creating and using a domain sshd_server account is
not one of the recommended workarounds, it appears to work.

In the other thread, Larry Hall pointed me to the FAQ
http://cygwin.com/faq/faq-nochunks.html#faq.using.shares. One of the
suggestions was to "provide your password to a net use command". I was unable
to make that work, because "net use" never asks for my password:

$ net use \\other\f$
System error 67 has occurred.

The network name cannot be found.

As Larry Hall pointed out in the other thread, the cyglsa dll should solve
this problem and I look forward to trying it out when 1.7.x is available. I am
not ready to jump to snapshots at this time.

--
Tom Schutter
First American - Proxix Solutions
(512) 977-6822

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
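The thread above boils down to a two-part checklist before `net start sshd`: every file sshd must own has to belong to the service account (the poster's start-up died with signal 11 because /var/log/lastlog and /var/log/sshd.log were still owned by the old account), and the account needs the rights granted with editrights. The script below is an added example, not code from the thread or from Cygwin: a preflight check that reports any path not owned by the given account and any required right missing from `editrights -l -u ACCOUNT`. It assumes GNU stat (which Cygwin ships), that editrights prints one right name per line, and that newer Cygwin may print domain owners as DOMAIN+user; the account name and file list are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): preflight checks before
# starting Cygwin sshd under a domain service account.
#   1. every path sshd must own is present and owned by the service account
#      (the poster missed /var/log/lastlog and /var/log/sshd.log);
#   2. the account holds every right the thread grants with editrights.
# Assumptions: GNU stat; `editrights -l -u ACCOUNT` prints one right per
# line; newer Cygwin may report owners as DOMAIN+user.

# Rights granted to the service account in the thread.
REQUIRED_RIGHTS="SeCreateTokenPrivilege SeTcbPrivilege SeIncreaseQuotaPrivilege
SeServiceLogonRight SeDenyInteractiveLogonRight SeDenyNetworkLogonRight
SeDenyRemoteInteractiveLogonRight"

# owner_of PATH: owning user name of PATH, with any "DOMAIN+" prefix dropped
# so it compares equal to the bare account name used on the chown line.
owner_of() {
    o=$(stat -c %U -- "$1" 2>/dev/null) || return 1
    printf '%s\n' "${o##*+}"
}

# check_sshd_ownership ACCOUNT PATH...: print each PATH that is missing or not
# owned by ACCOUNT; exit status is the number of problems (0 = all good).
check_sshd_ownership() {
    account=$1; shift
    bad=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            printf 'MISSING     %s\n' "$p"
            bad=$((bad + 1))
        elif [ "$(owner_of "$p")" != "$account" ]; then
            printf 'WRONG OWNER %s (owned by %s)\n' "$p" "$(owner_of "$p")"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# missing_rights REQUIRED CURRENT: print every right in REQUIRED (whitespace
# separated) that does not appear as a whole line in CURRENT.
missing_rights() {
    for r in $1; do
        printf '%s\n' "$2" | grep -qx -- "$r" || printf '%s\n' "$r"
    done
}

# On a Cygwin host:  sh sshd-preflight.sh fdsv-sa-prx-sshdsrvr
# With no argument the script only defines the functions above.
if [ $# -gt 0 ]; then
    acct=$1
    # The paths the thread ends up chowning to the service account.
    set -- /etc/ssh* /var/empty /var/log/lastlog /var/log/sshd.log
    if check_sshd_ownership "$acct" "$@"; then
        echo "ownership OK"
    else
        echo "fix with: chown $acct <paths listed above>"
    fi
    for r in $(missing_rights "$REQUIRED_RIGHTS" "$(editrights -l -u "$acct")"); do
        echo "grant with: editrights -a $r -u $acct"
    done
fi
```

Run it as the administrator who will change the service's log-on account; if it prints nothing but "ownership OK" and no "grant with" lines, the two causes of failure seen in the thread are ruled out before the service is started.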