> -----Original Message-----
> On May 12 18:29, Igor Peshansky wrote:
> > On Mon, 12 May 2008, Schutter, Thomas A. wrote:
> > > -----Original Message-----
> > > From: Schutter, Thomas A.
> > > Sent: Monday, May 12, 2008 9:52 AM
> > > To: '[EMAIL PROTECTED]' <http://cygwin.com/acronyms/#PCYMTNQREAIYR>.
> > > Subject: Unable to run sshd under a domain sshd_server account
> > >
> > > I am having problems setting up sshd to run under a domain sshd_server
> > > account instead of a local sshd_server account.
> > > [snip]
> > > But when I login via ssh:
> > > $ echo $USER
> > > tschutter
> > > $ echo $USERNAME
> > > sshd_server
> >
> > Yes -- Windows does not understand user impersonation and does not allow
> > real user switching. So what sshd does is invoke processes with the
> > appropriate token privileges for the user it's impersonating, while
> > updating internal Cygwin data structures, but still running as
> > sshd_server. So Cygwin sees the right user (in its internal state), but
> > Windows processes, of course, don't.
>
> That's not correct. This problem cropped up on the list a lot already.
> When not using password authentication, Cygwin has to create a user
> token from scratch. The resulting processes are running under a normal
> user token with correctly set user and group ownership.
Except that is not what I am seeing. When I run "id" from a console Cygwin shell:

$ id
uid=18718(tschutter) gid=10513(Domain Users) groups=544(Administrators),545(Users),10513(Domain Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)

But when I run "id" from an ssh shell:

$ id
uid=18718(tschutter) gid=10513(Domain Users) groups=545(Users),10513(Domain Users)

So when I am using pubkey authentication, the user token is not a member of the "Administrators", "FDSV-GG-PrxBLD", or "FDSV-GG-PrxPCAdmins" groups.

> What's missing
> is a logon session for this user because only an LSA authentication
> module can do that. As a result, the processes of the new user are
> running in the logon session of the user running sshd. And here's the
> problem. For some reason, the appropriate Windows functions like
> LookupAccountSid identify the user token's user SID incorrectly as the
> user who's owning the logon session. And that's all: The connection
> SID <-> Username is broken. The token itself is ok. Usually that's
> not a big deal, except that some Windows applications stumble over that,
> like some Visual Studio stuff.
> The way to fix this is to use a special LSA authentication module which
> will be available with the next major release of Cygwin.
>
> Corinna

--
Tom Schutter
First American - Proxix Solutions
(512) 977-6822
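As an added example, not from the thread and not Cygwin's own code: a POSIX shell script that parses two `id` lines like the ones quoted above and lists the groups that the token built for the ssh login lacks compared with the console token. The two sample lines are constructed from the values in the message, and the function names `id_groups`, `missing_groups` and `has_group` are chosen here.

```sh
#!/bin/sh
# Added example, not part of the thread: parse the output of `id` captured in
# a console Cygwin shell and in an ssh session, and report which groups the
# token built for the ssh login is missing. The two lines below are
# constructed from the values quoted in the thread; on a real host, capture
# them with `id` in each context instead.
LC_ALL=C
export LC_ALL

CONSOLE_ID='uid=18718(tschutter) gid=10513(Domain Users) groups=544(Administrators),545(Users),10513(Domain Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)'
SSH_ID='uid=18718(tschutter) gid=10513(Domain Users) groups=545(Users),10513(Domain Users)'

# Print the group names from one `id` line, one per line, sorted.
# "544(Administrators)" becomes "Administrators"; names may contain spaces.
id_groups() {
  printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' \
    | sed 's/^[0-9]*(\(.*\))$/\1/' | sort
}

# Print the groups present in the first `id` line but absent from the second.
missing_groups() {
  tmp=$(mktemp) || return 1
  id_groups "$2" > "$tmp"
  # grep exits 1 when nothing is missing; that is the good case, so mask it.
  id_groups "$1" | grep -Fxv -f "$tmp" || true
  rm -f "$tmp"
}

# Return 0 if the given `id` line lists the named group, 1 otherwise.
has_group() {
  id_groups "$1" | grep -Fxq -- "$2"
}

# Usage: show what the ssh logon token lost relative to the console token,
# and flag the membership that matters most for an sshd_server setup.
missing_groups "$CONSOLE_ID" "$SSH_ID"
if has_group "$CONSOLE_ID" Administrators && ! has_group "$SSH_ID" Administrators; then
  echo 'ssh token lacks Administrators membership'
fi
```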