On May 13 11:09, Schutter, Thomas A. wrote:
> > -----Original Message-----
> > On May 12 18:29, Igor Peshansky wrote:
> > > On Mon, 12 May 2008, Schutter, Thomas A. wrote:
> > > Yes -- Windows does not understand user impersonation and does not allow
> > > real user switching.  So what sshd does is invoke processes with the
> > > appropriate token privileges for the user it's impersonating, while
> > > updating internal Cygwin data structures, but still running as
> > > sshd_server.  So Cygwin sees the right user (in its internal state), but
> > > Windows processes, of course, don't.
> >
> > That's not correct.  This problem cropped up on the list a lot already.
> > When not using password authentication, Cygwin has to create a user
> > token from scratch.  The resulting processes are running under a normal
> > user token with correctly set user and group ownership.
>
> Except that is not what I am seeing.  When I run "id" from a console
> cygwin shell:
> $ id
> uid=18718(tschutter) gid=10513(Domain Users)
> groups=544(Administrators),545(Users),10513(Domain Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)
>
> But when I run "id" from a ssh shell:
> $ id
> uid=18718(tschutter) gid=10513(Domain Users)
> groups=545(Users),10513(Domain Users)
>
> So when I am using pubkey authentication, the user token is not a member
> of the "Administrators", "FDSV-GG-PrxBLD", or "FDSV-GG-PrxPCAdmins"
> groups.

That wasn't what I was talking about.  I was just referring to the
assertion that Windows doesn't know about user impersonation or user
switching.

As for your user token, Cygwin tries to get information about the user
by asking the local machine what local and global groups the user is
a member of.  Some local groups are only in the user's group list because
one of the global groups is in turn a member of a local group, which is
probably the case for the Admin's group.

For some reason your local machine doesn't return any of the information
about the global domain groups your user is a member of.  Possible reasons
are that retrieving the PDC for the user's domain fails, or that the PDC
refuses to list the user's groups for some reason.  That's something you
would have to debug in your local installation.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
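
The lookup described in the reply above, modelled as an added example that is not part of the original message and is not Cygwin's code: it parses the two `id` outputs quoted in the thread and shows that losing the global-group lookup also drops a local group reached only through nesting. Which global group sits inside the local Administrators and Users groups is an assumption, as are all function and variable names.

```python
import re

# The two `id` outputs quoted in the thread, with mail line wraps rejoined.
CONSOLE_ID = ("uid=18718(tschutter) gid=10513(Domain Users) "
              "groups=544(Administrators),545(Users),10513(Domain Users),"
              "18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)")
SSH_ID = ("uid=18718(tschutter) gid=10513(Domain Users) "
          "groups=545(Users),10513(Domain Users)")

# ASSUMED layout (not stated in the thread): the primary group is always known,
# the other global groups come from the domain lookup, and each local group
# lists the global group nested inside it.
PRIMARY_GROUP = "Domain Users"
GLOBAL_GROUPS = {"Domain Users", "FDSV-GG-PrxBLD", "FDSV-GG-PrxPCAdmins"}
LOCAL_GROUP_MEMBERS = {
    "Users": {"Domain Users"},                  # assumed nesting
    "Administrators": {"FDSV-GG-PrxPCAdmins"},  # assumed nesting
}

def parse_id_groups(id_output):
    """Return the set of group names in the groups= field of `id` output."""
    field = re.search(r"groups=(.*)", id_output)
    if field is None:
        return set()
    # Names may contain spaces ("Domain Users"), so match up to the ")".
    return {name for _gid, name in re.findall(r"(\d+)\(([^)]*)\)", field.group(1))}

def effective_groups(global_lookup_ok):
    """Groups placed in the token: global groups, then local groups via nesting."""
    known = {PRIMARY_GROUP}
    if global_lookup_ok:
        known |= GLOBAL_GROUPS
    local = {g for g, members in LOCAL_GROUP_MEMBERS.items() if members & known}
    return known | local

def missing_groups(reference_id, observed_id):
    """Groups present in the reference session but absent from the observed one."""
    return parse_id_groups(reference_id) - parse_id_groups(observed_id)

if __name__ == "__main__":
    print("missing over ssh:", sorted(missing_groups(CONSOLE_ID, SSH_ID)))
    print("model, lookup ok:    ", sorted(effective_groups(True)))
    print("model, lookup failed:", sorted(effective_groups(False)))
```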