This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: sshd authentication question


Good news. To check if the underlying problem is still
there, run your test program and see if the output of
"id" still lacks the global groups from time to time.
 
For the archives, here is yet another solution to be in
the local Admins group:
edit /etc/passwd and change the gid of the user to 544.
This has two possible drawbacks compared to what you did:
- /etc/passwd must be reedited each time it is regenerated
- Files will be created with gid 544, which may not be as desired.

Pierre

On Wed, Mar 24, 2004 at 01:40:38PM -0800, Matt Berney wrote:
> To follow up on this thread, I have added the 'Domain Administrator'
> to the local 'Administrators' group and the original problem with the
> ssh session not having 'admin privileges', went away....
> 
> Does this mean the problem was fixed?  Or that we aren't experiencing
> this 'intermittent symptom' today?  More extensive testing will be 
> required to make sure.
> 
> In the mean time, the 'Domain Admin' will be added to each server's 
> 'local Admin group' to work around this problem.
> 
> Thanks for everyone's comments.  They were helpful.
> 
> Matt Berney
> Software QA Engineer
> PolyServe, Inc.
> 
> 
> -----Original Message-----
> From: Matt Berney [mailto:mberney@polyserve.com]
> Sent: Thursday, March 18, 2004 4:39 PM
> To: Pierre A. Humblet; cygwin-get.89845@cygwin.com
> Cc: Matt Berney
> Subject: RE: sshd authentication question
> 
> 
> Interesting hypothesis.  This would explain alot.  I will add the 'Domain Administrator' to the local 'Administrators' group and see if that does the trick.
> 
> Thanks for all your help.
> 
> --Matt
> 
> 
> -----Original Message-----
> From: Pierre A. Humblet [mailto:pierre.humblet@ieee.org]
> Sent: Thursday, March 18, 2004 12:00 PM
> To: cygwin@cygwin.com
> Cc: Matt Berney
> Subject: Re: sshd authentication question
> 
> 
> On Thu, Mar 18, 2004 at 02:24:25PM -0500, Pierre A. Humblet wrote:
> > 
> > Here is another hypothesis. Cygwin gets the groups from a variety of
> > sources during setuid(). One of them is a call to NetUserGetGroups
> > to get the global groups from the logon server. 
> > Failure of that call does not call a failure of setuid, because it 
> > happens normally while running disconnected. So the problem could be
> > with your logon server or your LAN.
> > That hypothesis seems consistent with the outputs of your original
> > mail.
> > Fortunately there is a workaround: edit /etc/group and explicitly 
> > include the user in question in the groups that should contain him.
> 
> Looking back at your original mail, you report
> 
> *** Administrator on smoke3 ***
> 
> uid=10500(Administrator) gid=10513(Domain Users) groups=10512(Domain Admins),105
> 13(Domain Users),10519(Enterprise Admins),10520(Group Policy Creator Owners),105
> 18(Schema Admins),544(Administrators),545(Users)
> 
> When ssh works abnormally:
> 
>  *** Administrator on smoke3 *** 
> 
> uid=10500(Administrator) gid=10513(Domain Users) groups=10513(Domain Users),545(Users)
> 
> I assume you care mainly about group 544 membership. It looks like
> that membership derives from membership in one of the global groups
> 10512, 10519, 10520 and/or 10518. 
> If you care about all of them, include the user on the appropriate
> lines in /etc/group on the sshd machine. An alternative if you only
> care about 544 is to explicitly include 10500 as a member of the
> Administrators group in the Windows user manager on the sshd machine.
> The advantage is that you won't need to reedit /etc/group each time
> you regenerate it.
> 
> Pierre
> 
> 
> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Problem reports:       http://cygwin.com/problems.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/
> 

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]