This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.


Re: NTsec permissions issue over inet


YIKES!!!!!  There it is, and right there in the users guide no less....
not only that, but in a section I've actually read a number of
times!!!!!.....  Well, that does explain almost everything that is going on
(though it seems to have gotten even tighter since the 1.3.12 release
that allows me to access net drives if I specify a passwd during rlogin (as
mentioned below)).  The perl script is actually running as a service, as a
user with net access rights.
I hate to ask this without looking at the inetd/xinetd code first, but is
there any chance that context switching will be "fixed" to allow net access
too someday?  Or is there an easy way to rebuild inetd in such a way that I
could run it as a network user (rather than SYSTEM) and allow it to
interact with net drives directly? (I've tried this, but without much
luck.) If I may be so impertinent, this seems somewhat un-UNIX-like
behavior. I was VERY close to unifying our maintenance and process scripts
for all of our Unix and Windows machines using cygwin, but since virtually
every process we use in house is accessed via an nfs or smb network link
(at times upwards of 3000 mounts at a time)....  We currently control 2400
various Unix boxes with rsh/rlogin, and given the robustness of cygwin
currently, about the only thing keeping us from adding the 700 (and
climbing) Windows boxes to this is this issue.

If anyone has any suggestions (aside from "move over to Linux" or
"convert everything to Windows") I'd really appreciate it.  In any case,
thanks, Igor, for the time spent already.

Bruce D.


----- Original Message ----- 
From: "Igor Pechtchanski" <pechtcha@cs.nyu.edu>
To: "Bruce Dobrin" <dobrin@imageworks.com>
Cc: <cygwin@cygwin.com>
Sent: Monday, June 02, 2003 5:24 PM
Subject: Re: NTsec permissions issue over inet


> Umm, Bruce, you aren't trying to access network shares from a session you
> did with passwordless authentication, are you?  Because if you are, it's
> not going to work (see
> <http://cygwin.com/cygwin-ug-net/ntsec.html#NTSEC-RELEASE1.3.3>).
>
> I've also found that even if you log in through telnet or ssh, you
> sometimes need to issue an explicit "net use" command to get access to
> network shares...  Try that, and see if it helps.
>
> I'm guessing the perl script runs as yourself from a session that
> already accessed the share...
> Igor
>
> On Mon, 2 Jun 2003, Bruce Dobrin wrote:
>
> > I tried executing the command via a socket directly: by assigning a script
> > via inet.conf, it still gave me permission denied.  I turned off
> > inetd/xinetd and hacked together a server with perl to exec the same script
> > and it had no permission problems.  It looks like a problem common to inetd
> > and xinetd but not cygwin specifically:
> >
> > EXAMPLE:
> >
> > ######(socket 1824 defined in inetd.conf and /etc/services file)
> >
> > dobrin@THEODOLITE:/home/dobrin>telnet castro 1824
> > responds:
> > pwd
> > /c/WINNT/system32
> > ls -al //matilda/setup
> > ls: //matilda/setup: No such file or directory
> > /c/WINNT/system32/dfscmd.exe /view \\\\dfsmaster\\dfsshare > poop
> > cat poop
> > System error 1355 has occurred.
> > The specified domain either does not exist or could not be contacted.
> >
> > #######( perl script listening on socket 2345 )
> >
> > dobrin@THEODOLITE:/home/dobrin>telnet castro 2345
> > responds:
> > pwd
> > /home/dobrin
> > ls -al //matilda/setup
> > drwxrwxrwx+   1 Administ Domain A    32768 May 30 18:45 .
> > drwxrwxrwx+   1 Administ Domain A        0 May  8 14:07 2ksrv_image
> > drwxrwxrwx+   1 Administ Domain A        0 Feb 27 20:55 3dmaxupdate
> > drwxrwxrwx+   1 Administ Domain A        0 Mar 26 11:08 ACDSee
> > .........
> > /c/WINNT/system32/dfscmd.exe /view \\\\dfsmaster\\dfsshare > poop
> > cat poop
> > \\DFSMASTER\dfsroot
> > \\DFSMASTER\dfsroot\shots\vol780
> > \\DFSMASTER\dfsroot\pipe\usr_pasquini\trash
> > The command completed successfully.
> >
> >
> >  ----- Original Message -----
> > From: "Bruce Dobrin" <dobrin@imageworks.com>
> > To: "Banville, Stephen" <Stephen.Banville@sycamorenet.com>;
> > <cygwin@cygwin.com>
> > Sent: Monday, June 02, 2003 12:37 PM
> > Subject: Re: NTsec permissions issue over inet
> >
> >
> > > hmmm, still experimenting: thought it might have something to do with
> > > inetd and mounts, but I also tried rlogin to <localhost> which is
> > > running init and xinetd and issuing a dfscmd:
> > >
> > > dobrin@THEODOLITE:/home/dobrin> dfscmd /view \\\\dfsmaster\\dfsshare
> > > \\DFSMASTER\dfsroot
> > > \\DFSMASTER\dfsroot\shots\vol780
> > > \\DFSMASTER\dfsroot\pipe\usr_pasquini\trash
> > > The command completed successfully.
> > > dobrin@THEODOLITE:/home/dobrin> rsh localhost
> > > Last login: Mon Jun  2 12:30:41 from THEODOLITE.spimageworks.com
> > > Fanfare!!!
> > > You are successfully logged in to this server!!!
> > > dobrin@THEODOLITE:/home/dobrin> dfscmd /view \\\\dfsmaster\\dfsshare
> > > System error 5 has occurred.
> > >
> > > Access is denied.
> > >
> > > ::::   still confused...
> > >
> > >
> > > ----- Original Message -----
> > > From: "Banville, Stephen" <Stephen.Banville@sycamorenet.com>
> > > To: <cygwin@cygwin.com>; "Stephen Banville" <sbanville@attbi.com>
> > > Cc: "'Bruce Dobrin'" <dobrin@imageworks.com>; "Banville, Stephen"
> > > <Stephen.Banville@sycamorenet.com>
> > > Sent: Monday, June 02, 2003 5:32 AM
> > > Subject: RE: NTsec permissions issue over inet
> > >
> > > > Igor,
> > > > I tried setting smbntsec and it did not work. With older versions I
> > > > used to just set ntsec, make the passwd and group files, and
> > > > everything would just work the way I would expect. Something has
> > > > changed in the way cygwin handles NT security. I am running a
> > > > generic version of Windows 2000 with no third party filesys drivers.
> > > > I don't believe that it's a problem with my configuration because
> > > > older versions of Cygwin have worked just fine. As of now all
> > > > suggestions have not been successful. It sounds like a new bug has
> > > > been introduced surrounding NT security.
> > > >
> > > > Steve
> > > >
> > > > -----Original Message-----
> > > > From: Igor Pechtchanski [mailto:pechtcha@cs.nyu.edu]
> > > > Sent: Sunday, June 01, 2003 7:30 PM
> > > > To: Stephen Banville
> > > > Cc: 'Bruce Dobrin'; cygwin@cygwin.com; stephen.banville@sycamorenet.com
> > > > Subject: RE: NTsec permissions issue over inet
> > > >
> > > >
> > > > Steve,
> > > >
> > > > On Windows, if you use the Windows sharing mechanism (instead of a
> > > > proprietary filesystem driver), your shares are SMB shares (which stands
> > > > for Server Message Block, IIRC).  The 'smbntsec' option is designed for
> > > > those kinds of shares.  If you do have a proprietary filesystem driver,
> > > > Cygwin most likely doesn't have any support for recognizing the security
> > > > attributes on that.  <http://cygwin.com/acronyms/#PTC>.  It's also
> > > > possible that the filesystem driver that you have is partly compatible
> > > > with the NTFS or SMB security, and some addition to the Cygwin codebase
> > > > to deal better with one or the other has accesses to features that
> > > > aren't available on your filesystem, so it stopped working.
> > > >
> > > > Your login problem has nothing to do with the above.  Unlike Linux, where
> > > > anyone can run "su" or "login", Windows NT variants require the user to
> > > > have extra privileges to be able to switch user context (create an access
> > > > token belonging to someone else).
> > > > <http://cygwin.com/cygwin-ug-net/ntsec.html#NTSEC-SETUID> should explain
> > > > this somewhat.
> > > > Igor
> > > >
> > > > On Sun, 1 Jun 2003, Stephen Banville wrote:
> > > >
> > > > > Hi Bruce,
> > > > >
> > > > >         The reason I don't have smbntsec set is because the remote
> > > > > volumes are not Samba Shares. The interesting thing here is that when
> > > > > I ran an older version of Cygwin, this functionality would work just
> > > > > fine.
> > > > > I also tried the passwd trick (which didn't work as well.) I can't
> > > > > imagine what the problem could be ? At this time I am running out of
> > > > > ideas. My only hope at this time would be to enable some sort of a
> > > > > debug trace to see what component is actually failing during the login.
> > > > > Another interesting point to mention is that when I run the 'login'
> > > > > command within the shell, I cannot log in under my user name defined
> > > > > in the /etc/passwd file. Any ideas why this would ? This could somehow
> > > > > be related to my problem.
> > > > >
> > > > > Any help would be welcomed!!
> > > > >
> > > > > Steve
> > > > >
> > > > > -----Original Message-----
> > > > > From: cygwin-owner@cygwin.com [mailto:cygwin-owner@cygwin.com] On Behalf
> > > > > Of Bruce Dobrin
> > > > > Sent: Friday, May 30, 2003 8:20 PM
> > > > > To: cygwin@cygwin.com
> > > > > Subject: Re: NTsec permissions issue over inet
> > > > >
> > > > > OK, further testing, I can't get the below rlogin "trick" to work on
> > > > > a 1.3.22 machine, the one it worked on is actually a 1.3.12 machine.
> > > > > so, with 1.3.12 I can get it to work by forcing a password entry, but
> > > > > this appears not to work with a 1.3.22 machine........
> > > > > continuing more confused than ever...
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Bruce Dobrin" <dobrin@imageworks.com>
> > > > > To: <cygwin@cygwin.com>
> > > > > Sent: Friday, May 30, 2003 4:46 PM
> > > > > Subject: Re: NTsec permissions issue over inet
> > > > >
> > > > >
> > > > > > Sorry, On re-reading that, it's not as clear as it could be, the
> > > > > > example used in the previous e-mail ( below) was on a later
> > > > > > version of cygwin, it is not the 1.3.2 machine referred to
> > > > > > earlier in the message.
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Bruce Dobrin" <dobrin@imageworks.com>
> > > > > > To: <cygwin@cygwin.com>
> > > > > > Cc: <cygwin@cygwin.com>
> > > > > > Sent: Friday, May 30, 2003 4:37 PM
> > > > > > Subject: Re: NTsec permissions issue over inet
> > > > > >
> > > > > >
> > > > > > > Thanks for responding Larry,
> > > > > > >
> > > > > > > I actually had tried most permutations of (no)ntsec,
> > > > > > > (no)smbntsec, (no)ntea, etc... and on other machines that
> > > > > > > didn't have weird path or passwd entries. -- no dice
> > > > > > >
> > > > > > > I think I may have a good hint as to what is going on, but
> > > > > > > I'll need someone who knows the system better than I to figure
> > > > > > > out the solution.
> > > > > > >
> > > > > > > By the way I have around 300 machines here, and I found one
> > > > > > > which is running cygwin1.3.2 and which works fine.  This leads
> > > > > > > me to think that it is something to do with the hosts.equiv
> > > > > > > functionality which I believe was non functional before at
> > > > > > > 1.3.2 ( at least I didn't use it here).  I found machine that
> > > > > > > if I : forced the user to use a password and I set some
> > > > > > > permutations of the permissions...  it then works:  example:
> > > > > > >
> > > > > > > dobrin@THEODOLITE:/home/dobrin> rsh gable3
> > > > > > > Fanfare!!!
> > > > > > > ..........
> > > > > > > dobrin@GABLE3:/home/dobrin> echo $CYGWIN
> > > > > > > ntea nontsec smbntsec
> > > > > > > dobrin@GABLE3:/home/dobrin> cd //matilda/dist
> > > > > > > //matilda/dist: Permission denied.
> > > > > > >
> > > > > > > BUT,  If I force a passwd entry:
> > > > > > >
> > > > > > > dobrin@THEODOLITE:/home/dobrin> rsh gable3 -l poo
> > > > > > > Password:
> > > > > > > Login incorrect
> > > > > > > login: dobrin
> > > > > > > Password:
> > > > > > > Fanfare!!!
> > > > > > > ...........
> > > > > > > dobrin@GABLE3:/home/dobrin> echo $CYGWIN
> > > > > > > ntea nontsec smbntsec
> > > > > > > dobrin@GABLE3:/home/dobrin> cd //matilda/dist
> > > > > > > dobrin@GABLE3:/matilda/dist>
> > > > > > >
> > > > > > >
> > > > > > > Unfortunately I don't really think of this as a good solution,
> > > > > > > and it doesn't appear to work with my default $CYGWIN setup.
> > > > > > > Does this help at all?
> > > > > > > Thanks,
> > > > > > > Bruce
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > From: "Larry Hall" <cygwin@cygwin.com>
> > > > > > > To: "Bruce Dobrin" <dobrin@imageworks.com>
> > > > > > > Cc: <cygwin@cygwin.com>
> > > > > > > Sent: Thursday, May 29, 2003 7:14 PM
> > > > > > > Subject: Re: NTsec permissions issue over inet
> > > > > > >
> > > > > > >
> > > > > > > > Bruce Dobrin wrote:
> > > > > > > > > > Here are the Cygcheck and Group files. I'll include
> > > > > > > > > > my (typical) passwd entry as we have a (legitimate)
> > > > > > > > > policy against publishing our login id's ( I know it
> > > > > > > > > doesn't include encrypted passwd's, but with 650 entries,
> > > > > > > > > but I'd like to reduce the fodder for someone's foreach
> > > > > > > > > loop thru a cracking program).
> > > > > > > > >
> > > > > > > > > representative passwd entries:
> > > > > > > > >
> > > > > > > > > SYSTEM:*:18:544:,S-1-5-18::
> > > > > > > > > Administrators:*:544:544:,S-1-5-32-544::
> > > > > > > > >
> > > > > > > > > > dobrin:unused_by_nt/2000/xp:11014:10512:Brucester,U-PRODUCTION\dobrin,S-1-5-21-501104424-1911818820-14498641-1014:/home/dobrin:/bin/bash
> > > > > > > > >
> > > > > > > > > Thanks
> > > > > > > > > Bruce Dobrin
> > > > > > > >
> > > > > > > >
> > > > > > > > > Partial passwd entries are fine.  What you provided is adequate.
> > > > > > > >
> > > > > > > > The basics look OK.  I find two things in common between
> > > > > > > > your information and Steve's:
> > > > > > > >
> > > > > > > > >    1. You both appear to have a strange entry in your path.  I'm
> > > > > > > > >       not sure if it's some weird artifact of cygcheck or if it's
> > > > > > > > >       actually in the path.  In yours, you have a directory that
> > > > > > > > >       looks like this:
> > > > > > > > >
> > > > > > > > >       "c
> > > > > > > > >       C:\cygwin\program_files\diskaccess\bin"
> > > > > > > > >
> > > > > > > > >       Steve's is just "c".
> > > > > > > > >
> > > > > > > > >    2. You both have a carriage return as the last character in
> > > > > > > > >       either your passwd or group files.
> > > > > > > >
> > > > > > > > > Neither of these is clearly related to this issue but
> > > > > > > > > should be investigated and cleaned up.  Also, neither of you
> > > > > > > > > set 'smbntsec' in your CYGWIN environment variable (before
> > > > > > > > > starting Cygwin or any of its services).  Please do, just
> > > > > > > > > so we can rule this out as an issue. Also, since you both
> > > > > > > > > claim that this used to work, please try removing 'ntsec'
> > > > > > > > > and 'smbntsec' and/or adding 'nontsec' to your CYGWIN
> > > > > > > > > environment variable (before starting Cygwin or any of its
> > > > > > > > > services).  This should help pinpoint whether turning
> > > > > > > > > 'ntsec' on by default in recent releases has any bearing.
>
> -- 
> http://cs.nyu.edu/~pechtcha/
>       |\      _,,,---,,_ pechtcha@cs.nyu.edu
> ZZZzz /,`.-'`'    -.  ;-;;,_ igor@watson.ibm.com
>      |,4-  ) )-,_. ,\ (  `'-' Igor Pechtchanski
>     '---''(_/--'  `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!
>
> "I have since come to realize that being between your mentor and his route
> to the bathroom is a major career booster."  -- Patrick Naughton
>
>
> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Problem reports:       http://cygwin.com/problems.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/
>
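
As an added example (not part of the thread and not Cygwin code), the following Python audits passwd text in the format quoted above: it flags the stray carriage return Larry Hall mentions and any entry whose gecos field carries no SID. The sample entries, the EXAMPLE domain and the name `audit_passwd` are constructed for illustration.

```python
import re

# A Windows SID in string form: S-1-<authority>-<subauthority>[-...]
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

def audit_passwd(text):
    """Parse Cygwin-style passwd text; return (entries, findings)."""
    entries, findings = [], []
    # Split on LF only, so a stray carriage return stays visible.
    for lineno, raw in enumerate(text.split("\n"), 1):
        if raw == "":
            continue
        if "\r" in raw:
            findings.append((lineno, "carriage return in line"))
        fields = raw.replace("\r", "").split(":")
        if len(fields) != 7:
            findings.append((lineno, f"expected 7 fields, got {len(fields)}"))
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((lineno, f"{name}: non-numeric uid or gid"))
        # gecos is comma-separated: free text, U-DOMAIN\user, SID
        parts = gecos.split(",")
        win = next((p[2:] for p in parts if p.startswith("U-")), None)
        match = SID_RE.search(gecos)
        if match is None:
            findings.append((lineno, f"{name}: no SID in gecos field"))
        entries.append({"name": name, "uid": uid, "gid": gid,
                        "windows_account": win,
                        "sid": match.group(0) if match else None,
                        "home": home, "shell": shell})
    return entries, findings

# Constructed sample input (not taken from any real system).
SAMPLE = (
    "SYSTEM:*:18:544:,S-1-5-18::\n"
    "alice:unused_by_nt/2000/xp:11001:10513:Alice,U-EXAMPLE\\alice,"
    "S-1-5-21-1111111111-2222222222-3333333333-1001:/home/alice:/bin/bash\n"
    "bob:unused_by_nt/2000/xp:11002:10513:Bob:/home/bob:/bin/bash\r\n"
)

if __name__ == "__main__":
    parsed, problems = audit_passwd(SAMPLE)
    for entry in parsed:
        print(entry["name"], entry["windows_account"], entry["sid"])
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
```
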

