This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
- From: Charles Wilson <cygwin at cwilson dot fastmail dot fm>
- To: cygwin at cygwin dot com
- Date: Sat, 19 Jul 2008 12:51:43 -0400
- Subject: Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])
- References: <3B3EFBD49B94AD4DBB7B7097257A8046DD020D@FDSVAST06SXCH01.flooddata.net> <Pine.GSO.4.63.0805121820090.11953@access1.cims.nyu.edu> <20080513073720.GA22193@calimero.vinschen.de> <3B3EFBD49B94AD4DBB7B7097257A8046DD02FC@FDSVAST06SXCH01.flooddata.net> <20080616210105.GI731@calimero.vinschen.de> <20080616211352.GK731@calimero.vinschen.de>
Corinna Vinschen wrote:
> Oh, btw., Charles, that's one for you.
>
> On Jun 16 23:01, Corinna Vinschen wrote:
>> On May 13 11:09, Schutter, Thomas A. wrote:
>>> The problem was that the domain sshd_server account has no right to
>>> access the domain controller from the network. Solution: Open the Local
>>> Security Policy of the DC and look for the User Right "Deny access to
>>> this computer from the network". You'll find your sshd_server user in
>>> there. Remove it from this user right. Try again:
>>
>> This user right shouldn't be set anymore in the
>> csih/cygwin-service-installation-helper.sh script. Patch follows:
>>
>> * Don't disallow network logon for service user account.
Here's the patch I applied, for csih-0.1.5:
--
Chuck
diff -u -r1.7 -r1.8
--- cygwin-service-installation-helper.sh 14 Apr 2008 18:36:05 -0000 1.7
+++ cygwin-service-installation-helper.sh 19 Jul 2008 16:40:31 -0000 1.8
@@ -1636,14 +1636,13 @@
# user not in Administrators group
return 1
else
- editrights -l -u "${user}" | fgrep SeAssignPrimaryTokenPrivilege >/dev/null 2>&1 &&
- editrights -l -u "${user}" | fgrep SeCreateTokenPrivilege >/dev/null 2>&1 &&
- editrights -l -u "${user}" | fgrep SeTcbPrivilege >/dev/null 2>&1 &&
- editrights -l -u "${user}" | fgrep SeDenyInteractiveLogonRight >/dev/null 2>&1 &&
- editrights -l -u "${user}" | fgrep SeDenyNetworkLogonRight >/dev/null 2>&1 &&
- editrights -l -u "${user}" | fgrep SeDenyRemoteInteractiveLogonRight >/dev/null 2>&1 &&
- editrights -l -u "${user}" | fgrep SeIncreaseQuotaPrivilege >/dev/null 2>&1 &&
- editrights -l -u "${user}" | fgrep SeServiceLogonRight >/dev/null 2>&1
+ editrights -u "${user}" -t SeAssignPrimaryTokenPrivilege >/dev/null 2>&1 &&
+ editrights -u "${user}" -t SeCreateTokenPrivilege >/dev/null 2>&1 &&
+ editrights -u "${user}" -t SeTcbPrivilege >/dev/null 2>&1 &&
+ editrights -u "${user}" -t SeDenyInteractiveLogonRight >/dev/null 2>&1 &&
+ editrights -u "${user}" -t SeDenyRemoteInteractiveLogonRight >/dev/null 2>&1 &&
+ editrights -u "${user}" -t SeIncreaseQuotaPrivilege >/dev/null 2>&1 &&
+ editrights -u "${user}" -t SeServiceLogonRight >/dev/null 2>&1
return # status of previous command-list
fi
fi
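Review bot: The privilege check in this else branch no longer looks at SeDenyNetworkLogonRight at all, so an account set up by an earlier csih, where the line `editrights -a SeDenyNetworkLogonRight -u ${username}` removed in the second hunk still ran, passes this check while keeping the deny right that caused the domain logon failure discussed in this thread. Consider adding an inverted test such as `editrights -u "${user}" -t SeDenyNetworkLogonRight` and warning, or treating the account as not correctly configured, when it succeeds. Separately, the switch from `-l ... | fgrep` to `-t` changes how every right is tested and is not covered by the ChangeLog line quoted above; it deserves its own entry.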
@@ -2106,7 +2105,6 @@
editrights -a SeCreateTokenPrivilege -u ${username} &&
editrights -a SeTcbPrivilege -u ${username} &&
editrights -a SeDenyInteractiveLogonRight -u ${username} &&
- editrights -a SeDenyNetworkLogonRight -u ${username} &&
editrights -a SeDenyRemoteInteractiveLogonRight -u ${username} &&
editrights -a SeIncreaseQuotaPrivilege -u ${username} &&
editrights -a SeServiceLogonRight -u ${username} &&
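Review bot: Dropping the `SeDenyNetworkLogonRight` line from this `editrights -a` chain leaves nothing in the script to say why that deny right is absent for an account that still receives SeCreateTokenPrivilege and SeTcbPrivilege, so a later cleanup could easily put it back. Add a short comment above the chain stating that network logon has to stay allowed for a domain service account to reach the domain controller. Also, `${username}` is unquoted in every line of this chain while the first hunk quotes `"${user}"`; quoting it here would keep the two code paths consistent.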