sshd on WinXP machine in Win2003 Domain -- can't log in
Mike Hanby
flakrat@swbell.net
Wed Mar 31 01:47:00 GMT 2004
Problem solved, w00t
Here's the odd thing, I had set the appropriate policies on the domain
controller (or at least I thought I had), however when I ran:
secpol.msc on my XP system (the machine that I want to SSH into), only "Log
on as Service" policy was propagated from the domain controller.
So, I tried to run: dompol.msc
I got a Windows Error claiming that I didn't have permissions (even though I
was logged in as Administrator), turns out this is a known issue on Windows
2003 (maybe 2000 also)
I launched dompol.msc via the shortcut at Administrator Tools and clicked
"Domain Security Policy"
Just as I saw in the secpol.msc on the XP box, the only policy the sshd_user
had was "Log on as Service"
I added him to:
"Adjust memory quotas for a process"
"Create a token object"
"Deny log on locally"
"Log on as a service"
"Replace a process level token"
I then went back to the XP machine and ran from the command prompt:
C:\> gpupdate
I then checked secpol.msc and now all of the policies for sshd_user have
propagated over.
Now it works.
Before I thought I'd done the same thing, but I must have modified the
policies using the wrong tool...?
Thanks for all the help.
Mike
"Yuen Wing Seung" <wsyuen@cluster-tech.com> wrote in message
news:4063F2E0.4060105@cluster-tech.com...
> I also got the same problem. but I am work for the Administrator.
> which is a local user. Others Domain users got the Permission
> Denied after checking the password.
>
> All others Domain Users can open the CYGWIN bash shell properly
> on the Window console, however ssh to the server is not work.
>
>
> MIke Hanby wrote:
> > crum, nope, can't maintain the connection with a local user either.
> > I get the same Permission Denied after logging in.
> >
> > All of this worked before I joined this machine to the Windows 2003 Active
> > Directory domain, so it's got to be related, but beyond setting those Local
> > Policies on the Domain controller, I don't know what else to try.
> >
> > "Igor Pechtchanski" <pechtcha@cs.nyu.edu> wrote in message
> > news:Pine.GSO.4.56.0403212327080.26885@slinky.cs.nyu.edu...
> > Hmm, really weird... I'm officially out of ideas. Does it work if you
> > try to log in as a local user (i.e., not a domain one)?
> >
> > As for /dev, see <http://cygwin.com/ml/cygwin/2004-03/msg01009.html>.
> > HTH,
> > Igor
> >
> > On Sun, 21 Mar 2004, MIke Hanby wrote:
> >
> >
> >>stupid Symantec products, thanks for pointing that out
> >>my home directory is physically located in:
> >> C:\Documents and Settings\joeshmo.WIN2003DOMAIN
> >>I've created a link for /home to point to /cygdrive/c/Docume~1
> > >> lrwxrwxrwx 1 11107 10513 111 Mar 20 15:59 /home -> /cygdrive/c/Docume~1/
> > >>I've created another link to make my home directory more user friendly
> > >> lrwxrwxrwx 1 11107 10513 114 Mar 18 00:58 /home/joeshmo -> ./joeshmo.WIN2003DOMAIN/
> > >>User ID 11107 is the id for joeshmo in the /etc/passwd file
> > >> joeshmo:unused_by_nt/2000/xp:11107:10513:Joe Shmo,U-WIN2003DOMAIN\joeshmo,S-1-5-21-2516459027-1883439143-603107090-1107:/home/joeshmo:/bin/bash
> >
> >>Now, one thing I've noticed in the -v -v output of the ssh client:
> >> SSH_TTY=/dev/tty1
> >>/bin/bash: Permission denied
> >>
> >>/dev doesn't exist, is this a problem?
> >>
> >>Thanks,
> >>Mike
> >>
> >>"Igor Pechtchanski" <pechtcha@cs.nyu.edu> wrote in message
> >>news:Pine.GSO.4.56.0403212114010.26885@slinky.cs.nyu.edu...
> >>Mike,
> >>
> > >>Thanks. First off (unrelated, but annoying): Norton Ghost screwed up your
> > >>path -- you should remove the quotes around
> >>"C:\Program Files\Symantec\Norton Ghost 2003\" in the PATH variable.
> >>Other than that, everything in your cygcheck output seems in order. The
> > >>only other thing I can think of at the moment is: is the home directory of
> > >>joeshmo readable by that user? Can you please run "ls -ln" on joeshmo's
> >>home directory? Oh, and do you realize that what sshd thinks the home
> >>directory is and what $HOME is set to don't match?
> >>Igor
> >>
> >>On Sun, 21 Mar 2004, MIke Hanby wrote:
> >>
> >>
> >>>Ok, here's the version information:
> > >>> Cygwin: CYGWIN_NT-5.1 xphost 1.5.8(0.112/4/2) 2004-03-16 00:19 i686 unknown unknown Cygwin
> > >>> ssh: OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
> > >>> sshd: sshd version OpenSSH_3.8p1, OpenSSL 0.9.7c 30 Sep 2003
> >>> OS running sshd: Windows XP Pro
> >>> Domain Controller OS: Windows 2003 Server
> >>>
> >>>I started sshd service with the "-d -d" double verbose debug output
> >>>and ssh client with "-v -v" double verbose output.
> >>>
> >>>I've attached the ssh client, sshd service and cygcheck.out log files.
> >>>I tried adding +rx to directory /bin, got the same "Permission Denied"
> >>>error.
> >>>I'm not putting the output in the message as it's quite long.
> >>>
> >>>Thanks for any help,
> >>>
> >>>Mike
> >>>
> >>>
> >>>Igor Pechtchanski wrote:
> >>>On Sun, 21 Mar 2004, MIke Hanby wrote:
> >>>
> >>>
> >>>>Hey y'all, (sorry if this double posts)
> >>>>
> >>>>System: Windows XP Pro with brand new install of cygwin running sshd.
> > >>>>This system is a member of a Windows 2003 Active Directory domain.
> >>>>
> >>>>Problem: I've gone through the config steps listed below and unable
> >>>>to connect to my sshd server. On the sshd server, from the cygwin
> >>>>prompt I enter the following:
> >>>> $ ssh -p 3020 localhost
> >>>> joeshmo@localhost's password:
> >>>> Last login: Sat Mar 20 16:01:17 2004 from localhost
> >>>> Fanfare!!!
> >>>> You are successfully logged in to this server!!!
> >>>> /bin/bash: Permission denied
> >>>> Connection to localhost closed.
> >>>>
> >>>>Permissions on /bin/bash were -rwxr-x---+, I tried adding +rx, still
> >>>>get the same error
> >>>> -rwxr-xr-x+ 1 joeshmo Users 527360 Oct 20 07:12 /bin/bash*
> >>>>
> >>>>Here's what I did to configure sshd
> > >>>>1. Installed Cygwin with packages that I downloaded today while logged in
> > >>>> as my Active Directory user, joeshmo
> > >>>>2. Created a new Active Directory user, addomain\sshdproc, and added the
> > >>>> following rights using the Windows 2003 Server Local Security Policy
> > >>>> Create a token object
> > >>>> Log on as a service
> > >>>> Replace a process level token
> > >>>> Adjust memory quotas for a process
> > >>>>3. Added sshd as a service on the Windows XP Pro machine, it is set to
> > >>>> start as the user addomain\sshdproc
> >>>>4. Ran ssh-host-config and answered YES to all questions, including
> >>>> "privilege separation"
> >>>>5. Ran the following on the Windows XP machine
> >>>> mkpasswd -l -d > /etc/passwd
> >>>> mkgroup -l -d > /etc/group
> >>>>6. changed permissions on the following files
> >>>> touch /var/log/sshd.log
> >>>> chmod 644 /var/log/sshd.log
> >>>> chown sshdproc /var/empty /var/log/sshd.log /etc/ssh_*
> >>>>7. Start sshd
> >>>> cygrunsrv --start sshd
> >>>>
> >>>>I then get the error above, /bin/bash: Permission denied
> >>>>Any idea what file(s) it might be referring to?
> >>>>Any ideas on what else I can do?
> >>>>
> >>>>Thanks in advance,
> >>>>Mike
> >>>
> >>>Without the requisite information requested in the Cygwin problem
> >>>reporting guidelines at <http://cygwin.com/problems.html> we can only
> >>>guess, but, since you had to change the permissions on /bin/bash, I'd
> > >>>guess that you'll need to change the permissions on at least /bin as well.
> > >>>Also, try running sshd and ssh with a few -v flags (multiple -v's increase
> > >>>the verbosity level)...
> >>>Igor
> >>
> >
>
>
>
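
Added example, not part of the thread: a check that the sshd service account really holds the five user rights named in the fix on the member machine, since domain policy can leave only some of them in effect. It assumes the effective rights were exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS`; the sample export text below is constructed, and the `Se...` constants are the standard names for those policies.

```python
# Policy names from the post, mapped to the constants used in a secedit export.
REQUIRED_RIGHTS = {
    "Adjust memory quotas for a process": "SeIncreaseQuotaPrivilege",
    "Create a token object": "SeCreateTokenPrivilege",
    "Deny log on locally": "SeDenyInteractiveLogonRight",
    "Log on as a service": "SeServiceLogonRight",
    "Replace a process level token": "SeAssignPrimaryTokenPrivilege",
}

# Constructed sample: the state described in the post, where only
# "Log on as a service" had reached the XP machine for sshd_user.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,WIN2003DOMAIN\\sshd_user
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeDenyInteractiveLogonRight = Guest
[Version]
signature="$CHICAGO$"
"""


def parse_privilege_rights(text):
    """Return {right_constant: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; strip it for comparison.
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights


def missing_rights(text, account, sid=None):
    """List the policy names in REQUIRED_RIGHTS that the account does not hold."""
    granted = parse_privilege_rights(text)
    wanted = {v.lower() for v in (account, sid) if v}
    missing = []
    for display, constant in REQUIRED_RIGHTS.items():
        holders = {p.lower() for p in granted.get(constant, [])}
        holders |= {h.rsplit("\\", 1)[-1] for h in holders}  # DOMAIN\name -> name
        if not holders & wanted:
            missing.append(display)
    return missing


if __name__ == "__main__":
    print(missing_rights(SAMPLE_EXPORT, "sshd_user"))
```

For a real export, read the file with `encoding="utf-16"` (secedit typically writes it that way) and pass the account's SID as `sid`, because domain accounts are often listed by SID rather than by name.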