Shared home dir, samba workgroups and ssh

Andrew DeFaria Andrew@DeFaria.com
Wed Oct 18 04:50:00 GMT 2006 

Andrew DeFaria wrote:
> Here's the story. I use Cygwin on my XP desktop. I like having a home 
> directory on Windows that is the same home directory on Unix/Linux 
> machines. Often companies offer access to your Unix/Linux home 
> directory via Samba. Also, often companies do not bother to set up a 
> Samba server wish participates in a domain, so the Samba server is 
> configured as being in a workgroup.
>
> Now for a long time I struggled with this. I would map //<samba 
> server>/<home share> -> my H drive then mount the H drive as /home and 
> make sure my Cygwin /etc/password referred to my home directory of 
> /home/$USER. All is great.
>
> But when dealing with Samba servers who are configured into workgroups 
> innocuous activities in Cygwin would elicit permission denied 
> messages. For example, touching a file in the home directory and 
> indeed even vi'ing a file, etc. Creating a file within Windows 
> Explorer or using other Windows oriented tools would work just fine. 
> Files created on the Unix/Linux side would also work fine but when 
> looked at from Cygwin on the PC would have odd (read "nobody") 
> ownerships and permissions.
>
> Of course as Cygwin is often not supported by the typical company's IT 
> department and because many people do not attempt to utilize Cygwin 
> fully often requests for assistance and change fell on deaf ears...
>
> Eventually I figured out that my Windows SID in /etc/passwd is the SID 
> of my domain user and since the Samba server was not in the domain my 
> SID does not authenticate properly. Then I had a break through in that 
> I realized that I was using SMBNTSEC as well as NTSEC in my Cygwin 
> environment. I figured "Yeah I want to use the same Windows security 
> for SMB mounted drives too". This is where my problem lies and it's 
> because the Samba server configured by the client does not participate 
> in the Windows domain from which I've logged in.
>
> Now I'm pretty sure that Samba could be configured properly into a 
> Windows domain as Samba can be configured as a PDC or a BDC, but many 
> clients don't bother to go that far. So why is Windows able to deal 
> with this but not Cygwin?
>
> I believe that this is because within Samba a very basic approach is 
> kept towards storing of user identification information. Indeed basic 
> Samba just has an smbpasswd file which is much like your typical 
> Unix/Linux /etc/passwd file and it is not designed to carry extra 
> information about users and machine accounts as well as multiple 
> groups and trust associations, etc. Even Samba documents talks about 
> hooking Samba up to either LDAP or what they call a Trivial DataBase 
> (TDB) in order to store such additional Windows only information.
>
> So I thought the simple solution was to remove SMBNTSEC from my Cygwin 
> environment and all would be fine. And indeed it is! Well almost...
>
> Along comes ssh... So I like to use ssh to log into various Unix/Linux 
> systems as I work. And again I share my home directory between Windows 
> and Unix/Linux. Finally I like setting up passwordless public key ssh 
> login as I'm not one of those who likes having to type in his password 
> hundreds of times a day. But ssh's is picky about permissions of your 
> ~/.ssh and ~/.ssh/id_<type> key files. When ssh'ing from Cygwin to a 
> Unix/Linux box I am now receiving the following:
>
>    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>    @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
>    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>    Permissions 0644 for '/home/x0062320/.ssh/id_rsa' are too open.
>    It is recommended that your private key files are NOT accessible by
>    others.
>    This private key will be ignored.
>    bad permissions: ignore key: /home/x0062320/.ssh/id_rsa
>    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>    @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
>    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>    Permissions 0644 for '/home/x0062320/.ssh/id_dsa' are too open.
>    It is recommended that your private key files are NOT accessible by
>    others.
>    This private key will be ignored.
>    bad permissions: ignore key: /home/x0062320/.ssh/id_dsa
>    x0062320@stashu's password:
>
> And, of course, I need to type in my password again! What I believe is 
> happening is that because my home directory is SMB mounted and 
> SMBNTSEC is off then Cygwin reports that files like ~/.ssh/id_rsa are 
> 0644 even if I change them on Unix/Linux to 0600. So, for example:
>
>    <unix box>$ ls -l ~/.ssh/id_rsa
>    -rw-------  1 x0062320 generic 887 Aug 31 16:43
>    /home/x0062320/.ssh/id_rsa
>
> While:
>
>    <cygwin>$ ls -l ~/.ssh/id_rsa
>    -rw-r--r-- 1 x0062320 Domain Users 887 Aug 31 16:43
>    /home/x0062320/.ssh/id_rsa
>
> Is there any way to work around this problem (short of reconfiguring 
> the Samba server)?
Anybody care to venture a guess here? Is my suspicions about SMBNTSEC 
correct?


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

More information about the Cygwin mailing list