Unable to run sshd under a domain sshd_server account [SOLVED]

Schutter, Thomas A. tschutter@proxix.com
Mon May 12 21:32:00 GMT 2008


> -----Original Message-----
> From: Schutter, Thomas A.
> Sent: Monday, May 12, 2008 9:52 AM
> To: 'cygwin@cygwin.com'
> Subject: Unable to run sshd under a domain sshd_server account
> 
> I am having problems setting up sshd to run under a domain sshd_server
> account instead of a local sshd_server account.
> 
> Why do I want to do that?  Because in the default install, starting a
> cygwin shell from the console gives me a much different environment and
> permissions than if I start a cygwin shell via ssh.  For example, from
> a console shell on the Windows 2003 Server:
>   $ echo $USER
>   tschutter
>   $ echo $USERNAME
>   tschutter
>   $ echo $HOSTNAME
>   fdsvbld01sgrape
>   $ echo $USERDOMAIN
>   FLOODDATA
>   $ id
>   uid=18718(tschutter) gid=10513(Domain Users) groups=544(Administrators),545(Users),10513(Domain Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)
>   $ ls //other/f$
>   Data          RECYCLER        System\ Volume\ Information
> 
> But when I log in via ssh:
>   $ echo $USER
>   tschutter
>   $ echo $USERNAME
>   sshd_server
>   $ echo $HOSTNAME
>   fdsvbld01sgrape
>   $ echo $USERDOMAIN
>   FDSVBLD01SGRAPE
>   $ id
>   uid=18718(tschutter) gid=10513(Domain Users) groups=545(Users),10513(Domain Users)
>   $ ls //other/f$
>   ls: cannot access //other/f$: Permission denied
> 
> The sshd server was set up using "ssh-host-config --yes". So it appears
> that when I log in via ssh, I am logged in as a local user, not a domain
> user.  Also, when logged in via ssh, I am not in the Administrators,
> FDSV-GG-PrxBLD, and FDSV-GG-PrxPCAdmins groups.  As a side note, I
> would think that USERNAME being set to sshd_server is a bug.
> 
> It appears that the solution is to create a domain sshd_server account
> and run sshd as that user.  So I created a domain account called
"fdsv-
> sa-prx-sshdsrvr".  I gave this account the required rights:
>   $ editrights -a SeCreateTokenPrivilege -u fdsv-sa-prx-sshdsrvr
>   $ editrights -a SeTcbPrivilege -u fdsv-sa-prx-sshdsrvr
>   $ editrights -a SeDenyInteractiveLogonRight -u fdsv-sa-prx-sshdsrvr
>   $ editrights -a SeDenyNetworkLogonRight -u fdsv-sa-prx-sshdsrvr
>   $ editrights -a SeDenyRemoteInteractiveLogonRight -u fdsv-sa-prx-sshdsrvr
>   $ editrights -a SeIncreaseQuotaPrivilege -u fdsv-sa-prx-sshdsrvr
>   $ editrights -a SeServiceLogonRight -u fdsv-sa-prx-sshdsrvr
> 
> I added fdsv-sa-prx-sshdsrvr to local "Administrators" group.
> 
> I changed the ownership of the /etc/ssh files and /var/empty:
>   $ chown fdsv-sa-prx-sshdsrvr /etc/ssh* /var/empty
> 
> I changed the log on account for the "CYGWIN sshd" service to the
> fdsv-sa-prx-sshdsrvr account.
> 
> I then tried to start the service:
>   $ net start sshd
>   The CYGWIN sshd service is starting.
>   The CYGWIN sshd service could not be started.
> 
>   The service did not report an error.
> 
>   More help is available by typing NET HELPMSG 3534.
> 
> The application event log has this error message:
>   The description for Event ID ( 0 ) in Source ( sshd ) cannot be
> found. The local computer may not have the necessary registry
> information or message DLL files to display messages from a remote
> computer. You may be able to use the /AUXSOURCE= flag to retrieve this
> description; see Help and Support for details. The following
> information is part of the event: sshd: PID 2068: service `sshd'
> failed: signal 11 raised.
> 
> I have attached the output from "cygcheck -s -v -r" as grape-cygcheck.out.
> 
> So where do I go from here?  What am I missing?

First, I am sorry that I broke the original thread.  I was not
subscribed to the list when I made the first post, so I was unable to
reply to that thread.

I solved the problem.  I had missed the /var/log files when changing
ownership to the new domain sshd_server account.  The chown command
above should be:
  chown fdsv-sa-prx-sshdsrvr /etc/ssh* /var/empty /var/log/lastlog /var/log/sshd.log

Now the sshd server starts, and when I log in my id is correct, and I can
view shares:
  $ echo $USERDOMAIN
  FLOODDATA
  $ id
  uid=18718(tschutter) gid=10513(Domain Users) groups=544(Administrators),545(Users),10513(Domain Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)
  $ ls //other/f$
  Data          RECYCLER        System\ Volume\ Information

Note that my USERNAME is still wrong:
  $ echo $USERNAME
  fdsv-sa-prx-sshdsrvr

Although this method of creating and using a domain sshd_server account
is not one of the recommended workarounds, it appears to work.

In the other thread, Larry Hall pointed me to the FAQ
http://cygwin.com/faq/faq-nochunks.html#faq.using.shares. One of the
suggestions was to "provide your password to a net use command".  I was
unable to make that work, because "net use" never asks for my password:
  $ net use \\other\f$
  System error 67 has occurred.

  The network name cannot be found.

As Larry Hall pointed out in the other thread, the cyglsa dll should
solve this problem and I look forward to trying it out when 1.7.x is
available.  I am not ready to jump to snapshots at this time.

--
Tom Schutter
First American - Proxix Solutions
(512) 977-6822


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
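The steps in the post, collected into one preflight script. This is an added example, not code from the original post or from the Cygwin project. It grants the rights the post lists with editrights, hands every file sshd must read or write to the service account (including the /var/log files whose ownership the post initially missed), and, before "net start sshd", checks that each one is owned by that account, because in the post a file the service account could not open surfaced only as "signal 11 raised" in the event log. Assumptions: the service account name is passed as the first argument; the optional root-prefix argument to sshd_required_paths and the selftest function are there only so the ownership check can be exercised on a constructed temporary tree without Cygwin or administrative rights; ownership is compared against the owner name as Cygwin's stat/ls report it. Nothing in the script is a substitute for the ssh-host-config run itself.

```shell
#!/bin/bash
# Added example (not from the original post): preflight for running the
# Cygwin sshd service under a domain service account.
# Usage:  ./sshd-preflight.sh fdsv-sa-prx-sshdsrvr    (real run, on Cygwin)
#         ./sshd-preflight.sh                          (selftest on a temp tree)

# Rights the post grants with editrights. SeTcbPrivilege and
# SeCreateTokenPrivilege let sshd build a logon token for the domain user;
# the three SeDeny*LogonRight entries keep anyone from logging on as the
# service account itself, which is the only hardening in the set.
SSHD_RIGHTS="SeCreateTokenPrivilege SeTcbPrivilege SeIncreaseQuotaPrivilege
SeServiceLogonRight SeDenyInteractiveLogonRight SeDenyNetworkLogonRight
SeDenyRemoteInteractiveLogonRight"

# Files sshd must own as the service account: the post's final chown list.
# $1 is an optional root prefix (an assumption, used only by the selftest).
sshd_required_paths() {
    root="${1:-}"
    for p in "$root"/etc/ssh*; do
        [ -e "$p" ] && printf '%s\n' "$p"
    done
    printf '%s\n' "$root/var/empty" "$root/var/log/lastlog" "$root/var/log/sshd.log"
}

# Report every listed path that is missing or not owned by $1.
# Returns 1 on any problem, 0 if all paths are owned by the account.
check_owner() {
    account="$1"; shift
    bad=0
    for p in "$@"; do
        owner=$(stat -c '%U' "$p" 2>/dev/null) || { echo "MISSING     $p"; bad=1; continue; }
        if [ "$owner" != "$account" ]; then
            echo "WRONG OWNER $p (is $owner, want $account)"
            bad=1
        fi
    done
    return "$bad"
}

# Grant the rights from the post. Only meaningful on Cygwin with editrights.
grant_rights() {
    account="$1"
    command -v editrights >/dev/null 2>&1 || { echo "editrights not found (not Cygwin?)"; return 2; }
    for r in $SSHD_RIGHTS; do
        editrights -a "$r" -u "$account" || return 1
    done
}

# Hand the files to the service account, then re-check before the service starts.
fix_owner() {
    account="$1"; shift
    chown "$account" "$@" && check_owner "$account" "$@"
}

# Selftest on a constructed tree (no privileges needed): builds the sshd
# file layout under a temp dir and checks it against the current user
# (must pass) and against a bogus account name (must fail).
selftest() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/var/empty" "$tmp/var/log"
    : > "$tmp/etc/ssh_config"; : > "$tmp/etc/sshd_config"
    : > "$tmp/var/log/lastlog"; : > "$tmp/var/log/sshd.log"
    me=$(id -un)
    ok=0
    check_owner "$me" $(sshd_required_paths "$tmp") >/dev/null || ok=1
    check_owner "no-such-account" $(sshd_required_paths "$tmp") >/dev/null && ok=1
    rm -rf "$tmp"
    return "$ok"
}

case "${1:-selftest}" in
    selftest) selftest && echo "selftest ok" ;;
    *) grant_rights "$1" && fix_owner "$1" $(sshd_required_paths) ;;
esac
```

Run the real branch from an elevated Cygwin shell, then "net start sshd"; if check_owner prints any WRONG OWNER or MISSING line, fix that file first rather than reading the event log for a hint it does not contain.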
