Unable to run sshd under a domain sshd_server account [SOLVED]
Schutter, Thomas A.
tschutter@proxix.com
Mon May 12 21:32:00 GMT 2008
> -----Original Message-----
> From: Schutter, Thomas A.
> Sent: Monday, May 12, 2008 9:52 AM
> To: 'cygwin@cygwin.com'
> Subject: Unable to run sshd under a domain sshd_server account
>
> I am having problems setting up sshd to run under a domain sshd_server
> account instead of a local sshd_server account.
>
> Why do I want to do that? Because in the default install, starting a
> cygwin shell from the console gives me a much different environment
and
> permissions than if I start a cygwin shell via ssh. For example, from
> a console shell on the Windows 2003 Server:
> $ echo $USER
> tschutter
> $ echo $USERNAME
> tschutter
> $ echo $HOSTNAME
> fdsvbld01sgrape
> $ echo $USERDOMAIN
> FLOODDATA
> $ id
> uid=18718(tschutter) gid=10513(Domain Users)
> groups=544(Administrators),545(Users),10513(Domain Users),18169(FDSV-
> GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)
> $ ls //other/f$
> Data RECYCLER System\ Volume\ Information
>
> But when I login via ssh:
> $ echo $USER
> tschutter
> $ echo $USERNAME
> sshd_server
> $ echo $HOSTNAME
> fdsvbld01sgrape
> $ echo $USERDOMAIN
> FDSVBLD01SGRAPE
> $ id
> uid=18718(tschutter) gid=10513(Domain Users)
> groups=545(Users),10513(Domain Users)
> $ ls //other/f$
> ls: cannot access //other/f$: Permission denied
>
> The sshd server was setup using "ssh-host-config --yes". So it appears
> that when I login via ssh, I am logged in as a local user, not a
domain
> user. Also, when logged in via ssh, I am not in the Administrators,
> FDSV-GG-PrxBLD, and FDSV-GG-PrxPCAdmins groups. As a side note, I
> would think that USERNAME being set to sshd_server is a bug.
>
> It appears that the solution is to create a domain sshd_server account
> and run sshd as that user. So I created a domain account called
"fdsv-
> sa-prx-sshdsrvr". I gave this account the required rights:
> $ editrights -a SeCreateTokenPrivilege -u fdsv-sa-prx-sshdsrvr
> $ editrights -a SeTcbPrivilege -u fdsv-sa-prx-sshdsrvr
> $ editrights -a SeDenyInteractiveLogonRight -u fdsv-sa-prx-sshdsrvr
> $ editrights -a SeDenyNetworkLogonRight -u fdsv-sa-prx-sshdsrvr
> $ editrights -a SeDenyRemoteInteractiveLogonRight -u fdsv-sa-prx-
> sshdsrvr
> $ editrights -a SeIncreaseQuotaPrivilege -u fdsv-sa-prx-sshdsrvr
> $ editrights -a SeServiceLogonRight -u fdsv-sa-prx-sshdsrvr
>
> I added fdsv-sa-prx-sshdsrvr to local "Administrators" group.
>
> I changed the ownership of the /etc/ssh files and /var/empty:
> $ chown fdsv-sa-prx-sshdsrvr /etc/ssh* /var/empty
>
> I changed the log on account for the "CYGWIN sshd" service to the
fdsv-
> sa-prx-sshdsrvr account.
>
> I then tried to start the service:
> $ net start sshd
> The CYGWIN sshd service is starting.
> The CYGWIN sshd service could not be started.
>
> The service did not report an error.
>
> More help is available by typing NET HELPMSG 3534.
>
> The application event log has this error message:
> The description for Event ID ( 0 ) in Source ( sshd ) cannot be
> found. The local computer may not have the necessary registry
> information or message DLL files to display messages from a remote
> computer. You may be able to use the /AUXSOURCE= flag to retrieve this
> description; see Help and Support for details. The following
> information is part of the event: sshd: PID 2068: service `sshd'
> failed: signal 11 raised.
>
> I have attached the output from "cygcheck -s -v -r" as grape-
> cygcheck.out.
>
> So where do I go from here? What am I missing?
First, I am sorry that I broke the original thread. I was not
subscribed to the list when I made the first post, so I was unable to
reply to that thread.
I solved the problem. I had missed the /var/log files when changing
ownership to the new domain sshd_server account. The chown command
above should be:
chown fdsv-sa-prx-sshdsrvr /etc/ssh* /var/empty /var/log/lastlog
/var/log/sshd.log
Now the sshd server starts, and when I login my id is correct, and I can
view shares:
$ echo $USERDOMAIN
FLOODDATA
$ id
uid=18718(tschutter) gid=10513(Domain Users)
groups=544(Administrators),545(Users),10513(Domain
Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)
$ ls //other/f$
Data RECYCLER System\ Volume\ Information
Note that my USERNAME is still wrong:
$ echo $USERNAME
fdsv-sa-prx-sshdsrvr
Although this method of creating and using a domain sshd_server account
is not one of the recommended workarounds, it appears to work.
In the other thread, Larry Hall pointed me to the FAQ
http://cygwin.com/faq/faq-nochunks.html#faq.using.shares. One of the
suggestions was to "provide your password to a net use command". I was
unable to make that work, because "net use" never asks for my password:
$ net use \\other\f$
System error 67 has occurred.
The network name cannot be found.
As Larry Hall pointed out in the other thread, the cyglsa dll should
solve this problem and I look forward to trying it out when 1.7.x is
available. I am not ready to jump to snapshots at this time.
--
Tom Schutter
First American - Proxix Solutions
(512) 977-6822
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
More information about the Cygwin
mailing list