Unable to run sshd under a domain sshd_server account [SOLVED]
Igor Peshansky
pechtcha@cs.nyu.edu
Mon May 12 22:32:00 GMT 2008
On Mon, 12 May 2008, Schutter, Thomas A. wrote:
> > -----Original Message-----
> > From: Schutter, Thomas A.
> > Sent: Monday, May 12, 2008 9:52 AM
> > To: 'cygwin@XXXXXX.XXX'
<http://cygwin.com/acronyms/#PCYMTNQREAIYR>.
> > Subject: Unable to run sshd under a domain sshd_server account
> >
> > I am having problems setting up sshd to run under a domain sshd_server
> > account instead of a local sshd_server account.
> > [snip]
> > But when I login via ssh:
> > $ echo $USER
> > tschutter
> > $ echo $USERNAME
> > sshd_server
Yes -- Windows does not understand user impersonation and does not allow
real user switching. So what sshd does is invoke processes with the
appropriate token privileges for the user it's impersonating, while
updating internal Cygwin data structures, but still running as
sshd_server. So Cygwin sees the right user (in its internal state), but
Windows processes, of course, don't.
> > The application event log has this error message:
> > The description for Event ID ( 0 ) in Source ( sshd ) cannot be
> > found. The local computer may not have the necessary registry
> > information or message DLL files to display messages from a remote
> > computer. You may be able to use the /AUXSOURCE= flag to retrieve this
> > description; see Help and Support for details. The following
> > information is part of the event: sshd: PID 2068: service `sshd'
> > failed: signal 11 raised.
Oops -- a segfault. This is definitely a bug somewhere -- no matter what,
sshd should not segfault.
> First, I am sorry that I broke the original thread. I was not
> subscribed to the list when I made the first post, so I was unable to
> reply to that thread.
There is a way to do this with the help of the archives. I've posted the
recipe multiple times -- you should be able to find it in the archives.
> I solved the problem. I had missed the /var/log files when changing
> ownership to the new domain sshd_server account. The chown command
> above should be:
> chown fdsv-sa-prx-sshdsrvr /etc/ssh* /var/empty /var/log/lastlog /var/log/sshd.log
>
> Now the sshd server starts, and when I login my id is correct, and I can
> view shares:
> $ echo $USERDOMAIN
> FLOODDATA
> $ id
> uid=18718(tschutter) gid=10513(Domain Users) groups=544(Administrators),545(Users),10513(Domain Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)
> $ ls //other/f$
> Data RECYCLER System\ Volume\ Information
>
> Note that my USERNAME is still wrong:
> $ echo $USERNAME
> fdsv-sa-prx-sshdsrvr
See above.
> Although this method of creating and using a domain sshd_server account
> is not one of the recommended workarounds, it appears to work.
>
> In the other thread, Larry Hall pointed me to the FAQ
> http://cygwin.com/faq/faq-nochunks.html#faq.using.shares. One of the
> suggestions was to "provide your password to a net use command". I was
> unable to make that work, because "net use" never asks for my password:
> $ net use \\other\f$
> System error 67 has occurred.
>
> The network name cannot be found.
See "net help use":
    The syntax of this command is:

    NET USE
    [devicename | *] [\\computername\sharename[\volume] [password | *]]
    ...
    password    Is the password needed to access the shared resource.
    *           Produces a prompt for the password. The password is
                not displayed when you type it at the password prompt.
So, you need to type "net use '\\other\f$' \*" (note the escaped/quoted
'*'), and it'll prompt you for the password.
> As Larry Hall pointed out in the other thread, the cyglsa dll should
> solve this problem and I look forward to trying it out when 1.7.x is
> available. I am not ready to jump to snapshots at this time.
HTH,
Igor
--
http://cs.nyu.edu/~pechtcha/
|\ _,,,---,,_ pechtcha@cs.nyu.edu | igor@watson.ibm.com
ZZZzz /,`.-'`' -. ;-;;,_ Igor Peshansky, Ph.D. (name changed!)
|,4- ) )-,_. ,\ ( `'-' old name: Igor Pechtchanski
'---''(_/--' `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-. Meow!
"That which is hateful to you, do not do to your neighbor. That is the whole
Torah; the rest is commentary. Go and study it." -- Rabbi Hillel
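
The fix reported in this thread was a missed ownership change on the /var/log files. The following is an added example, not part of the original messages or of Cygwin itself: a pre-start check that every path sshd needs is owned by the service account. The function name check_sshd_owner and the SSHD_ACCOUNT variable are this example's own; the path list is the one from the chown command quoted above.

```shell
#!/bin/sh
# Added example: report paths sshd needs that are missing or not owned by
# the account the service runs as.

# Paths from the thread's chown command; the glob is expanded at call time.
SSHD_PATHS='/etc/ssh* /var/empty /var/log/lastlog /var/log/sshd.log'

# check_sshd_owner ACCOUNT PATH...
# Prints one line per problem; returns 0 only if every path exists and is
# owned by ACCOUNT.
check_sshd_owner() {
    expected=$1; shift
    bad=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            bad=$((bad + 1))
            continue
        fi
        # stat -c is GNU coreutils syntax, which is what Cygwin ships.
        owner=$(stat -c '%U' "$p")
        if [ "$owner" != "$expected" ]; then
            echo "OWNER    $p is owned by $owner, expected $expected"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Check the real paths only when SSHD_ACCOUNT (hypothetical variable) is set:
#   SSHD_ACCOUNT=fdsv-sa-prx-sshdsrvr sh check_sshd_owner.sh
if [ -n "${SSHD_ACCOUNT:-}" ]; then
    # $SSHD_PATHS is left unquoted on purpose so that /etc/ssh* expands.
    check_sshd_owner "$SSHD_ACCOUNT" $SSHD_PATHS
fi
```

Run it before starting the service; any MISSING or OWNER line names a path the chown did not cover.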