[1.7] sshd dc problem

Corinna Vinschen corinna-cygwin@cygwin.com
Wed Jun 24 11:48:00 GMT 2009


On Jun 24 10:45, Reini Urban wrote:
> 2009/6/23 Corinna Vinschen:
> > On Jun 22 17:48, Reini Urban wrote:
> >> I should be able to login with pubkey to my box with sshd when windows
> >> lets me in also.
> >
> > That's easier said than done.
> >
> > Apparently your laptop is configured to allow using cached credentials
> > which are used by the machine if it can't connect to a DC.  The token
> > information (groups/privileges) is also cached somewhere in a
> > non-documented storage.  Whatever Windows is using, it's not accessible
> > for Cygwin.  At least I don't know how to do it.
> 
> Is it possible to detect that one is logged in with a cached
> credential at least?

I don't know.  I don't think so.  And even then there's the problem that
more than one user session can be active, so you would have to find the
right one first.

Hmm.

Come to think of it, what Cygwin could try starting with Windows XP
is to use Terminal Service functions to see if the user is already
logged in, and if so, use that user's token for the setuid call.
I never tried that before, so I don't know if that works as desired.
Anyway, that's something to try for a later version of Cygwin.

> Then the failing initgroups DcGetDcName(PDC_REQUIRED) can be made non-fatal.
> Or maybe there's a PDC_OPTIONAL

I'm not requiring the PDC, at least post-NT4.  The function calls
DsGetDcNameW asking for any DC.  If that fails, it just tries it again
with the DS_FORCE_REDISCOVERY flag.

> > So, for the time being, the workaround to get a user token is thus:
> >
> > 1. I'll patch Cygwin to ignore the fact that the group information
> >   couldn't be fetched from the server.
> 
> Great!
> 
> > 2. Either you're happy with a restricted token,
> 
> Restricted token is okay for me.

It's *very* restricted.  It only contains the barest groups, plus
"Users" and your primary domain group as set in /etc/passwd.  If you
need more supplementary groups, you have to add yourself to the
respective /etc/group entries.

> 
> >  or you use the new logon
> >   method 3 as described in
> >   http://cygwin.com/1.7/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
> >   This results in getting a token right from Windows based on the
> >   cached credentials.
> 
> I'll try password auth then, thanks

Using password auth doesn't solve the initgroups problem, unfortunately.
You'll still need the aforementioned patch to Cygwin.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
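The message above says a user on a restricted token gets only the barest groups plus "Users" and the primary group, and that extra supplementary groups have to come from the user's membership in /etc/group entries. The following shell script, added here as an illustration and not code from the thread or from the Cygwin project, shows a safe, idempotent way to append a user to the member field of a group line in the Cygwin /etc/group format (`name:SID:gid:member1,member2`) and to list the groups a user would pick up. The sample group file, its SIDs and the user names are constructed; `GROUP_FILE` is a hypothetical variable that defaults to a temporary copy so the script runs anywhere, and would point at /etc/group on the Cygwin box itself.

```shell
#!/bin/sh
# Added example, not from the thread: maintain supplementary group membership
# in a Cygwin-format /etc/group file.  Lines look like  name:SID:gid:members
# where members is a comma-separated list (possibly empty).

# Hypothetical: defaults to a scratch copy; set GROUP_FILE=/etc/group on Cygwin.
GROUP_FILE="${GROUP_FILE:-$(mktemp)}"

# Constructed sample group file (SIDs and names are made up).
cat > "$GROUP_FILE" <<'EOF'
Users:S-1-5-32-545:545:
Administrators:S-1-5-32-544:544:
Domain Users:S-1-5-21-1234567890-1234567890-1234567890-513:10513:
Developers:S-1-5-21-1234567890-1234567890-1234567890-1108:11108:alice
EOF

# add_member GROUP USER: append USER to GROUP's member field unless already
# present.  Returns 0 on success, 1 if no such group line exists.
add_member() {
    group="$1"; user="$2"
    # Existence check on the exact group name (field 1), not a regex match.
    awk -F: -v g="$group" '$1 == g { found = 1 } END { exit !found }' \
        "$GROUP_FILE" || return 1
    tmp=$(mktemp)
    awk -F: -v OFS=: -v g="$group" -v u="$user" '
        $1 == g {
            n = split($4, m, ",")
            found = 0
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
            if (!found) $4 = ($4 == "") ? u : ($4 "," u)
        }
        { print }
    ' "$GROUP_FILE" > "$tmp" && mv "$tmp" "$GROUP_FILE"
}

# members GROUP: print the member field of GROUP (empty if none).
members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "$GROUP_FILE"
}

# supplementary_groups USER: names of every group whose member field lists
# USER, i.e. the supplementary groups the restricted token can be given
# from /etc/group.
supplementary_groups() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }' "$GROUP_FILE"
}

# Usage: add_member "Developers" bob && supplementary_groups bob
```

Field 1 is compared for equality in awk rather than matched with a grep pattern so that group names containing spaces or regex metacharacters (common for Windows domain groups) are handled correctly, and the rewrite goes through a temporary file so a failed awk run never truncates the group file.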


