LDAP integration and sshd

Achim Gratz Stromeko@nexgo.de
Fri Jun 27 19:08:00 GMT 2014


Corinna Vinschen writes:
> The Admin group is a BUILTIN group, so it's always +Administrators
> under the default prefixing rule, as outlined in my preliminary
> documentation.

Yeah, I was just trying the other variants out of desperation.

> And it works fine for me with the latest from CVS (== latest snapshot),
> I just tested it.

I'm using the latest snapshot, although the behaviour is the same with
the previous one.

> If I add
>
>   AllowGroups +Administrators
>
> I can still log in with my admin account and get a refusal when logging
> in with a non-admin account.
>
> In contrast, if I add
>
>   DenyGroups +Administrators
>
> it's the opposite.

Yes, that's exactly what isn't working.  Even in debug mode the messages
from sshd are not very enlightening, but through experimentation I found
that the only thing that works is +Authenticated* (for Authenticated
Users, obviously).  I don't know what's going on, but it seems that when
the user credentials are resolved by sshd, the domain accounts are
completely inaccessible.  Switching off privilege separation doesn't
seem to make a difference.

> Are you, by any chance, using a non-English OS version?  You know that
> the administrators group has a localized name, right?  In German, for
> instance, it's called Administratoren.

Not that I know of (I didn't install it), it reports as a bog-standard
2012R2 server and all local display is in English.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Samples for the Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#BlofeldSamplesExtra
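
A small model of the AllowGroups/DenyGroups decision discussed in this message, added here as an illustration; it is not code from sshd, Cygwin or either poster. The group lists are constructed samples, and the model assumes case-sensitive matching of unquoted patterns with only the `*` and `?` wildcards and no `!` negation.

```python
import re

def pattern_to_regex(pattern):
    """Translate an sshd-style pattern ('*' = any run, '?' = one char) to a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z", re.DOTALL)

def group_matches(patterns, groups):
    """True if any of the user's group names matches any pattern."""
    return any(pattern_to_regex(p).match(g) for p in patterns for g in groups)

def login_permitted(config_lines, user_groups):
    """Deny rules are checked first; an allow list, if present, must then match."""
    allow, deny = [], []
    for line in config_lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # skip blank lines and comments
        keyword, patterns = fields[0].lower(), fields[1:]
        if keyword == "allowgroups":
            allow += patterns
        elif keyword == "denygroups":
            deny += patterns
    if deny and group_matches(deny, user_groups):
        return False
    if allow and not group_matches(allow, user_groups):
        return False
    return True

# Constructed sample group memberships (hypothetical accounts).
ADMIN = ["+Administrators", "+Users", "+Authenticated Users"]
PLAIN = ["+Users", "+Authenticated Users"]
ADMIN_DE = ["+Administratoren", "+Benutzer"]  # localized group names

if __name__ == "__main__":
    for name, groups in (("admin", ADMIN), ("plain", PLAIN), ("admin_de", ADMIN_DE)):
        for rule in ("AllowGroups +Administrators", "DenyGroups +Administrators",
                     "AllowGroups +Authenticated*"):
            print(f"{name:9} {rule:30} -> {login_permitted([rule], groups)}")
```

Comparing this expected outcome with the names that `id -Gn` reports for the account on the server shows whether the pattern or the group resolution is at fault.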
