This is the mail archive of the
cygwin@cygwin.com
mailing list for the Cygwin project.
Re: NTsec permissions issue over inet
- From: Igor Pechtchanski <pechtcha at cs dot nyu dot edu>
- To: Bruce Dobrin <dobrin at imageworks dot com>
- Cc: cygwin at cygwin dot com
- Date: Mon, 2 Jun 2003 20:24:13 -0400 (EDT)
- Subject: Re: NTsec permissions issue over inet
- Reply-to: cygwin at cygwin dot com
Umm, Bruce, you aren't trying to access network shares from a session you
did with passwordless authentication, are you? Because if you are, it's
not going to work (see <http://cygwin.com/cygwin-ug-net/ntsec.html#NTSEC-RELEASE1.3.3>).
I've also found that even if you log in through telnet or ssh, you
sometimes need to issue an explicit "net use" command to get access to
network shares... Try that, and see if it helps.
I'm guessing the perl script runs as yourself from a session that
already accessed the share...
Igor
On Mon, 2 Jun 2003, Bruce Dobrin wrote:
> I tried executing a the command via a socket directly: by asigning a script
> via inet.conf, it still gave me permission denied. I turned off
> inetd/xinetd and hacked together a server with perl to exec the same script
> and it had no permission problems. it looks like a problem common to inetd
> and xinetd but not cygwin specifically:
>
> EXAMPLE:
>
> ######(socket 1824 defined in inetd.conf and /etc/services file)
>
> dobrin@THEODOLITE:/home/dobrin>telnet castro 1824
> responds:
> pwd
> /c/WINNT/system32
> ls -al //matilda/setup
> ls: //matilda/setup: No such file or directory
> /c/WINNT/system32/dfscmd.exe /view \\\\dfsmaster\\dfsshare > poop
> cat poop
> System error 1355 has occurred.
> The specified domain either does not exist or could not be contacted.
>
> #######( perl script listening on socket 2345 )
>
> dobrin@THEODOLITE:/home/dobrin>telnet castro 2345
> responds:
> pwd
> /home/dobrin
> ls -al //matilda/setup
> drwxrwxrwx+ 1 Administ Domain A 32768 May 30 18:45 .
> drwxrwxrwx+ 1 Administ Domain A 0 May 8 14:07 2ksrv_image
> drwxrwxrwx+ 1 Administ Domain A 0 Feb 27 20:55 3dmaxupdate
> drwxrwxrwx+ 1 Administ Domain A 0 Mar 26 11:08 ACDSee
> .........
> /c/WINNT/system32/dfscmd.exe /view \\\\dfsmaster\\dfsshare > poop
> cat poop
> \\DFSMASTER\dfsroot
> \\DFSMASTER\dfsroot\shots\vol780
> \\DFSMASTER\dfsroot\pipe\usr_pasquini\trash
> The command completed successfully.
>
>
> ----- Original Message -----
> From: "Bruce Dobrin" <dobrin@imageworks.com>
> To: "Banville, Stephen" <Stephen.Banville@sycamorenet.com>;
> <cygwin@cygwin.com>
> Sent: Monday, June 02, 2003 12:37 PM
> Subject: Re: NTsec permissions issue over inet
>
>
> > hmmm, still experimenting: thought it might have something to do with
> > inetd and mounts, but I also tried rlogin to <localhost> which is
> > running init and xinetd and issueing a dfscmd:
> >
> > dobrin@THEODOLITE:/home/dobrin> dfscmd /view \\\\dfsmaster\\dfsshare
> > \\DFSMASTER\dfsroot
> > \\DFSMASTER\dfsroot\shots\vol780
> > \\DFSMASTER\dfsroot\pipe\usr_pasquini\trash
> > The command completed successfully.
> > dobrin@THEODOLITE:/home/dobrin> rsh localhost
> > Last login: Mon Jun 2 12:30:41 from THEODOLITE.spimageworks.com
> > Fanfare!!!
> > You are successfully logged in to this server!!!
> > dobrin@THEODOLITE:/home/dobrin> dfscmd /view \\\\dfsmaster\\dfsshare
> > System error 5 has occurred.
> >
> > Access is denied.
> >
> > :::: still confused...
> >
> >
> > ----- Original Message -----
> > From: "Banville, Stephen" <Stephen.Banville@sycamorenet.com>
> > To: <cygwin@cygwin.com>; "Stephen Banville" <sbanville@attbi.com>
> > Cc: "'Bruce Dobrin'" <dobrin@imageworks.com>; "Banville, Stephen"
> > <Stephen.Banville@sycamorenet.com>
> > Sent: Monday, June 02, 2003 5:32 AM
> > Subject: RE: NTsec permissions issue over inet
> >
> > > Igor,
> > > I tried settting smbntsec and it did not work. With older version I
> > > used to just set ntsec, make the passwd and group files, and
> > > everything would just work the way I would expect. Something has
> > > changed in the way cygwin handles NT security. I am running a
> > > generic version of windows 2000 with no thrid party filesys drivers.
> > > I don't believe that it's aproblem with my configuration because
> > > older version of Cygwin have worked just fine. As of now all
> > > suggestions have not been successful. It sounds like a new bug has
> > > been introduced surrounding NT security.
> > >
> > > Steve
> > >
> > > -----Original Message-----
> > > From: Igor Pechtchanski [mailto:pechtcha@cs.nyu.edu]
> > > Sent: Sunday, June 01, 2003 7:30 PM
> > > To: Stephen Banville
> > > Cc: 'Bruce Dobrin'; cygwin@cygwin.com; stephen.banville@sycamorenet.com
> > > Subject: RE: NTsec permissions issue over inet
> > >
> > >
> > > Steve,
> > >
> > > On Windows, if you use the Windows sharing mechanism (instead of a
> > > proprietary filesystem driver), your shares are SMB shares (which stands
> > > for Server Message Block, IIRC). The 'smbntsec' option is designed for
> > > those kinds of shares. If you do have a proprietary filesystem driver,
> > > Cygwin most likely doesn't have any support for recognizing the security
> > > attributes on that. <http://cygwin.com/acronyms/#PTC>. It's also
> > > possible that the filesystem driver that you have is partly compatible
> > > with the NTFS or SMB security, and some addition to the Cygwin codebase
> > > to deal better with one or the other has accesses to features that
> > > aren't available on your filesystem, so it stopped working.
> > >
> > > Your login problem has nothing to do with the above. Unlike Linux, where
> > > anyone can run "su" or "login", Windows NT variants require the user to
> > > have extra privileges to be able to switch user context (create an access
> > > token belonging to someone else).
> > > <http://cygwin.com/cygwin-ug-net/ntsec.html#NTSEC-SETUID> should explain
> > > this somewhat.
> > > Igor
> > >
> > > On Sun, 1 Jun 2003, Stephen Banville wrote:
> > >
> > > > HI Bruce,
> > > >
> > > > The reason I don't have smbntsec set is because the remote
> > > > volumes are not Samba Shares. The interesting thing here is that when
> > > > I ran an older version of Cygwin, this functionality would work just
> > > > fine.
> > > > I also tried the passwd trick (which didn't work as well.) I can't
> > > > imagine what the problem could be ? At this time I am running out of
> > > > ideas. My only hope at this time would be to enable some sort of a
> > > > debug
> > > > trace to see what component is actually failing during the login.
> > > > Another interesting point to mention is that when I run the 'login'
> > > > command within the shell, I cannot log in under my user name defined
> > > > in
> > > > the /etc/passwd file. Any ideas why this would ? This could somehow be
> > > > related to my problem.
> > > >
> > > > Any help would be welcomed!!
> > > >
> > > > Steve
> > > >
> > > > -----Original Message-----
> > > > From: cygwin-owner@cygwin.com [mailto:cygwin-owner@cygwin.com] On Behalf
> > > > Of Bruce Dobrin
> > > > Sent: Friday, May 30, 2003 8:20 PM
> > > > To: cygwin@cygwin.com
> > > > Subject: Re: NTsec permissions issue over inet
> > > >
> > > > OK, further testing, I can't get the below rlogin "trick" to work on
> > > > a
> > > > 1.3.22 machine, the one it worked on is actually a 1.3.12 machine.
> > > > so,
> > > > with 1.3.12 I can get it to work by forcing a password entry, but
> > > > this
> > > > appears not to work with a 1.3.22 machine........
> > > > continuing more confused than ever...
> > > >
> > > > ----- Original Message -----
> > > > From: "Bruce Dobrin" <dobrin@imageworks.com>
> > > > To: <cygwin@cygwin.com>
> > > > Sent: Friday, May 30, 2003 4:46 PM
> > > > Subject: Re: NTsec permissions issue over inet
> > > >
> > > >
> > > > > Sorry, On re-reading that, it's not as clear as it could be, the
> > > > > example used in the previous e-mail ( below) was on a later
> > > > > version of cygwin, it is not the 1.3.2 machine referred to
> > > > > earlier in the message.
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Bruce Dobrin" <dobrin@imageworks.com>
> > > > > To: <cygwin@cygwin.com>
> > > > > Cc: <cygwin@cygwin.com>
> > > > > Sent: Friday, May 30, 2003 4:37 PM
> > > > > Subject: Re: NTsec permissions issue over inet
> > > > >
> > > > >
> > > > > > Thanks for responding Larry,
> > > > > >
> > > > > > I actually had tried most permutations of (no)ntsec,
> > > > > > (no)smbntsec, (no)ntea, etc... and on other machines that
> > > > > > didn't have weird path or passwd entries. -- no dice
> > > > > >
> > > > > > I think I may have a good hint as to what is going on, but
> > > > > > I'll need someone who knows the system better than I to figure
> > > > > > out the solution.
> > > > > >
> > > > > > By the way I have around 300 machines here, and I found one
> > > > > > which is running cygwin1.3.2 and which works fine. This leads
> > > > > > me to think that it is something to do with the hosts.equiv
> > > > > > functionality which I believe was non functional before at
> > > > > > 1.3.2 ( at least I didn't use it here). I found machine that
> > > > > > if I : forced the user to use a password and I set some
> > > > > > permutations of the permissions... it then works: example:
> > > > > >
> > > > > > dobrin@THEODOLITE:/home/dobrin> rsh gable3
> > > > > > Fanfare!!!
> > > > > > ..........
> > > > > > dobrin@GABLE3:/home/dobrin> echo $CYGWIN
> > > > > > ntea nontsec smbntsec
> > > > > > dobrin@GABLE3:/home/dobrin> cd //matilda/dist
> > > > > > //matilda/dist: Permission denied.
> > > > > >
> > > > > > BUT, If I force a passwd entry:
> > > > > >
> > > > > > dobrin@THEODOLITE:/home/dobrin> rsh gable3 -l poo
> > > > > > Password:
> > > > > > Login incorrect
> > > > > > login: dobrin
> > > > > > Password:
> > > > > > Fanfare!!!
> > > > > > ...........
> > > > > > dobrin@GABLE3:/home/dobrin> echo $CYGWIN
> > > > > > ntea nontsec smbntsec
> > > > > > dobrin@GABLE3:/home/dobrin> cd //matilda/dist
> > > > > > dobrin@GABLE3:/matilda/dist>
> > > > > >
> > > > > >
> > > > > > Unfortunately I don't really think of this as a good solution,
> > > > > > and it doesn't appear to work with my default $CYGWIN setup.
> > > > > > Does this help at all?
> > > > > > Thanks,
> > > > > > Bruce
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Larry Hall" <cygwin@cygwin.com>
> > > > > > To: "Bruce Dobrin" <dobrin@imageworks.com>
> > > > > > Cc: <cygwin@cygwin.com>
> > > > > > Sent: Thursday, May 29, 2003 7:14 PM
> > > > > > Subject: Re: NTsec permissions issue over inet
> > > > > >
> > > > > >
> > > > > > > Bruce Dobrin wrote:
> > > > > > > > Here are the Cygcheck, and Group files, I'll include the
> > > > > > > > my (typical) passwd entry as we have a ( legitimate)
> > > > > > > > policy against publishing our login id's ( I know it
> > > > > > > > doesn't include encrypted passwd's, but with 650 entries,
> > > > > > > > but I'd like to reduce the fodder for someone's foreach
> > > > > > > > loop thru a cracking program).
> > > > > > > >
> > > > > > > > representative passwd entries:
> > > > > > > >
> > > > > > > > SYSTEM:*:18:544:,S-1-5-18::
> > > > > > > > Administrators:*:544:544:,S-1-5-32-544::
> > > > > > > > dobrin:unused_by_nt/2000/xp:11014:10512:Brucester,U-PRODUCTION\dobrin,S-1-5-21-501104424-1911818820-14498641-1014:/home/dobrin:/bin/bash
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > > Bruce Dobrin
> > > > > > >
> > > > > > >
> > > > > > > Partial passwd entries is fine. What you provided is adequate.
> > > > > > >
> > > > > > > The basics look OK. I find two things in common between
> > > > > > > your information and Steve's:
> > > > > > >
> > > > > > > 1. You both appear to have a strange entry in your path. I'm
> > > > > > > not sure if it's some weird artifact of cygcheck or if it's
> > > > > > > actually in the path. In yours, you have a directory that
> > > > > > > looks like this:
> > > > > > >
> > > > > > > "c
> > > > > > > C:\cygwin\program_files\diskaccess\bin"
> > > > > > >
> > > > > > > Steve's is just "c".
> > > > > > >
> > > > > > > 2. You both have a carriage return as the last character in
> > > > > > > either your passwd or group files.
> > > > > > >
> > > > > > > Neither of these are clearly related to this issue but
> > > > > > > should be investigated and cleaned up. Also, neither of you
> > > > > > > set 'smbntsec' in your CYGWIN environment variable (before
> > > > > > > starting Cygwin or any of it's services). Please do, just
> > > > > > > so we can rule this out as an issue. Also, since you both
> > > > > > > claim that this used to work, please try removing 'ntsec'
> > > > > > > and 'smbntsec' and/or adding 'nontsec' to your CYGWIN
> > > > > > > environment variable (before starting Cygwin or any of it's
> > > > > > > services). This should help pinpoint whether turning
> > > > > > > 'ntsec' on by default in recent releases has any bearing.
--
http://cs.nyu.edu/~pechtcha/
|\ _,,,---,,_ pechtcha@cs.nyu.edu
ZZZzz /,`.-'`' -. ;-;;,_ igor@watson.ibm.com
|,4- ) )-,_. ,\ ( `'-' Igor Pechtchanski
'---''(_/--' `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-. Meow!
"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster." -- Patrick Naughton
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/