This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: group "S-1-2-0" (users who login locally) in ssh; windows 2003


On Aug 18 08:35, Tom Rodman wrote:
> On Fri 8/18/06 8:58 +0200 cygwin@cygwin.com wrote:
> > On Aug 17 18:49, Tom Rodman wrote:
> > > 
> > > tried that.. no joy, take a look:
> > > --v-v------------------C-U-T---H-E-R-E-------------------------v-v-- 
> > >   $ $WINDIR/system32/whoami /all #we're in an ssh session before edits made to /etc/group
> > >   
> > >   USER INFORMATION
> > >   ----------------
> > >   
> > >   User Name  SID
> > >   ========== =============================================
> > >   DOMxx1\adm_usr1 S-1-5-21-1390067357-1202660629-682003330-5774
> > 
> > Must be a password logon session, otherwise you would not see this
> > user name here, but sshd_server.
> 
> You're right, it is a *password authenticated* logon session, such sessions are
> fine w/me for system administration work. On a separate issue, rightly
> or wrongly we use an expect script w/cron to schedule cron jobs that
> access and change files on network shares.

That's bad.  The user token created by cron is the same style as the
user token created with ssh /w pubkey authentication.  The main problem
is that the token has no network credentials.  There's no way around
that, not for the time being, not ever.  The only way to access network
shares using a cron job is to access public shares, or the cron job has
access to the necessary user/password combination and calls `net use'
directly.  And even then, you can only access the shares directly
(//server/share), not with drive letters.

But, Tom, this is all not new.  This has been talked about in this list
for years, really.  You should be able to find that information easily
by googling.

> again - A home dir on a network share, works fine for us w/password
> authentication, so the original post/problem is for the password
> authentication case - sorry I did not make that clear :-<

The trick using /etc/group only works for password-LESS authentication,
sorry for not mentioning it, but usually the problems reported here are
with passwordless authentication so I just assumed this is the case here,
too.  The /etc/group trick can work, though.  The code is just not in
Cygwin.  I put this on my TODO list for an upcoming Cygwin version, but
don't hold your breath.

> It would be interesting to see if you or others can duplicate the problem,
> using password authentication.

Yes, I can duplicate this with password authentication.  However, keep
in mind that the token is generated by Windows.  The token is not
further massaged by Cygwin, so whether or not the LOCAL group is
available in the token is not under control of Cygwin.

> Yes I see the local group "S-1-2-0", but when I ssh'd in, I typed the
> password in for this session and so I expect "whoami /all" to return
> the username that goes with the password - more importantly I need the
> credentials to write to the network shares, that I normally get when
> using ssh via password authentication.

No go.  Either you use password authentication, then you get the correct
username and network credentials, or you use pubkey authentication and
Windows returns the wrong username and you don't have network credentials.
I have a solution which allows getting the right username at one point
(again, don't hold your breath), but when you don't give a password
at logon time, where should the network credentials come from?  This
will never work.

> I appreciate your help on this Corinna, *thank-you*.  Most work I do does
> not seem to require membership in "S-1-2-0", so it's not that big a deal.
> 
> > This is a long standing problem, for
> > years.  There's no workaround for the time being.  However, if you take
> > a look into the user token of the process using other means
> > (OpenProcessToken/GetTokenInformation), you'll see that the token user,
> > as well as the token owner is set to the user account you logged in to,
> > DOMxx1\adm_usr1 in this case.  
> 
> Thanks, I trust you're right, I don't have the experience or time to
> write a simple tool using (OpenProcessToken/GetTokenInformation); maybe
> I can google and find such a tool..

Take the attached file and compile with g++.  It's my crude token
helper application I'm using for some years now.  It shows the
access token you're using when calling the application.  The SIDs are
not translated in user or group names because I don't need that.
Without arguments, everything but the user rights are printed,
with any argument, it also prints the user rights.


HTH,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Attachment: gti.cc
Description: Text document
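The attachment gti.cc is not reproduced in the archive. As an added example (not Corinna's tool, and not part of the original mail), the following PowerShell script inspects the same thing from a Windows session: the token user, the token owner, the group SIDs in the access token, and whether the LOCAL group S-1-2-0 is among them. It uses the .NET WindowsIdentity class, which wraps OpenProcessToken/GetTokenInformation, instead of calling the Win32 API directly; unlike gti.cc it also translates SIDs to account names where the system can resolve them. It assumes it is run inside the ssh or cron session whose token is in question; like gti.cc, it prints the user rights only when given an argument.

```powershell
# Added example: dump the access token of the current process.
# Run this from inside the ssh (or cron) session you want to inspect;
# a token is per logon session, so running it elsewhere tells you nothing.

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

function Resolve-SidName {
    # Translate a SID to DOMAIN\name; gti.cc skips this step entirely.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { '<untranslatable>' }
}

# Token user and owner: with password authentication both should be the
# account you logged in as (DOMxx1\adm_usr1 in the thread above).
"Logon name : {0}" -f $id.Name
"Auth type  : {0}" -f $id.AuthenticationType
"Token user : {0}  ({1})" -f $id.User.Value,  (Resolve-SidName $id.User)
"Token owner: {0}  ({1})" -f $id.Owner.Value, (Resolve-SidName $id.Owner)
""
"Groups in token:"
foreach ($g in $id.Groups) {
    $sid = [System.Security.Principal.SecurityIdentifier]$g
    "  {0,-48} {1}" -f $sid.Value, (Resolve-SidName $sid)
}

# S-1-2-0 is the well-known LOCAL SID; Windows adds it for interactive-style
# logons.  Whether it is present is decided by Windows when the token is built,
# not by Cygwin or sshd.
$localSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::LocalSid, $null)
$hasLocal = @($id.Groups | Where-Object { $_.Value -eq $localSid.Value }).Count -gt 0
""
"LOCAL group (S-1-2-0) present: {0}" -f $hasLocal

# Same convention as gti.cc: any argument also prints the user rights.
if ($args.Count -gt 0) {
    ""
    whoami /priv
}
```

If the token user shows up as the sshd service account rather than your own account, the session was not password authenticated and no network credentials are attached to it, which is the situation the mail describes for pubkey and cron sessions.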
