This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: group"S-1-2-0"(users who login locally)in ssh;windows 2003


On Wed 8/23/06 9:43 +0200 cygwin@cygwin.com wrote:
> On Aug 21 11:13, Tom Rodman wrote:
> > On Fri 8/18/06 16:28 +0200 cygwin@cygwin.com wrote:
> > > The trick using /etc/group only works for password-LESS authentication,
> > > sorry for not mentioning it, but usually the problems reported here are
> > > with passwordless authentication so I just assumed this is the case here, too.  
> > 
> > A trick using /etc/group *does* work for password authentication - at
> > least for domain groups. We edit /etc/group, every day via a cron job -
> 
> Hmm, I'm a bit irritated since actually it can't work, at least not as
> you'd expect.  If a user token created by a password logon is not matching
> the groups you added it to, the token is treated as invalid.  This would
> happen, for instance, if the authenticating application (say, sshd), uses
> setgroups(2) with an entirely different set of groups.  The result is that
> a new token is created in Cygwin, which has nothing to do with the 
> original password token.  Especially the new token is missing the network
> credentials and the user is again running in the wrong logon session.
> This is all a bit tricky.  Right now, I don't know if it's possible to
> create a token with network credentials at all.

Thanks as always for responding Corinna.

I'm answering somewhat hurriedly, let me know if you need more specifics.

Here is empirical evidence that our password authenticated ssh
sessions benefit from daily automatic edits of /etc/group:

  $ whoami #we're now in a password authenticated session to server OurSrvr065
  adm_usr1
  $ pwd -P; mount |grep /adm
  /adm/sa/tmp
  \\OurSrvr063\tcm\adm on /adm type system (binmode,noexec)
  $ uname -a
  CYGWIN_NT-5.2 OurSrvr065 1.5.20s(0.155/4/2) 20060403 13:33:45 i686 Cygwin
  $ pwd -P; mount |grep /adm
  /adm/sa/tmp
  \\OurSrvr063\tcm\adm on /adm type system (binmode,noexec)
  $ grep adm_usr1 /etc/group|sed -eG  #sorry I'm not wrapping these lines
  ABC_NA-CTX-Notepad-A:S-1-5-21-1390067357-1202660629-682003330-9858:19858:staffuser2,staffuser1,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root

  ABC_NA-DOMxx0-tcm-Users-A:S-1-5-21-1390067357-1202660629-682003330-9968:19968:staffuser2,adm_usr1

  Domain Users:S-1-5-21-1390067357-1202660629-682003330-513:10513:staffuser2,staffuser1,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root

  XYZ_BLD_MGR:S-1-5-21-1390067357-1202660629-682003330-6025:16025:staffuser2,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root

  XYZ_ES_ADMIN:S-1-5-21-1390067357-1202660629-682003330-6026:16026:staffuser1,adm_usr1,adm_usr2,doejohn

  XYZ_ES_STAFF:S-1-5-21-1390067357-1202660629-682003330-6027:16027:staffuser2,staffuser1,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root

  XYZ_Users:S-1-5-21-1390067357-1202660629-682003330-6024:16024:staffuser2,staffuser1,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root

  $ id -G; id -Gn
  16027 544 19858 19968 10513 16025 16026 16024 545
  XYZ_ES_STAFF Administrators ABC_NA-CTX-Notepad-A ABC_NA-DOMxx0-tcm-Users-A Domain Users XYZ_BLD_MGR XYZ_ES_ADMIN XYZ_Users Users
  $ getfacl .
  # file: .
  # owner: staffuser2
  # group: XYZ_ES_STAFF
  user::rwx
  group::rwx
  mask:rwx
  other:rwx
  default:user::rwx
  default:group::rwx
  default:other:rwx
  $ dacl -s //OurSrvr063/tcm #an alias for "setacl", setacl dumps windows permissions for the share:
  + setacl -on '\\OurSrvr063\tcm' -ot shr -actn list -lst 'f:tab;w:o,g,d,s;i:y;s:n'
  \\OurSrvr063\tcm

     Owner: BUILTIN\Administrators

     Group: DOMxx1\Domain Users

     DACL(not_protected):
     BUILTIN\Administrators   full   allow   no_inheritance
     DOMxx1\C200-DL-APP-XYZUsers   full   allow   no_inheritance
     Everyone   read   allow   no_inheritance
     DOMxx1\XYZ_Users   full   allow   no_inheritance
     DOMxx0\XYZ_USERS   full   allow   no_inheritance


  SetACL finished successfully.
  + set +x
  $ touch toss686867
  $ echo hi > toss686867  #writing to a file on a network share in a password authenticated ssh session
  $ ls -l toss686867
  -rw-rw-r-- 1 adm_usr1 XYZ_ES_STAFF 3 Aug 23 12:43 toss686867
  $ rm toss686867
  $ egrep '^XYZ_BLD_MGR' /etc/group #notice "adm_usr1" has been added, we will soon remove him..
  XYZ_BLD_MGR:S-1-5-21-1390067357-1202660629-682003330-6025:16025:staffuser2,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root
  $ perl -pe 's~adm_usr1,~~ if (m{^XYZ_BLD_MGR});' /etc/group|grep XYZ_BLD_MGR
  XYZ_BLD_MGR:S-1-5-21-1390067357-1202660629-682003330-6025:16025:staffuser2,adm_usr2,doejohn,crodmat,bcm_root
  $ cd /etc
  $ cp group /tmp
  $ perl -ibackup_wed01 -pe 's~adm_usr1,~~ if (m{^XYZ_BLD_MGR});' /etc/group #removing adm_usr1
  $ diff /etc/group /tmp #the perl /etc/group edit above will position next ssh session to fail..
  --- /etc/group  2006-08-23 12:47:50.840153600 -0500
  +++ /tmp/group  2006-08-23 07:10:33.525216000 -0500
  @@ -2214,7 +2214,7 @@
   SBE-CG_SBE_OFFICE:S-1-5-21-1390067357-1202660629-682003330-12336:22336:
   SBE-Everyone:S-1-5-21-1390067357-1202660629-682003330-12335:22335:
   SBE_Everyone:S-1-5-21-1390067357-1202660629-682003330-12337:22337:
  -XYZ_BLD_MGR:S-1-5-21-1390067357-1202660629-682003330-6025:16025:staffuser2,adm_usr2,doejohn,crodmat,bcm_root
  +XYZ_BLD_MGR:S-1-5-21-1390067357-1202660629-682003330-6025:16025:staffuser2,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root
   XYZ_ES_ADMIN:S-1-5-21-1390067357-1202660629-682003330-6026:16026:staffuser1,adm_usr1,adm_usr2,doejohn
   XYZ_ES_STAFF:S-1-5-21-1390067357-1202660629-682003330-6027:16027:staffuser2,staffuser1,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root
   XYZ_Users:S-1-5-21-1390067357-1202660629-682003330-6024:16024:staffuser2,staffuser1,adm_usr1,adm_usr2,doejohn,crodmat,bcm_root
  $ exit
  logout
  Connection to OurSrvr065 closed.
  --snip
  [12:49:24 Wed Aug 23 0j 36 2354 ~/Mail]
  [localhost rodmant]$ ssh OurSrvr065 -l adm_usr1
  adm_usr1@OurSrvr065's password:
  Last login: Wed Aug 23 12:48:54 2006 from 10.165.10.182
  Welcome to ITZG compile engine ..
  Could not chdir to home directory /user/adm_usr1: Permission denied
  -bash: /etc/profile: Permission denied
  -bash: /user/adm_usr1/.bash_profile: Permission denied
  -bash-3.00$ cd /etc
  -bash-3.00$ cat /tmp/group > group #adm_usr1 put back in domain group 16025 again
  -bash-3.00$ exit # next ssh session will be able to write to network drives again
  logout
  -bash: /user/adm_usr1/.bash_logout: Permission denied
  Connection to OurSrvr065 closed.
  [12:50:02 Wed Aug 23 0j 36 2354 ~/Mail]
  [localhost rodmant]$ ssh OurSrvr065 -l adm_usr1  # start another password authenticated session
  adm_usr1@OurSrvr065's password:
  Last login: Wed Aug 23 12:49:39 2006 from 10.165.10.182
  Welcome to ITZG compile engine ..
  $ cd /adm/sa/tmp
  $ touch toss9879789
  $ echo hi >> toss9879789
  $
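As an added example (not from this thread or from Cygwin itself), here is the check a defender would want before and after a cron job rewrites /etc/group: compare the gids the logon token carries (the `id -G` line above) with the groups in /etc/group that list the user, since a disagreement is exactly the mismatch Corinna says makes Cygwin fall back to a new token without network credentials. The sample file content and token gids are constructed from a few lines of this message; the function name is my own.

```sh
#!/bin/sh
# Constructed /etc/group sample in Cygwin's name:SID:gid:members format,
# trimmed from the thread. 544/545 are BUILTIN groups with no member list.
GROUP_SAMPLE='Domain Users:S-1-5-21-1390067357-1202660629-682003330-513:10513:staffuser2,adm_usr1
XYZ_BLD_MGR:S-1-5-21-1390067357-1202660629-682003330-6025:16025:staffuser2,adm_usr2
XYZ_ES_STAFF:S-1-5-21-1390067357-1202660629-682003330-6027:16027:staffuser2,adm_usr1
Administrators:S-1-5-32-544:544:
Users:S-1-5-32-545:545:'

# Constructed `id -G` output for adm_usr1's password-logon token.
TOKEN_GIDS='16027 544 10513 16025 545'

# group_mismatch USER GROUP_CONTENT TOKEN_GIDS
# Prints "token-only GID" for a domain group (SID S-1-5-21-*) that the token
# carries but whose /etc/group member list lacks USER, and "file-only GID" for
# a group listing USER that the token lacks. BUILTIN groups (S-1-5-32-*) are
# skipped because Cygwin does not record their members in /etc/group.
# Returns 1 if any mismatch was found, 0 if token and file agree.
group_mismatch() {
  printf '%s\n' "$2" | awk -F: -v u="$1" -v tok=" $3 " '
    $2 ~ /^S-1-5-21-/ {
      member = 0
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] == u) member = 1
      intoken = index(tok, " " $3 " ") > 0
      if (intoken && !member) { print "token-only " $3; bad = 1 }
      if (member && !intoken) { print "file-only " $3; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# adm_usr1 was removed from XYZ_BLD_MGR (16025) in the sample, as in the
# experiment above, so the token still carries a gid the file no longer grants.
group_mismatch adm_usr1 "$GROUP_SAMPLE" "$TOKEN_GIDS" || echo 'token and /etc/group disagree'
```

Run the same check from a cron job after the nightly edit, against the real /etc/group and the `id -G` output of a test session, to catch a rewrite that will break the next password-authenticated login.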


