This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)


I'm attaching the whoami results:

whoami-win.txt - whoami run when logged on to the Windows computer directly (both OFFICE\test1 and SM2WIN2003\local1)

whoami-ssh.txt - whoami run while ssh-ed in as the user test1 (in both cases, with and without the Test Users group in /etc/group) and as the user local1

The interesting observations are:
- when ssh-ed as user test1, the SID reported by whoami is the correct SID of the user in both cases. In one case the name is correct, in the other the name is sshd_server
- when ssh-ed as user test1 with the stripped-down /etc/group such that whoami displays the right user, the group information is almost identical to whoami run when logged on directly through Windows, with the exception of the group LOCAL, which is missing.


(also forgot to mention, the credit for the idea of stripping off /etc/group goes to Dave Perdue)


From: "Larry Hall (Cygwin)" <reply-to-list-only-lh at cygwin dot com>
To: cygwin at cygwin dot com
Date: Wed, 30 Aug 2006 17:54:57 -0400
Subject: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
References: <44F5FD93.1020503@asperasoft.com> (http://cygwin.com/ml/cygwin/2006-08/msg01056.html)
Reply-to: cygwin at cygwin dot com



Serban Simu wrote:


   I did notice a number of postings around this subject, but couldn't
   see a resolution (Corinna answered a Feb '06 posting by Dave Perdue
   that the problem should be fixed in 1.5.20, which is why I'm
   reposting for 1.5.21).

   I am exclusively using password auth (and am aware of the pubkey
   auth limitations).

   The basic setup is a Win 2003 R2 standard server, member of a domain
   (machine name is SM2WIN2003 and domain is OFFICE). Installed 1.5.21
   and ran ssh-host-config. All goes well and I have sshd service
   running as local user sshd_server.

   Then ran mkpasswd and mkgroup:
   mkpasswd -l > /etc/passwd
   mkpasswd -d >> /etc/passwd (I only have one domain so this is same
   as mkpasswd -d OFFICE)
   mkgroup -l > /etc/group
   mkgroup -d >> /etc/group

   If I ssh as a local user "local1", windows whoami returns
   sm2win2003\local1
   If I ssh as domain user "test1", windows whoami returns
   sm2win2003\sshd_server (BAD)

   If I strip the /etc/group file to only:
   SYSTEM:S-1-5-18:18:
   None:S-1-5-21-3712540747-3723856708-2352634044-513:513:
   Domain Users:S-1-5-21-4293257363-1756470469-1603820055-513:10513:
   Then ssh as domain user "test1", windows whoami returns office\test1
   (GOOD)

   Now, I tried adding the minimum possible to /etc/group to create the
   problem, so if I just add one line:
   SYSTEM:S-1-5-18:18:
   None:S-1-5-21-3712540747-3723856708-2352634044-513:513:
   Domain Users:S-1-5-21-4293257363-1756470469-1603820055-513:10513:
   Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:
   Then ssh as domain user "test1", windows whoami returns
   sm2win2003\sshd_server (BAD)

   My domain user test1 is a member of domain group Test Users.

   So my questions would be:

   (1) I did find a work around, but what is the explanation of this
   problem and what is a good, solid work around?
   (2) Is there a way and a plan to straighten this behavior, and maybe
   document the usage in Win 2003 domain environments (I'm assuming
   that most people would be interested in accessing network resources
   in Win 2003 domains, which is why this is a problem in the first place)

   Also, I believe that I didn't have this problem on older Win 2003
   (before R2), but I no longer have a test setup to confirm it.

   Attached is the full "whoami /all" output and cygcheck.out.



Interesting results.  It would be interesting to see what "whoami /all"
reports for these users locally as well, without the sshd "filter".  I
expect the issue at hand here is that one group for each user is the
primary group.  My WAG is that "Test Users" is the primary group for
the user "test1".  Off the top of my head, it's not clear how adding
the group to the '/etc/group' file changes things though.


--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746


##########################################################################
#         Locally logged in user OFFICE\test1                            #
##########################################################################

USER INFORMATION
----------------

User Name    SID                                           
============ ==============================================
office\test1 S-1-5-21-4293257363-1756470469-1603820055-1125


GROUP INFORMATION
-----------------

Group Name                       Type             SID                                            Attributes                                                     
================================ ================ ============================================== ===============================================================
Everyone                         Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group             
BUILTIN\Administrators           Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                    Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization   Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group             
LOCAL                            Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group             
OFFICE\Test Users                Group            S-1-5-21-4293257363-1756470469-1603820055-1123 Mandatory group, Enabled by default, Enabled group             


PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State   
=============================== ========================================= ========
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled 
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege         Create global objects                     Enabled 




##########################################################################
#         Locally logged in user SM2WIN2003\local1                       #
##########################################################################

USER INFORMATION
----------------

User Name         SID                                           
================= ==============================================
sm2win2003\local1 S-1-5-21-3712540747-3723856708-2352634044-1009


GROUP INFORMATION
-----------------

Group Name                       Type             SID          Attributes                                        
================================ ================ ============ ==================================================
Everyone                         Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization   Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name          Description              State  
======================= ======================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled


#####################################################################
#                LOGIN AS LOCAL USER local1                         #
#####################################################################

C:\>ssh local1@192.168.3.54
local1@192.168.3.54's password:

local1@sm2win2003 ~$ C:/windows/system32/whoami /all

USER INFORMATION
----------------

User Name         SID
================= ==============================================
sm2win2003\local1 S-1-5-21-3712540747-3723856708-2352634044-1009


GROUP INFORMATION
-----------------

Group Name                       Type             SID          Attributes
================================ ================ ============ ==================================================
Everyone                         Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization   Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name          Description              State
======================= ======================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled

local1@sm2win2003 ~
$ exit
logout
Connection to 192.168.3.54 closed.


#####################################################################
#       LOGIN AS DOMAIN USER test1 (/etc/group has Test Users)      #
#####################################################################


C:\>ssh test1@192.168.3.54
test1@192.168.3.54's password:
Last login: Wed Aug 30 11:43:21 2006 from 192.168.1.12

test1@sm2win2003 ~$ c:/windows/system32/whoami /all

USER INFORMATION
----------------

User Name              SID
====================== ==============================================
sm2win2003\sshd_server S-1-5-21-4293257363-1756470469-1603820055-1125


GROUP INFORMATION
-----------------

Group Name                       Type             SID          Attributes
================================ ================ ============ ==================================================
Everyone                         Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE             Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators           Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= =======
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeSecurityPrivilege             Manage auditing and security log          Enabled
SeBackupPrivilege               Back up files and directories             Enabled
SeRestorePrivilege              Restore files and directories             Enabled
SeSystemtimePrivilege           Change the system time                    Enabled
SeShutdownPrivilege             Shut down the system                      Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Enabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Enabled
SeDebugPrivilege                Debug programs                            Enabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Enabled
SeSystemProfilePrivilege        Profile system performance                Enabled
SeProfileSingleProcessPrivilege Profile single process                    Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Enabled
SeLoadDriverPrivilege           Load and unload device drivers            Enabled
SeCreatePagefilePrivilege       Create a pagefile                         Enabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Enabled
SeUndockPrivilege               Remove computer from docking station      Enabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Enabled

test1@sm2win2003 ~
$ exit
logout
Connection to 192.168.3.54 closed.


#####################################################################
#  LOGIN AS DOMAIN USER test1 (/etc/group doesn't have Test Users)  #
#####################################################################


C:\Documents and Settings\asp1\Desktop>ssh test1@192.168.3.54
test1@192.168.3.54's password:
Last login: Wed Aug 30 13:05:37 2006 from 192.168.1.12

test1@sm2win2003 ~
$ c:/windows/system32/whoami /all

USER INFORMATION
----------------

User Name    SID
============ ==============================================
office\test1 S-1-5-21-4293257363-1756470469-1603820055-1125


GROUP INFORMATION
-----------------

Group Name                       Type             SID                                            Attributes
================================ ================ =====================================================================
Everyone                         Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators           Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                    Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization   Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
OFFICE\Test Users                Group            S-1-5-21-4293257363-1756470469-1603820055-1123 Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled

test1@sm2win2003 ~
$ exit
logout
Connection to 192.168.3.54 closed.
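As an added diagnostic (not part of this thread or of Cygwin), a Python script that parses two "whoami /all" captures, one from a local logon and one from an ssh session, and reports the pattern seen above: same SID but a different account name, groups present in one token but not the other, and privileges that are enabled only in the ssh session. The excerpts embedded in it are constructed from the values quoted in the attachments; the functions parse_whoami and compare are hypothetical names.

```python
import re
from itertools import takewhile
# Constructed excerpts modelled on the attached whoami /all output: domain user test1
# logged on locally, and the same user ssh-ed in while "Test Users" is in /etc/group.
LOCAL = r"""
User Name    SID
============ ==============================================
office\test1 S-1-5-21-4293257363-1756470469-1603820055-1125

Group Name        Type  SID                                            Attributes
================= ===== ============================================== ==================================================
OFFICE\Test Users Group S-1-5-21-4293257363-1756470469-1603820055-1123 Mandatory group, Enabled by default, Enabled group

Privilege Name   Description    State
================ ============== ========
SeDebugPrivilege Debug programs Disabled
"""
SSH = r"""
User Name              SID
====================== ==============================================
sm2win2003\sshd_server S-1-5-21-4293257363-1756470469-1603820055-1125

Group Name           Type             SID      Attributes
==================== ================ ======= ==================================================
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group

Privilege Name   Description    State
================ ============== ========
SeDebugPrivilege Debug programs Enabled
"""

def parse_whoami(text):
    """Slice the fixed-width whoami /all tables on their '====' rulers into user, groups and privileges."""
    lines, out = text.splitlines(), {"user": None, "groups": {}, "privs": {}}
    for i in [n for n, ln in enumerate(lines) if ln.startswith("=")]:  # one ruler under each header
        spans = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[i])]
        # column names come from the header line just above the ruler; the last column runs to end of line
        header = re.split(r" {2,}", lines[i - 1].strip())
        cells = lambda s: [s[a:b].strip() for a, b in spans[:-1]] + [s[spans[-1][0]:].strip()]
        rows = [dict(zip(header, cells(r))) for r in takewhile(str.strip, lines[i + 1:])]
        if header[0] == "User Name":
            out["user"] = (rows[0]["User Name"], rows[0]["SID"])
        elif header[0] == "Group Name":
            out["groups"] = {r["SID"]: r["Group Name"] for r in rows}
        elif header[0] == "Privilege Name":
            out["privs"] = {r["Privilege Name"]: r["State"] for r in rows}
    return out

def compare(local, ssh):
    """List how the ssh session token differs from the local logon token of the same account."""
    findings = []
    (lname, lsid), (sname, ssid) = local["user"], ssh["user"]
    if lsid == ssid and lname.lower() != sname.lower():
        findings.append(f"same SID {ssid} but name changed: {lname} -> {sname}")
    for label, a, b in (("missing group", local, ssh), ("extra group", ssh, local)):
        for sid in set(a["groups"]) - set(b["groups"]):
            findings.append(f"{label}: {a['groups'][sid]} ({sid})")
    for name, state in ssh["privs"].items():
        if state == "Enabled" and local["privs"].get(name) != "Enabled":
            findings.append(f"privilege enabled over ssh only: {name}")
    return sorted(findings)
```

Run compare(parse_whoami(LOCAL), parse_whoami(SSH)) on the two captures; in the attached data the ssh session for test1 with "Test Users" in /etc/group would also list the whole set of privileges that are enabled for sshd_server but disabled for test1 locally, which is the part worth checking after the name mismatch itself.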
