This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: [openssh] service with domain user


On Apr 21 14:56, Julio Costa wrote:
> Hi Cygwinners,
> 
> I've been struggling with an openssh installation in a test
> environment, with the following characteristics:
> 1) Host is a Windows 2003 sp2; So, privsep is enforced;
> 2) Installation of cygwin made with a domain user (local admin);
> 3) Main objective of sshd: file transfers and remote shell for either
> domain users (regular or admin) and local users (restricted only);
> 
> After many tries and tests, I've come to the conclusion that for
> achieving 3), the sshd daemon should run with a domain user; no
> problem, we allocated one for that purpose.
> But now I can't make ssh(d) work correctly. I used the "trick" of
> adding the domain user to passwd and renaming it to cyg_server, and
> indeed the service got installed with the correct domain user, no
> questions asked (thanks, Corinna!).
> But, that's the end of the story.
> I can't make ssh work, and typically the message I see in logs is like
> this: "sshd: PID 3572: fatal: seteuid 18606: Permission denied"
> 
> I thought that the correct permissions/privileges were assigned in the
> ssh-host-config... isn't that so? How do I find what is missing?

No, ssh-host-config can only set the user rights for the local account,
and it only does so if it has been asked to create the account.  If you
pre-create the account (as you have to do if you use a domain account),
you're responsible for giving it the necessary rights yourself.

I, for one, created a cyg_server account using ssh-host-config on the
domain controller, then created a domain policy to propagate the
necessary permissions to other machines in the domain.  You can also
create the important rights(*) for this user on a per-machine basis
using editrights or native Windows tools.


Corinna

(*) Act as part of the operating system,
    Create a token object,
    Replace a process level token
    Log on as a service

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
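As an added example, not part of this thread and not Cygwin's own ssh-host-config code: a small Cygwin shell script that grants a pre-created service account exactly the four rights listed in the footnote, using editrights, and adds only the ones that are missing. The Windows privilege constants used here are the ones behind the four display names (SeTcbPrivilege is "Act as part of the operating system", SeCreateTokenPrivilege is "Create a token object", SeAssignPrimaryTokenPrivilege is "Replace a process level token", SeServiceLogonRight is "Log on as a service"). The script assumes that `editrights -l -u ACCOUNT` prints one right per line, that the account is passed as the first argument (domain-qualified, e.g. `DOMAIN\cyg_server`), and the sample listing at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example: grant the user rights an sshd service account needs,
# adding only those that are not already present, then verify.
# Run from an elevated Cygwin shell; the editrights package must be installed.

# The four rights named in the mail, as Windows privilege constants.
REQUIRED_RIGHTS="SeTcbPrivilege SeCreateTokenPrivilege SeAssignPrimaryTokenPrivilege SeServiceLogonRight"

# missing_rights CURRENT_LIST
#   CURRENT_LIST is the text printed by `editrights -l -u ACCOUNT`
#   (assumed: one right per line). Prints the required rights that
#   are not in that list, one per line, in REQUIRED_RIGHTS order.
missing_rights() {
    current="$1"
    for r in $REQUIRED_RIGHTS; do
        if ! printf '%s\n' "$current" | grep -qx "$r"; then
            printf '%s\n' "$r"
        fi
    done
}

# grant_missing ACCOUNT
#   Reads the account's current rights and adds only the missing ones,
#   so re-running the script is harmless and nothing beyond the four
#   required rights is ever granted.
grant_missing() {
    account="$1"
    current="$(editrights -l -u "$account")" || return 1
    for r in $(missing_rights "$current"); do
        echo "granting $r to $account"
        editrights -a "$r" -u "$account" || return 1
    done
}

# verify_rights ACCOUNT
#   Exit status 0 only if every required right is now present.
verify_rights() {
    account="$1"
    current="$(editrights -l -u "$account")" || return 1
    [ -z "$(missing_rights "$current")" ]
}

# Constructed sample of what the listing might look like on a host where
# only the service-logon right has been granted so far (not real output).
SAMPLE_LIST="SeServiceLogonRight
SeChangeNotifyPrivilege"

# Only touch the system when an account name is given and editrights exists.
if [ "$#" -gt 0 ] && command -v editrights >/dev/null 2>&1; then
    grant_missing "$1" && verify_rights "$1" \
        && echo "all required sshd rights present for $1"
fi
```

Usage: `sh grant-sshd-rights.sh 'DOMAIN\cyg_server'`. After a successful run, `editrights -l -u 'DOMAIN\cyg_server'` should list all four rights; the verify step is what tells you a "seteuid ...: Permission denied" failure is not due to a missing right on this host.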


