This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: More testing needed: New passwd/group AD/SAM integration


On May 16 16:35, Chris J. Breisch wrote:
> Corinna Vinschen wrote:
> >Thanks for testing.  If you find any other problems or annoyances,
> >please speak up.
> >
> >
> >Thanks,
> >Corinna
> >
> 
> I have a problem with ssh using this on a domain machine.
> 
> $ uname -a
> CYGWIN_NT-6.3 cbreisch-win8 1.7.30s(0.272/5/3) 20140514 11:29:16 x86_64
> Cygwin
> 
> I had ssh set up and working properly before installing the snapshot.
> 
> $ cat /etc/nsswitch.conf
> passwd: files
> group: files
> 
> If I leave it using files, I have no problems.
> 
> So, I change it to db and attempt to restart sshd
> 
> $ cat /etc/nsswitch.conf
> passwd: db
> group: db
> 
> # cygrunsrv -E sshd
> # cygrunsrv -S sshd
> cygrunsrv: Error starting a service: QueryServiceStatus:  Win32 error 1062:
> The service has not been started.

I have it working here so I know it's not a generic problem.  What
you're missing is a look into the system logs.  Assuming you're not
running syslogd, you'll find the sshd log messages in the Windows Event
Viewer under "Windows Logs" -> "Application".  In the logs, ignore the
entire text up to:

  sshd: PID xxxx: 

Only the above line is important.

Do you, by any chance, use privilege separation?  If so, and if the 
non-privileged account called "sshd" is a local account, you have a
problem.  The local account is not in the primary domain, thus its
name is prepended with the machine name, in your case

  CBREISCH-WIN8+sshd

There is no account called "sshd" anymore from the POV of Cygwin.

I have a patch in the loop to rectify the problem.  It requires two
changes, one of them to Cygwin, which I already checked in, and one of
them to the OpenSSH sources, which I sent upstream, but which hasn't
been applied nor commented upon yet.

For the time being, you have three choices to fix this problem in your
environment and keep the "db" setting:

- Change nsswitch.conf to the default

     passwd: files db
     group:  files db

  Remove all accounts from passwd, except the "sshd" account, so
  the DBs are used for all accounts except "sshd".

- Alternatively, with "db"-only, remove the local account called "sshd"
  and create a domain account in your primary domain called "sshd"
  instead.  This only works with "db_prefix: auto", the default setting,
  otherwise the domain would be prepended to the Windows username.

- Alternatively, switch off privilege separation in /etc/sshd_config.

> Add files back in:
> 
> $ cat /etc/nsswitch.conf
> passwd: db files
> group: db files
> 
> $ cygrunsrv -S sshd
> 
> works perfectly.
> 
> It appears to have something to do with the cyg_server account. Perhaps
> because I set it up before I installed the snapshot? Why would that matter?
> 
> In any event, when set to use files, I can do this:
> 
> $ id cyg_server
> uid=1008(cyg_server) gid=513(None) groups=513(None),0(root),545(Users)
> 
> when only using db, I get
> 
> $ id cyg_server
> id: cyg_server: no such user
> 
> cyg_server does exist on the machine:
> 
> $ net users
> 
> User accounts for \\CBREISCH-WIN8

Same as with the aforementioned "sshd" account.  Try

  $ getent passwd CBREISCH-WIN8+cyg_server

This account naming convention is documented in my preliminary
documentation which I attached to this email again.  See the chapter
"How does it work?"

But the name of the account *running* sshd shouldn't be a problem.
If anything, it's probably the "sshd" account.


Hope that helps,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

Attachment: pwdgrp-doc
Description: Text document

Attachment: pgpw5UKUtITQa.pgp
Description: PGP signature
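The following script is an added example; it is not code from this thread or from the Cygwin or OpenSSH projects.  It reproduces the diagnosis in the reply above in runnable form: given an nsswitch.conf, an sshd_config, a dump of what "getent passwd" prints and the machine name, it reports whether the privilege-separation account "sshd" resolves, or whether it is only visible as MACHINE+sshd (the failing db-only case).  The sample inputs are constructed here, the uid and gecos values are placeholders, and the assumption that the prefix is the upper-cased computer name is the script's own, not something stated in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Cygwin project.
# It mirrors the diagnosis in the reply above: under "passwd: db" a local
# (non-domain) account is only known to Cygwin as MACHINE+name, so the
# privilege-separation account "sshd" no longer resolves and sshd refuses
# to start. Every input is a file or argument so the script runs offline;
# on a real Cygwin box feed it /etc/nsswitch.conf, /etc/sshd_config, the
# output of "getent passwd" and the machine name (see the note at the end).

# Print the sources on the "passwd:" line of an nsswitch.conf, e.g. "files db".
# If the line is absent, print the default quoted in the reply, "files db".
nss_passwd_sources() {
    awk -F: '$1 == "passwd" { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; found = 1 }
             END { if (!found) print "files db" }' "$1"
}

# Succeed (exit 0) when sshd_config leaves privilege separation on, which is
# OpenSSH's default; fail when it is explicitly set to "no".
privsep_enabled() {
    ! grep -Eiq '^[[:space:]]*UsePrivilegeSeparation[[:space:]]+no([[:space:]]|$)' "$1"
}

# resolve_account NAME DUMP: DUMP is what "getent passwd" prints. Print the
# uid of NAME if present, otherwise exit 1 (the "no such user" case).
resolve_account() {
    awk -F: -v n="$1" '$1 == n { print $3; ok = 1 } END { exit (ok ? 0 : 1) }' "$2"
}

# diagnose NSSWITCH SSHD_CONFIG DUMP MACHINE
# Prints exactly one verdict:
#   privsep-off           sshd needs no "sshd" account at all
#   ok                    "sshd" resolves as-is, sshd will start
#   hidden-db-only        "sshd" exists only as MACHINE+sshd and nsswitch lists
#                         no "files" source (the failing setup in the thread)
#   hidden-not-in-passwd  "files" is listed but /etc/passwd lacks an "sshd" line
#   missing               no "sshd" account under either name
diagnose() {
    privsep_enabled "$2" || { echo privsep-off; return 0; }
    if resolve_account sshd "$3" >/dev/null; then
        echo ok
    elif resolve_account "$4+sshd" "$3" >/dev/null; then
        case " $(nss_passwd_sources "$1") " in
            *" files "*) echo hidden-not-in-passwd ;;
            *)           echo hidden-db-only ;;
        esac
    else
        echo missing
    fi
}

# Constructed sample inputs (not data taken from the thread).
tmp=$(mktemp -d)
printf 'passwd: db\ngroup: db\n'             > "$tmp/nsswitch.db"
printf 'passwd: files db\ngroup: files db\n' > "$tmp/nsswitch.default"
printf 'UsePrivilegeSeparation yes\n'        > "$tmp/sshd_config.yes"
printf 'UsePrivilegeSeparation no\n'         > "$tmp/sshd_config.no"
# "getent passwd" under db-only: the local accounts carry the machine prefix
# (uids and gecos fields are placeholders).
cat > "$tmp/passwd.db" <<'EOF'
CBREISCH-WIN8+sshd:*:1009:513:Privilege-separated SSH:/var/empty:/bin/false
CBREISCH-WIN8+cyg_server:*:1008:513:cyg_server:/var/empty:/bin/false
EOF
# "getent passwd" with "files db" and an /etc/passwd that still lists sshd.
cat > "$tmp/passwd.files" <<'EOF'
sshd:*:1009:513:Privilege-separated SSH:/var/empty:/bin/false
EOF

diagnose "$tmp/nsswitch.db"      "$tmp/sshd_config.yes" "$tmp/passwd.db"    CBREISCH-WIN8  # hidden-db-only
diagnose "$tmp/nsswitch.default" "$tmp/sshd_config.yes" "$tmp/passwd.files" CBREISCH-WIN8  # ok
diagnose "$tmp/nsswitch.db"      "$tmp/sshd_config.no"  "$tmp/passwd.db"    CBREISCH-WIN8  # privsep-off

# On Cygwin itself (assumption: the prefix is the upper-cased computer name):
#   getent passwd > /tmp/pw.dump
#   diagnose /etc/nsswitch.conf /etc/sshd_config /tmp/pw.dump "$(hostname | tr a-z A-Z)"
```

The "hidden-*" verdicts correspond to the three remedies in the reply: put "files" in front of "db" and keep only the "sshd" line in /etc/passwd, replace the local "sshd" account with a domain one (with the default db_prefix: auto), or set UsePrivilegeSeparation no.  The same lookup explains the "id: cyg_server: no such user" output in the quoted message: resolve_account finds CBREISCH-WIN8+cyg_server in the db-only dump but not a bare cyg_server.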
