This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: chmod/chown + ntsec doesn't work (was OpenSSH and RSA authentication problems)


Corinna,

On Fri, Oct 26, 2001 at 08:00:24PM +0200, Corinna Vinschen wrote:
> On Thu, Oct 25, 2001 at 02:12:44PM -0400, Jason Tishler wrote:
> > I know that it has been noted that one cannot access network shares from
> > a ssh login due to running under the LocalSystem account.  But, I was
> > surprised by the chown and start/stop service restrictions since I
> > perceived them to be local operations.
> 
> I'm surprised, too.  I don't have a domain environment so I can't
> test that further.  Are you sure that you're not just restricted
> due to either having /etc/passwd or /etc/group not setup correctly

AFAICT, I have set up my passwd/group file correctly.  The procedure
that I use in a domain environment is to execute mkpasswd/mkgroup -l and
then append the appropriate entries from mkpasswd/mkgroup -d.

> or actually having restrictions due to domain policy?

I'm not sure what you mean by "domain policy."  Can a Windows domain
policy cause the restrictions being observed?

Nevertheless, I now better understand why chown was not working under
ssh via key exchange:

$ ssh tishlmob2d1m701 id
uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),545(Users),10513(Domain Users),12093(Software Engineering)

Note that Windows does not think that I am in the local Administrators
group.  Hence, I'm not able to chown, net start/stop, etc.

But, if I ssh via password exchange:

$ ssh -1 tishlmob2d1m701 id
jtishler@tishlmob2d1m701's password: 
uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),544(Administrators),545(Users),10513(Domain Users),12093(Software Engineering)

then Windows does.  Why?  Unfortunately, I don't (currently) know.

Here is another example:

$ ssh raidboston id
uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),545(Users),10513(Domain Users),12093(Software Engineering

$ ssh -1 raidboston id
jtishler@raidboston's password: 
uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),544(Administrators),545(Users),1001(cvs-change-local),1000(cvsfull-local),10513(Domain Users),12093(Software Engineering)

Note that cvs-change-local and cvsfull-local are local groups.  So,
it appears that when one uses ssh key exchange to a domain machine,
then Windows does not think that the user is a member of any local group
except possibly Everyone.  Is Everyone a local or domain group?

BTW, the local group membership problem also affects cron usage in domain
environments -- to no great surprise.

Jason
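
The comparison made by eye in the message above can be scripted. This is an added example, not part of the original message: it diffs the groups= field of two `id` outputs and reports the groups present only in the password session. The function names are hypothetical, and the two sample strings are copied from the raidboston output in the message.

```shell
#!/bin/sh
# Added example: compare the groups= field of two `id` outputs to see which
# group memberships are absent from one login session's token.

# Sample input copied from the raidboston sessions in the message
# (the key-exchange line lacks its final ")" exactly as posted).
KEY_ID='uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),545(Users),10513(Domain Users),12093(Software Engineering'
PW_ID='uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),544(Administrators),545(Users),1001(cvs-change-local),1000(cvsfull-local),10513(Domain Users),12093(Software Engineering)'

# Print one "gid(name)" entry per line from the groups= field of an id line.
# Names may contain spaces; an entry whose closing ")" was cut off is repaired.
id_groups() {
    printf '%s\n' "$1" |
        sed -n 's/.*groups=//p' |
        tr ',' '\n' |
        sed -e 's/[[:space:]]*$//' -e '/^$/d' \
            -e 's/^\([0-9]*([^)]*\)$/\1)/'
}

# Print the entries that appear in the second id line but not in the first.
# Usage: missing_groups "$key_session_id" "$password_session_id"
missing_groups() {
    key_list=$(id_groups "$1")
    id_groups "$2" | while IFS= read -r entry; do
        printf '%s\n' "$key_list" | grep -Fqx -- "$entry" ||
            printf '%s\n' "$entry"
    done
}

# Succeed when gid 544 (shown as Administrators in the message's output)
# is absent from the session.
lacks_admin() {
    ! id_groups "$1" | grep -q '^544('
}

echo "Groups missing from the key-exchange session:"
missing_groups "$KEY_ID" "$PW_ID"
if lacks_admin "$KEY_ID"; then
    echo "Key-exchange session is not in 544(Administrators)"
fi
```

Against live hosts, the two arguments would be the captured output of the `ssh host id` commands shown in the message.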
