This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Unable to run sshd under a domain sshd_server account [SOLVED]


On May 12 18:29, Igor Peshansky wrote:
> On Mon, 12 May 2008, Schutter, Thomas A. wrote:
> 
> > > -----Original Message-----
> > > From: Schutter, Thomas A.
> > > Sent: Monday, May 12, 2008 9:52 AM
> > > To: 'cygwin@XXXXXX.XXX'
> 
> <http://cygwin.com/acronyms/#PCYMTNQREAIYR>.
> 
> > > Subject: Unable to run sshd under a domain sshd_server account
> > >
> > > I am having problems setting up sshd to run under a domain sshd_server
> > > account instead of a local sshd_server account.
> > > [snip]
> > > But when I login via ssh:
> > >   $ echo $USER
> > >   tschutter
> > >   $ echo $USERNAME
> > >   sshd_server
> 
> Yes -- Windows does not understand user impersonation and does not allow
> real user switching.  So what sshd does is invoke processes with the
> appropriate token privileges for the user it's impersonating, while
> updating internal Cygwin data structures, but still running as
> sshd_server.  So Cygwin sees the right user (in its internal state), but
> Windows processes, of course, don't.

That's not correct.  This problem cropped up on the list a lot already.
When not using password authentication, Cygwin has to create a user
token from scratch.  The resulting processes are running under a normal
user token with correctly set user and group ownership.  What's missing
is a logon session for this user because only an LSA authentication
module can do that.  As a result, the processes of the new user are
running in the logon session of the user running sshd.  And here's the
problem.  For some reason, the appropriate Windows functions like
LookupAccountSid identify the user token's user SID incorrectly as the
user who's owning the logon session.  And that's all:  The connection
SID <-> Username is broken.  The token itself is ok.  Usually that's
not a big deal, except that some Windows applications stumble over that,
like some Visual Studio stuff.

The way to fix this is to use a special LSA authentication module which
will be available with the next major release of Cygwin.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
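The mismatch described above (token user SID correct, SID-to-name lookup pointing at the logon-session owner) can be checked from inside an affected ssh session. The following PowerShell script is an added diagnostic, not code from the thread, from Cygwin or from OpenSSH. It assumes it is launched from a Cygwin ssh session (so `USER` carries the name Cygwin reports and `USERNAME` the name Windows reports, as in the original post) and that the domain controller is reachable so account names and SIDs can be resolved in both directions; the file name check-token.ps1 is a placeholder.

```powershell
# Added diagnostic (not part of the original thread, Cygwin or OpenSSH).
# Run from a Cygwin ssh session:  powershell -File check-token.ps1
# Assumptions: $env:USER is the name Cygwin reports for the session,
# and the domain is reachable for name <-> SID resolution.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSid  = $identity.User      # user SID taken directly from the process token
$cygwinUser = $env:USER
if (-not $cygwinUser) {
    throw "USER is not set; run this from inside a Cygwin ssh session."
}

# Resolve the name Cygwin reports to the SID Windows holds for that account.
$expectedSid = (New-Object System.Security.Principal.NTAccount($cygwinUser)).Translate(
                   [System.Security.Principal.SecurityIdentifier])

# Resolve the token's SID back to a name. Per the thread, this SID -> name
# direction is the one that can return the logon-session owner (sshd_server)
# instead of the account the token actually belongs to.
$resolvedName = $tokenSid.Translate([System.Security.Principal.NTAccount]).Value
$resolvedUser = $resolvedName.Split('\')[-1]

Write-Host "Cygwin USER        : $cygwinUser"
Write-Host "Windows USERNAME   : $env:USERNAME"
Write-Host "Token user SID     : $($tokenSid.Value)"
Write-Host "Expected SID       : $($expectedSid.Value)"
Write-Host "SID -> name lookup : $resolvedName"

$exitCode = 0
if ($tokenSid.Value -eq $expectedSid.Value) {
    Write-Host "OK   token user SID matches the Cygwin user (token itself is correct)"
} else {
    Write-Host "FAIL token user SID differs from the Cygwin user: sshd is not running the session under the expected account"
    $exitCode = 2
}
if ($resolvedUser -ieq $cygwinUser) {
    Write-Host "OK   SID -> name lookup agrees with the Cygwin user"
} else {
    Write-Host "WARN SID -> name lookup returned '$resolvedUser': the SID <-> username mapping is broken for this session (no own logon session)"
    if ($exitCode -eq 0) { $exitCode = 1 }
}
exit $exitCode
```

Exit code 0 means both checks agree, 1 means the token is right but the name lookup is not (the situation the thread describes, which Windows-side applications may trip over), and 2 means the token itself belongs to a different account and the sshd setup should be examined first.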

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

