This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: Unable to run sshd under a domain sshd_server account [SOLVED]
- From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
- To: cygwin at cygwin dot com
- Cc: "Schutter, Thomas A." <tschutter at proxix dot com>
- Date: Mon, 16 Jun 2008 23:01:05 +0200
- Subject: Re: Unable to run sshd under a domain sshd_server account [SOLVED]
- References: <3B3EFBD49B94AD4DBB7B7097257A8046DD020D@FDSVAST06SXCH01.flooddata.net> <Pine.GSO.4.63.0805121820090.11953@access1.cims.nyu.edu> <20080513073720.GA22193@calimero.vinschen.de> <3B3EFBD49B94AD4DBB7B7097257A8046DD02FC@FDSVAST06SXCH01.flooddata.net>
- Reply-to: cygwin at cygwin dot com
Hi Thomas,
On May 13 11:09, Schutter, Thomas A. wrote:
> Except that is not what I am seeing. When I run "id" from a console
> cygwin shell:
> $ id
> uid=18718(tschutter) gid=10513(Domain Users)
> groups=544(Administrators),545(Users),10513(Domain
> Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)
>
> But when I run "id" from a ssh shell:
> $ id
> uid=18718(tschutter) gid=10513(Domain Users)
> groups=545(Users),10513(Domain Users)
>
> So when I am using pubkey authentication, the user token is not a member
> of the "Administrators", "FDSV-GG-PrxBLD", or "FDSV-GG-PrxPCAdmins"
> groups.
Dunno if you fixed this problem in the meantime? I tested this myself
and debugged this situation. It turned out (in *my* local scenario)
that the PDC refused to list the groups the user is a member of:
$ id
uid=11001(corinna) gid=10513(DomUsers) groups=545(Users),10513(DomUsers)
The problem was that the domain sshd_server account has no right to
access the domain controller from the network. Solution: Open the Local
Security Policy of the DC and look for the User Right "Deny access to
this computer from the network". You'll find your sshd_server user in
there. Remove it from this user right. Try again:
$ id
uid=11001(corinna) gid=10513(DomUsers) groups=544(Administrators),
545(Users),10512(DomAdmins),10513(DomUsers)
If that doesn't help, you'll probably have an overriding Domain
Controller Security Policy set. Look there, set (or reset) the "Deny
access to this computer from the network" user right accordingly and try
again.
HTH,
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
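
An added example, not part of the original mail: a small shell check for the symptom discussed in this thread, listing groups that appear in a console `id` output but are absent from the `id` output of an ssh session. The function names are hypothetical; the two sample strings are the `id` outputs quoted in the message above, including the mail's line wraps.

```shell
#!/bin/sh
# Added example (not from the original mail). Function names are hypothetical.

# Print one "gid(name)" entry per line from the groups= list of an `id`
# output string. Line wraps inside the list are joined with a space, so a
# wrapped "Domain\nUsers" becomes "Domain Users" again.
id_groups() {
    printf '%s\n' "$1" | tr '\n' ' ' |
        sed -n 's/.*groups=//p' | tr ',' '\n' |
        sed 's/^ *//; s/ *$//; /^$/d' | LC_ALL=C sort -u
}

# $1 = reference `id` output (console), $2 = `id` output under test (ssh).
# Prints every group present in the reference but absent from the test.
missing_groups() {
    test_list=$(id_groups "$2")
    id_groups "$1" | while IFS= read -r g; do
        printf '%s\n' "$test_list" | grep -Fxq -- "$g" || printf '%s\n' "$g"
    done
}

# Succeeds only when the session under test carries every reference group.
token_complete() {
    [ -z "$(missing_groups "$1" "$2")" ]
}

# Sample input: the two `id` outputs quoted in the mail above.
CONSOLE_ID='uid=18718(tschutter) gid=10513(Domain Users)
groups=544(Administrators),545(Users),10513(Domain
Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)'
SSH_ID='uid=18718(tschutter) gid=10513(Domain Users)
groups=545(Users),10513(Domain Users)'

if token_complete "$CONSOLE_ID" "$SSH_ID"; then
    echo "ssh session token carries all console groups"
else
    echo "groups missing from the ssh session token:"
    missing_groups "$CONSOLE_ID" "$SSH_ID" | sed 's/^/  /'
fi
```

On a live system the two arguments would be the output of `id` run in a console shell and in an ssh session for the same user.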