This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])


Corinna Vinschen wrote:

> However, I sent a second patch in
> http://cygwin.com/ml/cygwin/2008-06/msg00453.html
> The Interactive Logon Right is also necessary for this account.

I don't know why I missed that. I'll roll 0.1.6 soon.


> What also doesn't work well is this:  In a domain I might want a
> cyg_server domain account, rather than a local account on each
> machine.  The reason is that the rights of the domain account can
> be nicely controlled via group policy.  That won't work for local
> accounts on the domain member machines.  Therefore, if a cyg_server
> account exists in /etc/passwd, I think it should be used.

I'm afraid I have no access to a domain account on which I can test this sort of thing (I mean, I /do/ have a domain account at work, but I can't experiment with adding new domain accounts, nor manipulate their privileges).


This is the primary function that obtains a list of all "candidate" privileged accounts (unless the user has already set csih_PRIVILEGED_USERNAME):

csih_privileged_accounts()
{
  csih_stacktrace "${@}"
  $_csih_trace
  local username
  local accounts
  local first_account

  # Candidates are probed on NT2003+, or on other NT systems only when
  # csih_FORCE_PRIVILEGED_USER=yes.  (The original line read
  # '[ csih_is_nt -a ... ]', which tests the literal string "csih_is_nt",
  # always true, instead of calling the function; fixed here.)
  if ( csih_is_nt2003 || ( csih_is_nt && [ "x$csih_FORCE_PRIVILEGED_USER" = "xyes" ] ) )
  then
    # Skip the probe if an earlier call already filled the cache.
    if [ -z "${_csih_all_preexisting_privileged_accounts}" ]
    then
      for username in cyg_server cron_server sshd_server
      do
        # 'net user' succeeds only for accounts in the local SAM.
        if net user "${username}" 1> /dev/null 2>&1
        then
          [ -z "${first_account}" ] && first_account="${username}"
          accounts="${accounts}'${username}' "
        fi
      done
      if [ -n "${accounts}" ]
      then
        _csih_all_preexisting_privileged_accounts="${accounts}"
        _csih_preferred_preexisting_privileged_account="${first_account}"
      fi
    fi
  fi
} # === End of csih_privileged_accounts() === #


I imagine you are suggesting that the following loop:

      for username in cyg_server cron_server sshd_server
      do
        if net user "${username}" 1> /dev/null 2>&1
        then
          [ -z "${first_account}" ] && first_account="${username}"
          accounts="${accounts}'${username}' "
        fi
      done

should be modified somehow, perhaps (UNTESTED):

      for username in cyg_server cron_server sshd_server
      do
        if egrep "^${username}:" /etc/passwd 1>/dev/null 2>&1 ||
           net user "${username}" 1> /dev/null 2>&1
        then
          [ -z "${first_account}" ] && first_account="${username}"
          accounts="${accounts}'${username}' "
        fi
      done

However, note that at present there is no provision in csih to "decorate" user names with domain information (e.g. username="MyDomain\cyg_server"). It /might/ work, if you manually set csih_PRIVILEGED_USERNAME that way, but I haven't tested it -- and have no way to do so. It would be serendipitous at best if that worked. But I'm not sure you really /need/ that -- if the privileged domain user is in the active domain of the computer on which you want to use that privileged account (e.g. to run sshd)...which I imagine is the use case under consideration here...I don't think you really /need/ to explicitly specify the domain.

--
Chuck
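The merged check sketched in the reply above (accept a candidate if it is either mapped in /etc/passwd, as a domain account would be, or exists in the local SAM), written out as an added, runnable example that is not csih's own code. The Windows "net user" probe is replaced by local_account_exists, a stand-in driven by the assumed LOCAL_ACCOUNTS variable, and the passwd file is a constructed sample so the logic can be exercised on any POSIX shell.

```shell
# PASSWD_FILE and LOCAL_ACCOUNTS are assumptions for offline testing.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
LOCAL_ACCOUNTS="${LOCAL_ACCOUNTS:-}"   # space-separated stand-in for 'net user' hits

# Stand-in for: net user "$1" 1>/dev/null 2>&1  (local SAM only)
local_account_exists() {
    for a in $LOCAL_ACCOUNTS; do [ "$a" = "$1" ] && return 0; done
    return 1
}

# Exact match on field 1, so 'cyg_server2' does not satisfy 'cyg_server'.
passwd_account_exists() {
    cut -d: -f1 "$PASSWD_FILE" | grep -Fqx -- "$1"
}

csih_privileged_accounts_example() {
    accounts=""
    first_account=""
    for username in cyg_server cron_server sshd_server; do
        # A domain account already mapped into /etc/passwd counts even though
        # 'net user' knows nothing about it.
        if passwd_account_exists "$username" || local_account_exists "$username"; then
            [ -z "$first_account" ] && first_account="$username"
            accounts="${accounts}'${username}' "
        fi
    done
    if [ -n "$accounts" ]; then
        _csih_all_preexisting_privileged_accounts="$accounts"
        _csih_preferred_preexisting_privileged_account="$first_account"
    fi
}

# Constructed sample passwd: a domain-mapped cyg_server with no local SAM
# entry, a decoy cyg_server2, and a local sshd_server.  SIDs are placeholders.
make_sample_passwd() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
cyg_server:unused:1105:513:U-MYDOMAIN\cyg_server,S-1-5-21-0-0-0-1105:/var/empty:/bin/false
cyg_server2:unused:1106:513:decoy account:/var/empty:/bin/false
sshd_server:unused:1007:513:U-HOST\sshd_server,S-1-5-21-0-0-0-1007:/var/empty:/bin/false
EOF
    printf '%s\n' "$f"
}
```

With the sample data and LOCAL_ACCOUNTS="sshd_server", the candidate list becomes 'cyg_server' 'sshd_server' and the preferred account is cyg_server, the domain account Corinna wants picked up.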


