On Sep  3 07:17, Achim Gratz wrote:
> Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > Don't use privilege separation, then the non-privileged sshd user won't
> > matter at all.  Privsep on Cygwin is only half-useful on Cygwin anyway,
> > if at all.
> 
> I've switched privilege separateion off completely, but no dice.  The Access
> Denied comes from trying to switch from primary group "MACHINE+None" to
> "Domain Users".  That is expected to happen, what I still don't get is why
> the parent process winds up with the exception instead of the originating
> process as on 64bit.

As I wrote, this is a red herring.  A failing setgid is no error at
all.  It has nothing to do with the exception, except for the debug
output preceeding the exception occurance.  Note the

  get_logon_server: DC: server: \\SC301

between them.  This, and the subsequent seterrno_from_win_error in the
parent sshd are a pretty sure sign that the exception is triggered by
the NetUserXXX calls.

> > As for the local cyg_server account, I'm not sure.  Usually,
> > a local machine account has no or only limited access to AD information.
> > As an account which needs AD to get user information it's a bit
> > unfortunate if it doesn't have access.
> 
> When the process comes to this point it has already verified the user via AD.

Yes, but this has nothing to do with it.  Before calling setuid (which
it calls a couple of times during login), sshd calls initgroups for the
new user, POSIX-like.  Initgroups in turn has to call NetUserGetGroups
and NetUserGetLocalGroups on the DC to fetch the full list of groups for
a user.  From the strace it *seems* that the call to NetUserGetGroups in
the grand child sshd process results in simply terminating the process.
The fact that there's no more output *at all* from the grand child
points to Windows killing the process hard.  Lacking any hint why this
occurs, it's just an assumption, of course.

> > The strace shows that it doesn't even *try* to start bash, but it's
> > entirely unclear why.
> 
> Is it possible to run sshd in gdb?

Yes, but Windows/Cygwin gdb don't allow to follow the child process
so it's very tricky.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

Attachment: pgpE11XR5jp4S.pgp
Description: PGP signature

Reply via email to