On Sep 3 07:17, Achim Gratz wrote:
> Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > Don't use privilege separation, then the non-privileged sshd user won't
> > matter at all. Privsep on Cygwin is only half-useful on Cygwin anyway,
> > if at all.
>
> I've switched privilege separation off completely, but no dice. The Access
> Denied comes from trying to switch from primary group "MACHINE+None" to
> "Domain Users". That is expected to happen, what I still don't get is why
> the parent process winds up with the exception instead of the originating
> process as on 64bit.

As I wrote, this is a red herring. A failing setgid is no error at all.
It has nothing to do with the exception, except for the debug output
preceding the exception occurrence. Note the

  get_logon_server: DC: server: \\SC301

between them. This, and the subsequent seterrno_from_win_error in the
parent sshd are a pretty sure sign that the exception is triggered by the
NetUserXXX calls.

> > As for the local cyg_server account, I'm not sure. Usually,
> > a local machine account has no or only limited access to AD information.
> > As an account which needs AD to get user information it's a bit
> > unfortunate if it doesn't have access.
>
> When the process comes to this point it has already verified the user via AD.

Yes, but this has nothing to do with it. Before calling setuid (which it
calls a couple of times during login), sshd calls initgroups for the new
user, POSIX-like. Initgroups in turn has to call NetUserGetGroups and
NetUserGetLocalGroups on the DC to fetch the full list of groups for a
user. From the strace it *seems* that the call to NetUserGetGroups in the
grand child sshd process results in simply terminating the process. The
fact that there's no more output *at all* from the grand child points to
Windows killing the process hard. Lacking any hint why this occurs, it's
just an assumption, of course.

> > The strace shows that it doesn't even *try* to start bash, but it's
> > entirely unclear why.
>
> Is it possible to run sshd in gdb?

Yes, but Windows/Cygwin gdb don't allow to follow the child process so
it's very tricky.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat