CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

2008-06-16 Corinna Vinschen
Oh, btw., Charles, that's one for you. On Jun 16 23:01, Corinna Vinschen wrote: > On May 13 11:09, Schutter, Thomas A. wrote: > > Except that is not what I am seeing. When I run "id" from a console > > cygwin shell: > > $ id > > uid=18718(tschutter) gid=10513(Domain Users) > > groups=544(Admi

Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

2008-06-22 Corinna Vinschen
Charles, Ping? On Jun 16 23:13, Corinna Vinschen wrote: > Oh, btw., Charles, that's one for you. > > On Jun 16 23:01, Corinna Vinschen wrote: > > On May 13 11:09, Schutter, Thomas A. wrote: > > > So when I am using pubkey authentication, the user token is not a member > > > of the "Administrators

Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

2008-07-19 Charles Wilson
Corinna Vinschen wrote: Oh, btw., Charles, that's one for you. On Jun 16 23:01, Corinna Vinschen wrote: On May 13 11:09, Schutter, Thomas A. wrote: The problem was that the domain sshd_server account has no right to access the domain controller from the network. Solution: Open the Local Securi

Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

2008-07-19 Corinna Vinschen
On Jul 19 12:51, Charles Wilson wrote: > Corinna Vinschen wrote: >> Oh, btw., Charles, that's one for you. >> On Jun 16 23:01, Corinna Vinschen wrote: >>> On May 13 11:09, Schutter, Thomas A. wrote: >>> The problem was that the domain sshd_server account has no right to >>> access the domain contro

Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

2008-07-19 Charles Wilson
Corinna Vinschen wrote: However, I sent a second patch in http://cygwin.com/ml/cygwin/2008-06/msg00453.html The Interactive Logon Right is also necessary for this account. I don't know why I missed that. I'll roll 0.1.6 soon. What also doesn't work well is this: In a domain I might want a c

Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

2008-07-19 Charles Wilson
Charles Wilson wrote: Corinna Vinschen wrote: However, I sent a second patch in http://cygwin.com/ml/cygwin/2008-06/msg00453.html The Interactive Logon Right is also necessary for this account. I don't know why I missed that. I'll roll 0.1.6 soon. Here's the followup patch I applied (with m

Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

2008-07-20 Corinna Vinschen
On Jul 19 16:46, Charles Wilson wrote: > Corinna Vinschen wrote: > >> However, I sent a second patch in >> http://cygwin.com/ml/cygwin/2008-06/msg00453.html >> The Interactive Logon Right is also necessary for this account. > > I don't know why I missed that. I'll roll 0.1.6 soon. Thanks. >> What

Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

2008-07-20 Corinna Vinschen
On Jul 20 14:27, Corinna Vinschen wrote: > On Jul 19 16:46, Charles Wilson wrote: > > Should be modified somehow, perhaps (UNTESTED): > > > > for username in cyg_server cron_server sshd_server > > do > > if egrep "^${username}:" /etc/passwd 1>/dev/null 2>&1 || > >net

Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

2008-08-04 Charles Wilson
Corinna Vinschen wrote: Along these lines, yes. I also think that using the cyg_server/ cron_server/sshd_server account should be preferred over SYSTEM on XP and earlier systems, at least if they are domain member machines. Maybe simply like this: The test should run on any OS, but if none of

Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

2008-08-07 Corinna Vinschen
Hi Chuck, On Aug 4 21:31, Charles Wilson wrote: > Corinna Vinschen wrote: >> Btw., there's a test for the administrators group in /etc/passwd. >> This test is not necessary. The only reason to have the admins >> group in /etc/passwd is to print file ownership correctly. It doesn't >> have any o

Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

2008-08-07 Charles Wilson
Corinna Vinschen wrote: Hi Chuck, On Aug 4 21:31, Charles Wilson wrote: Corinna Vinschen wrote: Btw., there's a test for the administrators group in /etc/passwd. I don't see this. I see testing /etc/passwd for the (local) Administrator USER, and testing /etc/group for the Administrators G

Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

2008-08-07 Corinna Vinschen
On Aug 7 11:25, Charles Wilson wrote: > Corinna Vinschen wrote: >> Hi Chuck, >> On Aug 4 21:31, Charles Wilson wrote: >>> Corinna Vinschen wrote: Btw., there's a test for the administrators group in /etc/passwd. > > >>> I don't see this. I see testing /etc/passwd for the (local) Administrato

Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

2008-08-07 Charles Wilson
Corinna Vinschen wrote: No, the above lines are checking for the passwd entry for the administrators group. S-1-5-32-544 is the SID of that group. The SID for the Administrator user is S-1-5-21-X-Y-Z-500. D'oh. Right. Now, about csih_check_access() -- without exact knowledge of csih_ADMINS

Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

2008-08-07 Corinna Vinschen
On Aug 7 12:19, Charles Wilson wrote: > Corinna Vinschen wrote: >> Well, hmm. In theory, admins have backup/restore rights anyway. >> However, I was just thinking that csih should get rid of points of >> failure which are not entirely necessary, like the checks for denied >> user rights. If you

Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

2008-08-07 Charles Wilson
Corinna Vinschen wrote: We can require Administrators (-544) in /etc/group, and SYSTEM (-18) in both /etc/group and /etc/passwd, right? Yes. I'm just wondering if we shouldn't check for the Admins group only. The token of the SYSTEM user always contains the Admins group and the cyg_server (or

Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

2008-08-08 Corinna Vinschen
On Aug 7 12:59, Charles Wilson wrote: > Corinna Vinschen wrote: >>> We can require Administrators (-544) in /etc/group, and SYSTEM (-18) in >>> both /etc/group and /etc/passwd, right? >> Yes. I'm just wondering if we shouldn't check for the Admins group >> only. The token of the SYSTEM user alw