Chuck? Ping?
On Dec 19 14:07, Corinna Vinschen wrote:
> Hi Chuck,
>
>
> during some testing I suddenly found that I couldn't start an sshd which
> I had just installed as a service. The reason was that the account I
> was using for the service didn't have the "Logon as service" user right.
> Which was puzzeling given that csih calls editrights to add this user
> right.
>
> It turned out that the following test in cygwin-service-installation-helper.sh
> is incorrect (line 2264):
>
> if ! csih_call_winsys32 net localgroup "${admingroup}" | /usr/bin/grep -Eiq
> "^${user}.?$"
>
> The problem occurs if the user account is a domain account. In that
> case membership in the local administrators group is often only
> indirectly given by being the member in a domain group which in turn
> is member in the Administrators group. Example:
>
> "DOMAIN\user" is member of "DOMAIN\Domain Admins"
> "DOMAIN\Domain Admins" is member of "Administrators"
>
> However, the `net localgroup' command does not resolve group memberships.
> `net localgroup Administrators' on a domain member machine returns:
>
> Alias name Administrators
> Comment [...blah...]
>
> Members
>
> -----------------------------------
> Administrator
> VINSCHEN\Domain Admins
> The command completed successfully.
>
> Calling `net localgroup Administrators /domain' isn't sufficient either,
> since it also doesn't return indirect memberships.
>
> Therefore I think the test for being a member of the admins group is
> invalid and should just go away. The current behaviour is too surprising
> in a domain environment.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
