On Jan 24 16:43, Gordon Messmer wrote:
> On 01/08/2010 06:59 AM, Corinna Vinschen wrote:
> >I can't reproduce this one, but I can reproduce the other problem
> >with pubkey authentication reported in this thread:
> ...
>
> I appreciate the time you took to explain this problem.  I've been
> working on it for a while, and still can't get it right.
>
> >If you're running in a domain, then the account running the sshd service
> >must be a member of the domain as well.  Instead of creating a local
> >cyg_server account, you must create a domain account called cyg_server
> >with the specific rights required to create a user token, add it to the
> >/etc/passwd file of the machine on which you want to install sshd, and
> >*then* run ssh-host-config on that machine.
>
> I've created a "cyg_server" account on my domain controller and
> added it to the password file using:
>
> mkpasswd -d -u cyg_server >> /etc/passwd
>
> First I tried granting the required permissions manually in the
> domain policy.  When that didn't work, I used "editrights" as in
> cygwin-service-installation-helper.sh to set the rights in the local
> policy.  As far as I can tell, I get identical results.
>
> Rights during my most recent test were:
>
> $ editrights.exe -l -u cyg_server
> SeAssignPrimaryTokenPrivilege
> SeCreateTokenPrivilege
> SeTcbPrivilege
> SeServiceLogonRight
> SeDenyRemoteInteractiveLogonRight

The cyg_server user is hopefully in the Administrators group...

Here's what I did.  I created cyg_server as an admin account in the domain,
then I created a global policy which adds the cyg_server user to the
following user rights:

  Act as part of the operating system (SeTcbPrivilege)
  Create a token object               (SeCreateTokenPrivilege)
  Replace a process level token       (SeAssignPrimaryTokenPrivilege)

At last I made sure the global policy gets propagated to all domain
machines.  That's all.  From this time on I could use the domain
cyg_server user on all my domain member machines, assuming I added it to
/etc/passwd before starting ssh-host-config.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
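
The two preconditions named in the message above (the three token rights and an /etc/passwd entry present before ssh-host-config is run) can be checked with a short script. This is an added example, not part of either poster's message; the function and variable names are hypothetical, and it assumes the listing has one right per line as in the quoted editrights output.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check for the sshd service account.
# Function and variable names are hypothetical.

# The three user rights named in the reply above.
REQUIRED_RIGHTS="SeTcbPrivilege SeCreateTokenPrivilege SeAssignPrimaryTokenPrivilege"

# Rights listing quoted in the thread, one right per line.
PAGE_RIGHTS='SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeTcbPrivilege
SeServiceLogonRight
SeDenyRemoteInteractiveLogonRight'

# missing_rights LISTING: print every required right absent from LISTING.
# Whole-line match, so a longer name cannot satisfy the check; tr drops CRs.
missing_rights() {
    local have r
    have="$(printf '%s\n' "$1" | tr -d '\r')"
    for r in $REQUIRED_RIGHTS; do
        printf '%s\n' "$have" | grep -qx "[[:space:]]*$r[[:space:]]*" ||
            printf '%s\n' "$r"
    done
}

# passwd_has_user FILE USER: succeed if FILE has an entry whose login name is USER.
passwd_has_user() {
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# preflight LISTING PASSWD_FILE [USER]: report both preconditions, return 1 on any failure.
preflight() {
    local user missing rc
    user="${3:-cyg_server}"; rc=0
    missing="$(missing_rights "$1")"
    if [ -n "$missing" ]; then
        echo "FAIL: $user lacks:" $missing
        rc=1
    fi
    if ! passwd_has_user "$2" "$user"; then
        echo "FAIL: no $user entry in $2; add it before running ssh-host-config"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $user holds the three rights and has a passwd entry"
    return "$rc"
}

# On the Cygwin host:
#   preflight "$(editrights -l -u cyg_server)" /etc/passwd cyg_server
```

The script does not verify Administrators group membership or that the domain policy has propagated; those still need to be confirmed on the member machine.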