On 6/24/2010 9:24 AM, Robert Jacobson |cygwin/Example Allow| wrote:
> I need some help to get sshd working so that when I login using
> public-key auth to my domain account (which has local administrator
> privileges), it actually has the Administrator privs.
>
> The platform is Windows XP Pro, joined to a domain.
>
> C. Vinschen already kindly pointed me to the FAQ, here:
> http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain
>
> but I think I'm missing something about the setup, or done it wrong.
>
> I created a domain account, we'll call it "cyg_server" for convenience.
>
> I have a GPO that defines the "cyg_server" User Right Assignments so
> that it can "Act as part of the operating system", "Act as part of the
> operating system", and "Replace a process level token". I also placed
> cyg_server in the local Administrators group.
>
> I've confirmed the GPO is applied successfully. The cyg_server account
> appears in the correct areas when I look at "gpedit.msc".
>
> Where I think I'm failing is the setup for ssh-host-config. I tried:
>
> ssh-host-config -u cyg_server -p 'password' --privileged
>
> First, I'm warned that I don't need a privileged account because I'm not
> running W2k3, Vista, etc. (The FAQ specifically says to use a different
> account, so this seems contradictory, yes?)
>
> Also, I get:
> *** Warning: Privileged account 'cyg_server' was specified,
> *** Warning: but it does not have the necessary privileges.
> *** Warning: Continuing, but will probably use a different account.
> *** Warning: The specified account 'cyg_server' does not have the
> *** Warning: required permissions or group memberships. This may
> *** Warning: cause problems if not corrected; continuing...
>
> It installed the service, but the service did not start, due to a login
> failure.
>
> I can login to the account using
> runas /user:domain\cyg_server cmd
> just fine. I'm sure the password I specified was correct.
>
> I opened the Service configuration GUI, and just in case, I pasted the
> password into the proper spot. The GUI responded with (paraphrase)
> "cyg_server" has been granted the "Logon as a service" right.
>
> The service then started successfully. So, did I miss something, or
> does that mean the FAQ should include "Logon as a service" in the needed
> user rights?
>
> In any case, although the service now starts successfully (running under
> the cyg_server account), when I login via SSH (either password OR public
> key), I do NOT have Administrator privileges; i.e. according to the 'id'
> command, I'm not in group "544(Administrators)". I'm not even in the
> regular "Users" group!
>
> Obviously I've done something wrong... Help, please!
>
I'm responding to my own post -- from nearly a year ago -- because I
finally learned how to configure sshd so that I get the right
permissions for my administrator account.

The fix was simple -- I just ran "cyglsa-config" and rebooted. I had no
idea "cyglsa" existed until I tried to get cron working the other day
and saw it in a follow-up post. The "id" command now shows the exact
same output in the console terminal and when I login via SSH.

I propose that you add this to the FAQ at:
http://cygwin.com/faq/faq-nochunks.html#faq.using.sshd-in-domain
possibly with a note about the necessity of rebooting after cygwin
updates if you use cyglsa.

Is there some reason (other than the reboot-after-cygwin-update
requirement) that "ssh-host-config" doesn't automatically run
cyglsa-config as well? Or at least warn you that you won't get the right
group membership without it?

--
Robert Jacobson
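
The console-versus-SSH comparison of "id" output described above can be scripted; this is an added example, not part of the original post. The two sample "id" lines are constructed, the function names are hypothetical, and the parser assumes group names contain no commas.

```shell
#!/bin/sh
# Constructed sample `id` output (not from the original post). On a real host
# you would capture these with: CONSOLE_ID=$(id) and SSH_ID=$(ssh localhost id)
CONSOLE_ID='uid=11001(rjacobson) gid=10513(Domain Users) groups=10513(Domain Users),544(Administrators),545(Users)'
SSH_ID='uid=11001(rjacobson) gid=10513(Domain Users) groups=10513(Domain Users)'

# Print one "gid(name)" entry per line from the groups= field of an id line.
id_groups() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | LC_ALL=C sort -u
}

# Print the groups listed in the first id line but absent from the second.
missing_groups() {
    ssh_groups=$(id_groups "$2")
    id_groups "$1" | while IFS= read -r g; do
        printf '%s\n' "$ssh_groups" | grep -qxF -- "$g" || printf '%s\n' "$g"
    done
}

# Succeed only if the id line lists group 544, the local Administrators
# group that the post looks for.
has_admin_group() {
    id_groups "$1" | grep -q '^544('
}

echo "Groups in the console session but missing from the SSH session:"
missing_groups "$CONSOLE_ID" "$SSH_ID"
if has_admin_group "$SSH_ID"; then
    echo "SSH session token includes 544(Administrators)"
else
    echo "SSH session token lacks 544(Administrators)"
fi
```

An empty list from missing_groups corresponds to the state reported after running cyglsa-config and rebooting, where both sessions show the same "id" output.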