On Jun 8 01:33, Daniel Colascione wrote: > On 6/7/2013 11:55 PM, Daniel Colascione wrote: > > (By the way: how on earth does logon eventually succeed if group enumeration > > fails? I'm using the stored-password authentication method, and when sshd > > eventually connects, my user (according to whoami.exe /priv) is a member of > > the > > groups I expect.) > > Ah, I found http://cygwin.com/ml/cygwin/2009-06/msg00828.html. sshd is just > getting a truncated group list from initgroups while checking ~/.ssh > permissions, which still happens to work fine in my case, the logon delay > aside. > > Changing openssh to call setgroups only after calling seteuid might help (so > we'd retrieve the group list in the context of our new user), but because > get_groups calls deimpersonate before talking to the server, that wouldn't > actually work. > > What about something like this?
Hmm. I'm not so sure. I think it's a bit of a hack to depend on the availability of the LSA private key entry for this part of the code. Actually, the problem you have is based on the fact that you're using a machine-local cyg_server account to run sshd. In domain environments it's prudent to create such an account in AD and add a matching group policy to make sure that account has the required rights on the machines which are supposed to run sshd. I created a short FAQ entry once, http://cygwin.com/faq.html#faq.using.sshd-in-domain What probably *does* make sense is not to call get_logon_server twice if the first call returned with ERROR_ACCESS_DENIED. That requires only a bit of minor code rearranging. I'll prepare something today or tomorrow. Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
