Re: CSIH patch (Re: Unable to run sshd under a domain sshd_server account [SOLVED])

Sat, 19 Jul 2008 09:52:26 -0700 

Corinna Vinschen wrote:

Oh, btw., Charles, that's one for you.

On Jun 16 23:01, Corinna Vinschen wrote:

On May 13 11:09, Schutter, Thomas A. wrote:
The problem was that the domain sshd_server account has no right to
access the domain controller from the network.  Solution: Open the Local
Security Policy of the DC and look for the User Right "Deny access to
this computer from the network".  You'll find your sshd_server user in
there.  Remove it from this user right.  Try again:


This user right shouldn't be set anymore in the
csih/cygwin-service-installation-helper.sh script.  Patch follows:

        * Don't disallow network logon for service user account.


Here's the patch I applied, for csih-0.1.5:

--
Chuck


diff -u -r1.7 -r1.8
--- cygwin-service-installation-helper.sh       14 Apr 2008 18:36:05 -0000      
1.7
+++ cygwin-service-installation-helper.sh       19 Jul 2008 16:40:31 -0000      
1.8
@@ -1636,14 +1636,13 @@
           # user not in Administrators group
           return 1
         else
-          editrights -l -u "${user}" | fgrep SeAssignPrimaryTokenPrivilege     
>/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeCreateTokenPrivilege            
>/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeTcbPrivilege                    
>/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeDenyInteractiveLogonRight       
>/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeDenyNetworkLogonRight           
>/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeDenyRemoteInteractiveLogonRight 
>/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeIncreaseQuotaPrivilege          
>/dev/null 2>&1 &&
-          editrights -l -u "${user}" | fgrep SeServiceLogonRight               
>/dev/null 2>&1
+          editrights -u "${user}" -t SeAssignPrimaryTokenPrivilege     
>/dev/null 2>&1 &&
+          editrights -u "${user}" -t SeCreateTokenPrivilege            
>/dev/null 2>&1 &&
+          editrights -u "${user}" -t SeTcbPrivilege                    
>/dev/null 2>&1 &&
+          editrights -u "${user}" -t SeDenyInteractiveLogonRight       
>/dev/null 2>&1 &&
+          editrights -u "${user}" -t SeDenyRemoteInteractiveLogonRight 
>/dev/null 2>&1 &&
+          editrights -u "${user}" -t SeIncreaseQuotaPrivilege          
>/dev/null 2>&1 &&
+          editrights -u "${user}" -t SeServiceLogonRight               
>/dev/null 2>&1
           return # status of previous command-list
         fi
       fi
@@ -2106,7 +2105,6 @@
         editrights -a SeCreateTokenPrivilege -u ${username} &&
         editrights -a SeTcbPrivilege -u ${username} &&
         editrights -a SeDenyInteractiveLogonRight -u ${username} &&
-        editrights -a SeDenyNetworkLogonRight -u ${username} &&
         editrights -a SeDenyRemoteInteractiveLogonRight -u ${username} &&
         editrights -a SeIncreaseQuotaPrivilege -u ${username} &&
         editrights -a SeServiceLogonRight -u ${username} &&


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Reply via email to