This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: 1.5.20: supplementary groups not initialized via ssh when PDC is down


On Jul  5 15:18, theo0@krumvieda.com wrote:
> Hi there:
> 
> I have cygwin installed on an XP machine in a domain controlled by a
> PDC and a single BDC (both DCs run W2K).  When the PDC is up,
> everything runs perfectly fine.  However, when the PDC is down
> (leaving just the BDC), we are having problems with remote ssh logins:
> 
>  o If I login via ssh while the PDC is down, "/bin/id" shows only the
>    default group, not any of the supplementary groups (this also shows
>    up in the output of "cygcheck" below).  There are other things that
>    fail too, e.g., anything that requires administrator privileges
>    ("nbtstat -c"), presumably because the shell doesn't think I'm a
>    domain admin.
> 
>     -bash-3.1$ /bin/id
>     uid=11116(cliff) gid=11194(user) groups=11194(user)
> 
>  o If I login to Windows while the PDC is down, then start a cygwin
>    shell by double clicking on the cygwin icon, everything works as
>    expected.
> 
>      -bash-3.1$ /bin/id
>      uid=11116(cliff) gid=11194(user) groups=11134(clearcase),10512(Domain Admins),10513(Domain Users),11194(user)
> 
>  o If I login via ssh while the PDC is up, "/bin/id" shows all groups
>    and everything works as expected.
> 
>      -bash-3.1$ /bin/id
>      uid=11116(cliff) gid=11194(user) groups=11134(clearcase),10512(Domain Admins),10513(Domain Users),11194(user)
> 
> Any idea why the supplementary groups aren't being initialized when
> the PDC is down?  Do I have something configured incorrectly?

When logging in via ssh, ssh calls initgroups().  Cygwin's initgroups
assembles the user's group list basically like this:

- Get list of domain groups the user is a member of.
- Get list of local groups the user is a member of.
- Get list of groups from /etc/group in which the user is mentioned in
  the gr_mem fields.
- Fold groups into a list of groups with no doubles.

The first step works by contacting the PDC.  If the PDC isn't
available, there's no domain group list.  Cygwin does not try to contact
any secondary domain server right now.

To circumvent the situation you're describing above, you can add the
user(s) to the appropriate groups in /etc/group.  For instance:

Domain Admins:S-1-5-21-1154851028-2324800110-1472610766-512:10512:cliff,corinna

This allows the necessary domain group memberships even if the PDC is
not available.


HTH,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
