This is the mail archive of the cygwin mailing list for the Cygwin project.



Unable to run sshd under a domain sshd_server account


I am having problems setting up sshd to run under a domain sshd_server
account instead of a local sshd_server account.

Why do I want to do that?  Because in the default install, starting a
cygwin shell from the console gives me a much different environment and
permissions than if I start a cygwin shell via ssh.  For example, from a
console shell on the Windows 2003 Server:
  $ echo $USER
  tschutter
  $ echo $USERNAME
  tschutter
  $ echo $HOSTNAME
  fdsvbld01sgrape
  $ echo $USERDOMAIN
  FLOODDATA
  $ id
  uid=18718(tschutter) gid=10513(Domain Users) groups=544(Administrators),545(Users),10513(Domain Users),18169(FDSV-GG-PrxBLD),22611(FDSV-GG-PrxPCAdmins)
  $ ls //other/f$
  Data          RECYCLER        System\ Volume\ Information

But when I login via ssh:
  $ echo $USER
  tschutter
  $ echo $USERNAME
  sshd_server
  $ echo $HOSTNAME
  fdsvbld01sgrape
  $ echo $USERDOMAIN
  FDSVBLD01SGRAPE
  $ id
  uid=18718(tschutter) gid=10513(Domain Users) groups=545(Users),10513(Domain Users)
  $ ls //other/f$
  ls: cannot access //other/f$: Permission denied

The sshd server was set up using "ssh-host-config --yes". So it appears
that when I login via ssh, I am logged in as a local user, not a domain
user.  Also, when logged in via ssh, I am not in the Administrators,
FDSV-GG-PrxBLD, and FDSV-GG-PrxPCAdmins groups.  As a side note, I would
think that USERNAME being set to sshd_server is a bug.

It appears that the solution is to create a domain sshd_server account
and run sshd as that user.  So I created a domain account called
"fdsv-sa-prx-sshdsrvr".  I gave this account the required rights:
  $ editrights -a SeCreateTokenPrivilege -u fdsv-sa-prx-sshdsrvr
  $ editrights -a SeTcbPrivilege -u fdsv-sa-prx-sshdsrvr
  $ editrights -a SeDenyInteractiveLogonRight -u fdsv-sa-prx-sshdsrvr
  $ editrights -a SeDenyNetworkLogonRight -u fdsv-sa-prx-sshdsrvr
  $ editrights -a SeDenyRemoteInteractiveLogonRight -u fdsv-sa-prx-sshdsrvr
  $ editrights -a SeIncreaseQuotaPrivilege -u fdsv-sa-prx-sshdsrvr
  $ editrights -a SeServiceLogonRight -u fdsv-sa-prx-sshdsrvr

I added fdsv-sa-prx-sshdsrvr to the local "Administrators" group.

I changed the ownership of the /etc/ssh files and /var/empty:
  $ chown fdsv-sa-prx-sshdsrvr /etc/ssh* /var/empty

I changed the log on account for the "CYGWIN sshd" service to the
fdsv-sa-prx-sshdsrvr account.

I then tried to start the service:
  $ net start sshd
  The CYGWIN sshd service is starting.
  The CYGWIN sshd service could not be started.

  The service did not report an error.

  More help is available by typing NET HELPMSG 3534.

The application event log has this error message:
  The description for Event ID ( 0 ) in Source ( sshd ) cannot be found.
  The local computer may not have the necessary registry information or
  message DLL files to display messages from a remote computer. You may be
  able to use the /AUXSOURCE= flag to retrieve this description; see Help
  and Support for details. The following information is part of the event:
  sshd: PID 2068: service `sshd' failed: signal 11 raised.

I have attached the output from "cygcheck -s -v -r" as
grape-cygcheck.out.

So where do I go from here?  What am I missing?

--
Tom Schutter
First American - Proxix Solutions
(512) 977-6822


Attachment: grape-cygcheck.out
Description: grape-cygcheck.out
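Before chasing the signal 11, it is worth confirming that the new service account actually ended up with every right the post grants. The script below is an added example, not part of the original message or of Cygwin: it compares the rights listed by `editrights -l -u USER` against the set from the post, and additionally checks SeAssignPrimaryTokenPrivilege, which is assumed here to be needed as well (it is a real Windows privilege but is not in the post's list). The sample rights list is constructed.

```shell
#!/bin/sh
# Rights the post grants to the sshd service account, plus
# SeAssignPrimaryTokenPrivilege (assumed here, not in the post's list).
REQUIRED_RIGHTS="SeCreateTokenPrivilege
SeTcbPrivilege
SeDenyInteractiveLogonRight
SeDenyNetworkLogonRight
SeDenyRemoteInteractiveLogonRight
SeIncreaseQuotaPrivilege
SeServiceLogonRight
SeAssignPrimaryTokenPrivilege"

# missing_rights: read granted rights on stdin, one per line (the shape
# `editrights -l -u USER` prints), and print each required right that is
# absent. Returns 0 when nothing is missing, 1 otherwise.
missing_rights() {
    granted=$(cat)
    status=0
    for r in $REQUIRED_RIGHTS; do
        # -x forces a whole-line match, so a right whose name is a prefix
        # of another (SeTcbPrivilege vs. a longer name) cannot false-match.
        if ! printf '%s\n' "$granted" | grep -qx "$r"; then
            printf '%s\n' "$r"
            status=1
        fi
    done
    return $status
}

# audit_account: query the live machine for USER (needs Cygwin's editrights).
# Exit status is that of missing_rights, so it can gate a `net start sshd`.
audit_account() {
    editrights -l -u "$1" | missing_rights
}

# Constructed sample: what a half-configured account might report.
SAMPLE_RIGHTS="SeCreateTokenPrivilege
SeServiceLogonRight
SeIncreaseQuotaPrivilege"

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_RIGHTS" | missing_rights
fi
```

Run `sh audit.sh --demo` to see the five rights the constructed sample lacks, or `audit_account fdsv-sa-prx-sshdsrvr` on the server itself; an empty output with exit status 0 means the account's rights match the list.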

