This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

RE: cron problem with authentication

From: Igor Pechtchanski <pechtcha at cs dot nyu dot edu>
To: Mike Kenny - BCX - Mngd Services <Mike dot Kenny at bcx dot co dot za>
Cc: cygwin at cygwin dot com
Date: Thu, 27 May 2004 10:24:37 -0400 (EDT)
Subject: RE: cron problem with authentication
References: <A2AE62FF85AEAC4BA3DE695E3C237D110AD47F@exmid04.africa.enterprise.root>
Reply-to: cygwin at cygwin dot com

On Thu, 27 May 2004, Mike Kenny - BCX - Mngd Services wrote:

> > From: Larry Hall [mailto:cygwin-lh@XXXXXX.XXX]

<http://cygwin.com/acronyms/#PCYMTNQREAIYR>.

> > At 03:52 AM 5/26/2004, you wrote:
> > >I previously posted a problem where a job failed attaching to an MQ
> > >Q Manager when run from cron. The explanation that was provided
> > >was that because MQ authenticates the user using the NT services
> > >and cron had had to su to that user, bypassing these services, that
> > >the user running the job did not then have the correct credentials.
> > >
> > >This sounds plausible and certainly explains the behaviour I see, but
> > >what would be involved in cron checking to see under which user the
> > >cygwin session is running and if this is the same user as the cygwin
> > >cron service is running under. If they are the same then do not do
> > >the change of user? Would this enable the cron job to run with the
> > >correct credentials? Or am I totally misunderstanding the problem?
> > >I admit that I know little or nothing about either Windows security
> > >or how cygwin interacts with it.
> > >
> > >Thanks for any comments on this
> >
> >
> > In the default installation, the user doing the "su" (as you refer to
> > it) is the SYSTEM user.  The SYSTEM user has no access to remote SMB
> > shares. So your idea doesn't work because it assumes something that
> > isn't true.
> >
> > One possible alternative is to run cron as the user you want to run
> > jobs as.  I don't recall, off-the-top-of-my-head, whether cron assumes
> > that it will run as SYSTEM and, if so, this approach probably wouldn't
> > work without changing the code.  Another alternative might be to use a
> > service which allows accessing remote directories without requiring
> > Windows authentication (i.e. not SMB).
>
> Larry, first, thanks for taking the time to respond. Possibly I do not
> understand your comments, but I am confused by the reference to shares.
> I have a situation where, on the windows side, cron is running as user
> 'mqdisp'. This user is a member of the mqm group (required for MQ Series)
> and is an Administrator with permissions to log in as a service and to act
> as part of the Operating System. On the cywin side, mqdisp is the user that
> is trying to run the cron job that attaches to MQ Series. My event log is
> showing me the following:
>
>  [754] MQSeries
>    Type:     WARNING
>    Computer: TEST1
>    Time:     2004/05/27 10:50:14   ID:       8074
> Authorization failed as the SID 'S-1-5-21-776561741-1935655697-1343024091-1007' does not match the entity 'system'.
>   The Object Authority Manager received inconsistent data - the supplied SID does not match that of the supplied entity information.
>   Ensure that the application is supplying valid entity and SID information.
>
> While /etc/passwd has the following:
>
> SYSTEM:*:18:544:,S-1-5-18::
> mqdisp:unused_by_nt/2000/xp:1007:513:mqdisp,U-TEST1\mqdisp,S-1-5-21-776561741-1935655697-1343024091-1007:/home/mqdisp:/bin/bash
>
> The PS shows that cron is running as SYSTEM, and it seems that it is trying
> to use mqdisp's credentials to authenticate system.
>
> I hope the above better explains my problem.

Did you look at <http://cygwin.com/cygwin-ug-net/ntsec.html#NTSEC-SETUID>?

> BTW, is there some way that I can login as 'system'? This might provide a
> way around this problem.

There is, but I doubt it'd be helpful.  That said, Google for
"system-owned shell cygwin".

> Thanks for any input to this

Just try what's already been suggested -- run the cron daemon as mqdisp
(if that's the only thing you're using cron for) by using the --user and
--passwd options to cygrunsrv.
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha@cs.nyu.edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor@watson.ibm.com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

References:
- RE: cron problem with authentication
  - From: Mike Kenny - BCX - Mngd Services

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]