This is the mail archive of the
mailing list for the Cygwin project.
Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
- From: Serban Simu <serban at asperasoft dot com>
- To: cygwin at cygwin dot com
- Date: Sun, 01 Oct 2006 20:47:10 -0700
- Subject: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
I got a chance to test the snapshot 2006-09-07. It does behave
differently, but still doesn't solve the problem. whoami now shows user
nt authority\system, whereas before the patch it showed sshd_server.
Both the snapshot and 1.5.21 show the correct SID for the domain user.
I also verified that if I add the user name explicitly to /etc/group for
each group it belongs to, other than the primary group, whoami reports
the correct domain user and access to network resources works properly.
Also, users that don't belong to any groups other than their primary
group (which seems to be Domain Users by default), don't exhibit this
problem (this is just a particular case of the previous statement).
Attached is the whoami output for the Windows 2003 computer running
1.5.21 plus the snapshot. If I can be of any help narrowing this down,
please let me know.
From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
To: cygwin at cygwin dot com
Date: Thu, 31 Aug 2006 18:13:55 +0200
Subject: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami
sshd_server (password auth)
Reply-to: cygwin at cygwin dot com
On Aug 30 14:05, Serban Simu wrote:
So my questions would be:
(1) I did find a work around, but what is the explanation of this
problem and what is a good, solid work around?
After some debugging I found that the explanation is that sshd drops
all supplementary groups from the otherwise privileged user token. This
results in a minimized user token when calling initgroups, which
in turn calls NetUserGetGroups, which in turn returns "Access denied".
The solution is to drop back to the original process token before
calling NetUserGetGroups from initgroups. I've checked in a patch
which should be available in the next developers snapshot from
A solid workaround if you're trying to get the same with the current
Cygwin: Add all users which want to log in this way to the gr_mem
field of the approrpiate groups in /etc/group. In your example case,
it would look like this:
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
- Serban Simu
Aspera Inc., Berkeley CA http://www.asperasoft.com
firstname.lastname@example.org (510) 849-2386
Last login: Fri Sep 29 11:16:35 2006 from olp
$ c:/windows/system32/whoami.exe /all
User Name SID
nt authority\system S-1-5-21-4293257363-1756470469-1603820055-1107
Group Name Type SID Attributes
================================ ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
Privilege Name Description State
======================= ======================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html