This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)

I got a chance to test the snapshot 2006-09-07. It does behave differently, but still doesn't solve the problem. whoami now shows user nt authority\system, whereas before the patch it showed sshd_server. Both the snapshot and 1.5.21 show the correct SID for the domain user.

I also verified that if I add the user name explicitly to /etc/group for each group it belongs to, other than the primary group, whoami reports the correct domain user and access to network resources works properly. Also, users that don't belong to any groups other than their primary group (which seems to be Domain Users by default), don't exhibit this problem (this is just a particular case of the previous statement).

Attached is the whoami output for the Windows 2003 computer running 1.5.21 plus the snapshot. If I can be of any help narrowing this down, please let me know.

- Serban

From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
To: cygwin at cygwin dot com
Date: Thu, 31 Aug 2006 18:13:55 +0200
Subject: Re: 1.5.21: Win 2003 R2 domain user ssh shows whoami sshd_server (password auth)
References: < <> <>>
Reply-to: cygwin at cygwin dot com

On Aug 30 14:05, Serban Simu wrote:

So my questions would be:

(1) I did find a work around, but what is the explanation of this
problem and what is a good, solid work around?

After some debugging I found that the explanation is that sshd drops
all supplementary groups from the otherwise privileged user token. This results in a minimized user token when calling initgroups, which
in turn calls NetUserGetGroups, which in turn returns "Access denied".
The solution is to drop back to the original process token before
calling NetUserGetGroups from initgroups. I've checked in a patch
which should be available in the next developers snapshot from

A solid workaround if you're trying to get the same with the current
Cygwin:  Add all users which want to log in this way to the gr_mem
field of the approrpiate groups in /etc/group.  In your example case,
it would look like this:

Test Users:S-1-5-21-4293257363-1756470469-1603820055-1123:11123:test1


Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

- Serban Simu
 Aspera Inc., Berkeley CA          (510) 849-2386

C:\aspera>ssh serban@
serban@'s password:
Last login: Fri Sep 29 11:16:35 2006 from olp

serban@olp-w2003 ~
$ c:/windows/system32/whoami.exe /all


User Name           SID
=================== ==============================================
nt authority\system S-1-5-21-4293257363-1756470469-1603820055-1107


Group Name                       Type             SID          Attributes
================================ ================ ============ ==================================================
Everyone                         Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE         Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group


Privilege Name          Description              State
======================= ======================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled

Unsubscribe info:
Problem reports:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]