SSHd configuration problems (System error 1376)


PolarStorm
So it's that time of the year again, when one needs to install SSHd on some machine...
and as usual (?) that's when the Cygwin ssh-host-config script fails. I say as usual,
because last time I posted to these forums it was the same problem. So I must
really question whether or not the Cygwin developers actually test their latest
updates before releasing?

Anyway, here we go:
#==========================================================
$ ssh-host-config

*** Info: Generating missing SSH host keys
ssh-keygen: generating new host keys: RSA1 RSA DSA ECDSA ED25519
*** Info: Creating default /etc/ssh_config file
*** Info: Creating default /etc/sshd_config file

*** Info: StrictModes is set to 'yes' by default.
*** Info: This is the recommended setting, but it requires that the POSIX
*** Info: permissions of the user's home directory, the user's .ssh
*** Info: directory, and the user's ssh key files are tight so that
*** Info: only the user has write permissions.
*** Info: On the other hand, StrictModes don't work well with default
*** Info: Windows permissions of a home directory mounted with the
*** Info: 'noacl' option, and they don't work at all if the home
*** Info: directory is on a FAT or FAT32 partition.
*** Query: Should StrictModes be used? (yes/no) yes

*** Info: Privilege separation is set to 'sandbox' by default since
*** Info: OpenSSH 6.1.  This is unsupported by Cygwin and has to be set
*** Info: to 'yes' or 'no'.
*** Info: However, using privilege separation requires a non-privileged account
*** Info: called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges.  Should this script attempt to create a
*** Query: new local account 'sshd'? (yes/no) yes
*** Info: Updating /etc/sshd_config file

*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Query: Enter the value of CYGWIN for the daemon: []
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires.  You need to have or to create a privileged
*** Info: account.  This script will help you do so.

*** Info: It's not possible to use the LocalSystem account for services
*** Info: that can change the user id without an explicit password
*** Info: (such as passwordless logins [e.g. public key authentication]
*** Info: via sshd) when having to create the user token from scratch.
*** Info: For more information on this requirement, see
*** Info: https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1

*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless such an account
*** Info: already exists). This account is then used to run these special
*** Info: servers.

*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.

*** Info: No privileged account could be found.

*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) no
*** Query: Create new privileged user account 'XXXX\cyg_server' (Cygwin name: 'cyg_server')? (yes/no) yes
*** Info: Please enter a password for new user cyg_server.  Please be sure
*** Info: that this password matches the password rules given on your system.
*** Info: Entering no password will exit the configuration.
*** Query: Please enter the password:
*** Query: Reenter:
*** Query: Please enter the password:
*** Query: Reenter:

*** Info: User 'cyg_server' has been created with password 'XXXXXX'.
*** Info: If you change the password, please remember also to change the
*** Info: password for the installed services which use (or will soon use)
*** Info: the 'cyg_server' account.

System error 1376 has occurred.

The specified local group does not exist.

*** Warning: Adding user 'cyg_server' to local group 'root' failed!
*** Warning: Please add 'cyg_server' to local group 'root' before
*** Warning: starting any of the services which depend upon this user!
*** ERROR: There was a serious problem creating a privileged user.
*** Query: Do you want to proceed anyway? (yes/no) yes
*** Warning: Expected privileged user 'cyg_server' does not exist.
*** Warning: Defaulting to 'SYSTEM'

*** Info: The sshd service has been installed under the LocalSystem
*** Info: account (also known as SYSTEM). To start the service now, call
*** Info: `net start sshd' or `cygrunsrv -S sshd'.  Otherwise, it
*** Info: will start automatically after the next reboot.

*** Warning: Host configuration exited with 1 errors or warnings!
*** Warning: Make sure that all problems reported are fixed,
*** Warning: then re-run ssh-host-config.
#==========================================================
# We can check what that error means with:

$ NET HELPMSG 1376
The specified local group does not exist.


Now, the reason for that is that there is no "root" group
in Windows. Instead it's called "Administrators". To see
the available local groups, use:

$ NET LOCALGROUP
...
*Administrators
...

To fix this, you have 2 options (choose one):
1) From Windows Users Accounts Control Panel
2) From Cygwin command line

(1) Now open the Windows control panel and navigate to User Accounts.
There you will find a new account called "Privileged server", which is the
"cyg_server" account. You need to change the account type of that from
"Standard" to "Administrator".

(2) From Cygwin (Administrator) command line (with Windows PATH):

$ net localgroup Administrators sshd /ADD

Once you have completed this, check that the "cyg_server" belongs to the
group "Administrators" with:

$ net user cyg_server
...

========================================================
So to summarize, the following issues have not been addressed:

(a) The user "sshd" user account password expires after 42 days.
(b) The user is not part of "Administrator" group, severely limiting its usability.
(c) An artificial 3rd user is still needed to be able to login remotely using SSH,
     if the "regular" Cygwin Windows user has chosen not to have a password.
(d) The error messages are incomprehensible.
(e) The text "Query: Enter the value of CYGWIN for the daemon: []" is incomprehensible

For everybody's convenience, to fix the password expiration (a), use this line:

$ wmic useraccount where "Name='sshd'" set PasswordExpires=FALSE

(The extra quotes there are crucial!)

Happy Holiday Wishes!

# CYGWIN_NT-6.3 xxxx 1.7.33-2(0.280/5/3) 2014-11-13 15:47 x86_64 Cygwin

Re: SSHd configuration problems (System error 1376)

Andrey Repin
Greetings, PolarStorm!

> So to summarize, the following issues have not been addressed:

> (a) The user "sshd" user account password expires after 42 days.

This is your system policy. Never had such issues myself.

> (b) The user is not part of "Administrator" group, severely limiting its
> usability.

It shouldn't.

> (c) An artificial 3rd user is still needed to be able to login remotely
> using SSH,
>      if the "regular" Cygwin Windows user has chosen not to have a
> password.

This is an operating system restriction, as far as I know.

> (d) The error messages are incomprehensible.

Which error messages?

> (e) The text "Query: Enter the value of CYGWIN for the daemon: []" is
> incomprehensible

On this, I have to agree.

> For everybody's convenience, to fix the password expiration (a), use this
> line:

> $ wmic useraccount where "Name='sshd'" set PasswordExpires=FALSE

> (The extra quotes there are crucial!)

> Happy Holiday Wishes!

> # CYGWIN_NT-6.3 xxxx 1.7.33-2(0.280/5/3) 2014-11-13 15:47 x86_64 Cygwin

Is this 8.1 ?


--
WBR,
Andrey Repin ([hidden email]) 13.12.2014, <15:23>

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


Re: SSHd configuration problems (System error 1376)

Ken Brown-6
In reply to this post by PolarStorm
On 12/12/2014 8:32 PM, PolarStorm wrote:
> *** Warning: Adding user 'cyg_server' to local group 'root' failed!
> [...]
> Now, the reason for that is that there is no "root" group
> in Windows. Instead it's called "Administrators".

The group is obtained in line 2827 of
/usr/share/csih/cygwin-service-installation-helper.sh:

admingroup=$(/usr/bin/mkgroup -l | /usr/bin/awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}')

On my system this yields "Administrators".  Apparently it yields "root" on your
system.  Any idea why?

Ken


Re: SSHd configuration problems (System error 1376)

Ilya Dogolazky-3
Hi Ken !

12/13/2014 02:30 PM, ext Ken Brown wrote:

> admingroup=$(/usr/bin/mkgroup -l | /usr/bin/awk -F: '{if ( $2 ==
> "S-1-5-32-544" ) print $1;}')

> On my system this yields "Administrators".  Apparently it yields "root"
> on your system.  Any idea why?

I have the same error message as PolarStorm:
"Adding user 'cyg_server' to local group 'root' failed!"

But when I execute the mkgroup+awk (as above) command I receive
"Administrators"

Even more: the output of the "mkgroup -l" command doesn't contain the
string "root" at all. So I believe the statement "group is obtained in
line ..." can't be quite true. The script finds the word "root" from
somewhere, but surely not from that mkgroup+awk command.

PS I'm trying to run sshd on a fresh installed "Windows 8.1 Enterprise
N" system with fresh installed cygwin64.

Cheers,

Ilya


Re: SSHd configuration problems (System error 1376)

Ken Brown-6
On 12/23/2014 8:41 AM, Ilya Dogolazky wrote:

> Hi Ken !
>
> 12/13/2014 02:30 PM, ext Ken Brown wrote:
>
>> admingroup=$(/usr/bin/mkgroup -l | /usr/bin/awk -F: '{if ( $2 ==
>> "S-1-5-32-544" ) print $1;}')
>
>> On my system this yields "Administrators".  Apparently it yields "root"
>> on your system.  Any idea why?
>
> I have the same error message as PolarStorm:
> "Adding user 'cyg_server' to local group 'root' failed!"
>
> But when I execute the mkgroup+awk (as above) command I receive "Administrators"
>
> Even more: the output of the "mkgroup -l" command doesn't contain the string
> "root" at all. So I believe the statement "group is obtained in line ..." can't
> be quite true. The script finds the word "root" from somewhere, but surely not
> from that mkgroup+awk command.
>
> PS I'm trying to run sshd on a fresh installed "Windows 8.1 Enterprise N" system
> with fresh installed cygwin64.

csih has been updated.  The group is now obtained as follows, in lines 2969-2970:

       admingroup=$(/usr/bin/getent group S-1-5-32-544)
       admingroup="${admingroup%%:*}"

This still yields "Administrators" on my system.  I'm using the test release of
cygwin in case that's relevant.

Ken


Re: SSHd configuration problems (System error 1376)

craigmcd
I had the same issue on Windows 2003 32-bit. Without the "-w" option, the only name returned is root, not Administrators:

$ getent -w group S-1-5-32-544
root:0:BUILTIN\Administrators:S-1-5-32-544

$ getent group S-1-5-32-544
root:S-1-5-32-544:0: 

I had to hack /usr/share/csih/cygwin-service-installation-helper.sh in a couple of places to finally make it work.

$ diff -c cygwin-service-installation-helper.sh.orig cygwin-service-installation-helper.sh
*** cygwin-service-installation-helper.sh.orig	2014-12-27 19:33:51.174250000 -0500
--- cygwin-service-installation-helper.sh	2014-12-27 23:26:51.893000000 -0500
***************
*** 2966,2973 ****
      if [ "$username_in_sam" = "yes" ]
      then
        # always try to set group membership and privileges
!       admingroup=$(/usr/bin/getent group S-1-5-32-544)
!       admingroup="${admingroup%%:*}"
        if [ -z "${admingroup}" ]
        then
          csih_warning "Cannot obtain the Administrators group name from 'mkgroup -l'."
--- 2966,2974 ----
      if [ "$username_in_sam" = "yes" ]
      then
        # always try to set group membership and privileges
!       admingroup=$(/usr/bin/getent -w group S-1-5-32-544)
!       admingroup="${admingroup#*:*:*\\}"
!       admingroup="${admingroup%:*}"
        if [ -z "${admingroup}" ]
        then
          csih_warning "Cannot obtain the Administrators group name from 'mkgroup -l'."
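Review bot: the two expansions on the new side of this hunk, `admingroup="${admingroup#*:*:*\\}"` followed by `admingroup="${admingroup%:*}"`, only produce a bare group name when the third field of the `getent -w` output contains a backslash, as in `BUILTIN\Administrators`. If that field has no backslash, the first expansion removes nothing and `admingroup` is left holding the first three colon-separated fields, which still passes the `-z` test that follows. Extract the third field first, then strip any `DOMAIN\` prefix, and treat a result that still contains a colon as a failure. The `csih_warning` text in the context lines also still names 'mkgroup -l', although the value now comes from `getent`.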
***************
*** 3263,3268 ****
--- 3264,3271 ----
    # is not yet installed, so compute the "expected" account under which
    # privileged services should run.

+   mkpasswd -l > /etc/passwd
+
    # use the following procedure if a privileged account is required:
    if ( csih_is_nt2003 || [ "x$csih_FORCE_PRIVILEGED_USER" = "xyes" ] )
    then
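Review bot: `mkpasswd -l > /etc/passwd` in this hunk overwrites /etc/passwd unconditionally, with no backup and no check that mkpasswd succeeded, so a failed run leaves an empty or truncated file and any existing entries that `mkpasswd -l` does not produce are lost. Write to a temporary file and move it into place only on success, keep a copy of the previous file, and add a comment explaining why the regeneration is needed at this point in the script.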

Re: SSHd configuration problems (System error 1376)

Ilya Dogolazky-3
In reply to this post by Ken Brown-6
Hi Ken !

12/23/2014 05:25 PM, ext Ken Brown wrote:
> I'm using the test
> release of cygwin in case that's relevant.

I would like to try this.
How do I install the "test release"?
Is it the same as to select "EXP" instead of "CURR" in the top right
corner of setup.exe GUI or should I do something else?

-- Ilya


Re: SSHd configuration problems (System error 1376)

Ken Brown-6
On 12/29/2014 3:15 AM, Ilya Dogolazky wrote:

> Hi Ken !
>
> 12/23/2014 05:25 PM, ext Ken Brown wrote:
>> I'm using the test
>> release of cygwin in case that's relevant.
>
> I would like to try this.
> How do I install the "test release"?
> Is it the same as to select "EXP" instead of "CURR" in the top right corner of
> setup.exe GUI or should I do something else?

That would work, but it would pull in test releases (if they exist) of *all* of
your installed packages, which is probably not what you want.  To install the
test release of the cygwin package alone, locate it in the "Select Packages"
screen.  You should see "Keep" or "1.7.33-1" in the "New" column.  Click on that
word/number until it changes to 1.7.34-003.

Ken


Re: SSHd configuration problems (System error 1376)

Ilya Dogolazky-3
Hi Ken!

I followed your advice:
1) Reinstalled windows again
2) Started setup_x86-64.exe from cygwin web site
3) Changed two things in the package list:
  a) Changed version of package cygwin to 1.7.34.003
  b) Marked package "ssh" to be installed
4) After installation started terminal (icon right click -> run as admin)
5) Typed "ssh-host-config -y"
6) Copied the output and attached to this e-mail

The same problem as before:
   System error 1376 has occurred.
   The specified local group does not exist.
   Adding user 'cyg_server' to local group 'root' failed!

:-(

By the way, very first message is quite funny: "it seems your account
does not have these privileges". According to windows UI my account (the
only one on this fresh installed machine) is an administrative one.

Cheers,

Ilya Dogolazky



Re: SSHd configuration problems (System error 1376)

Ken Brown-6
On 12/29/2014 9:07 AM, Ilya Dogolazky wrote:

> Hi Ken!
>
> I followed your advice:
> 1) Reinstalled windows again
> 2) Started setup_x86-64.exe from cygwin web site
> 3) Changed two things in the package list:
>   a) Changed version of package cygwin to 1.7.34.003
>   b) Marked package "ssh" to be installed
> 4) After installation started terminal (icon right click -> run as admin)
> 5) Typed "ssh-host-config -y"
> 6) Copied the output and attached to this e-mail
>
> The same problem as before:
>    System error 1376 has occurred.
>    The specified local group does not exist.
>    Adding user 'cyg_server' to local group 'root' failed!
>
> :-(
>
> By the way, very first message is quite funny: "it seems your account does not
> have these privileges". According to windows UI my account (the only one on this
> fresh installed machine) is an administrative one.

> $ ssh-host-config -y
>
> *** Warning: Running this script typically requires administrator privileges!
> *** Warning: However, it seems your account does not have these privileges.
> *** Warning: Here's the list of groups in your user token:
>
>     None
>     root
>     Users

This output comes from the following code, starting at line 619:

# Make sure the user is running in an administrative context
admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)
if [ "${admin}" != "yes" ]
then
  echo
  csih_warning "Running this script typically requires administrator privileges!"
  csih_warning "However, it seems your account does not have these privileges."
  csih_warning "Here's the list of groups in your user token:"
  echo
  for i in $(/usr/bin/id -G)
  do
    /usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \"    \" \$1; }" /etc/group
  done

If you were really running in an elevated shell, I don't know why 544 didn't show up in the output of "id -G".

Ken


Re: SSHd configuration problems (System error 1376)

Houder
In reply to this post by PolarStorm
> If you were really running in an elevated shell, I don't know why 544 didn't show up in the output of "id -G".
>
> Ken

Because Ilya's /etc/group file has a line that reads:

root:S-1-5-32-544:0:

instead of:

Administrators:S-1-5-32-544:544:

?

Put differently, he has copied an old group file from another computer?

Henri






Re: SSHd configuration problems (System error 1376)

Ilya Dogolazky-3
In reply to this post by Ken Brown-6
12/29/2014 06:30 PM, ext Ken Brown wrote:
> If you were really running in an elevated shell, I don't know why 544 didn't show up in the output of "id -G".

But that's exactly what's happening with the testing version of cygwin
DLL (I wrote a bug report as a new mail thread)



Re: SSHd configuration problems (System error 1376)

Larry Hall (Cygwin)
In reply to this post by Houder
On 12/29/2014 11:27 PM, Houder wrote:

>> If you were really running in an elevated shell, I don't know why 544
>> didn't show up in the output of "id -G".
>>
>> Ken
>
> Because Ilya's /etc/group file has a line that reads:
>
> root:S-1-5-32-544:0:
>
> instead of:
>
> Administrators:S-1-5-32-544:544:
>
> ?
>
> Put differently, he has copied an old group file from another computer?

Well, that wouldn't be why 544 didn't show up in the output of "id -G"
if the shell was elevated but root showing up in either of the passwd
or group files is a key indicator that the file was modified by something
other than mkpasswd and mkgroup at one point in the past, yes.


--
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?


Re: SSHd configuration problems (System error 1376)

Houder
In reply to this post by PolarStorm
>>>        If you were really running in an elevated shell, I don't know why 544
>>>        didn't show up in the output of "id -G".
>>>
>>>        Ken

>>    Because Ilya's /etc/group file has a line that reads:
>>
>>    root:S-1-5-32-544:0:
>>
>>    instead of:
>>
>>    Administrators:S-1-5-32-544:544:
>>
>>    ?
>>
>>    Put differently, he has copied an old group file from another computer?

> Well, that wouldn't be why 544 didn't show up in the output of "id -G"
> if the shell was elevated ...

Hi, Larry, yes, it does (could reproduce that on my system - W7)

>                               but root showing up in either of the passwd
> or group files is a key indicator that the file was modified by something
> other than mkpasswd and mkgroup at one point in the past, yes.

Agreed.

Perhaps the real question is why Ilya believes he has no group file? He is quite certain, that he has a clean
installation of Cygwin. If so, I cannot explain the output he got from /usr/bin/ssh-host-config ...

(btw, I cannot explain why ssh-host-config references /etc/group unconditionally; it might not exist, because
 as far as I know ... it will only be there if the user has created the file - starting 1.7.34)

Henri

(my last entry, yes, otherwise I will have to subscribe myself to the list ... yes, I know)



Re: SSHd configuration problems (System error 1376)

Corinna Vinschen-2
In reply to this post by Ken Brown-6
On Dec 29 11:30, Ken Brown wrote:

> On 12/29/2014 9:07 AM, Ilya Dogolazky wrote:
> > Hi Ken!
> >
> > I followed your advice:
> > 1) Reinstalled windows again
> > 2) Started setup_x86-64.exe from cygwin web site
> > 3) Changed two things in the package list:
> >   a) Changed version of package cygwin to 1.7.34.003
> >   b) Marked package "ssh" to be installed
> > 4) After installation started terminal (icon right click -> run as admin)
> > 5) Typed "ssh-host-config -y"
> > 6) Copied the output and attached to this e-mail
> >
> > The same problem as before:
> >    System error 1376 has occurred.
> >    The specified local group does not exist.
> >    Adding user 'cyg_server' to local group 'root' failed!
> >
> > :-(
> >
> > By the way, very first message is quite funny: "it seems your account does not
> > have these privileges". According to windows UI my account (the only one on this
> > fresh installed machine) is an administrative one.
>
> > $ ssh-host-config -y
> >
> > *** Warning: Running this script typically requires administrator privileges!
> > *** Warning: However, it seems your account does not have these privileges.
> > *** Warning: Here's the list of groups in your user token:
> >
> >     None
> >     root
> >     Users
>
> This output comes from the following code, starting at line 619:
>
> # Make sure the user is running in an administrative context
> admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)

You shouldn't discuss stuff like that when I'm on vacation :)

The aforementioned message is a result of a change in how the function
underlying `id' works.

For a start, the "root" group is created and added to the default
/etc/group file by the base-cygwin package.  I don't remember why we did
that in the first place, but given that /etc/group goes away, so will
the faked "root" group.  The next base-cygwin package will not generate
/etc/passwd or /etc/group file anymore anyway.

Assuming you have a "root" group in /etc/group (usually if you never
regenerated /etc/group), then `id' under 1.7.33 and earlier prints
*both* gids, 0 and 544.  Starting with 1.7.34 it only prints the first
group matching the S-1-5-32-544 SID, which is "0" with the default
/etc/group.

The old getgroups iterated through the groups from /etc/groups, and then
checked for each group if its SID is available in the user's token.

This behaviour only makes sense if there is a self-contained list of
groups in memory.  But the new code doesn't read all of /etc/group, or,
worse, all groups from the Windows account DB.  So the new, more logical
behaviour is to iterate over the groups in the user's token and then
checking for (or generating) a group entry for the SID.  So, in contrast
to the old code, the new code only generates a single group entry per
SID.

I hope we can get over that without having to tweak the ssh-host-config
script to explicitly check for a 0 gid...


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
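
The getgroups change described in the message above, as an added simulation that is not part of the thread and is not Cygwin or csih code. The group file, the token SID lists and every function name are constructed for illustration; SIDs with no group-file entry are skipped, which corresponds to the `group: files` case raised later in the thread.

```shell
#!/bin/sh
# Added simulation; not Cygwin or csih code. File contents, SIDs and function
# names below are constructed for illustration.

ADMIN_SID="S-1-5-32-544"

# Constructed /etc/group (name:SID:gid:members) with the legacy "root" line
# ahead of the mkgroup-style Administrators line for the same SID.
GROUP_FILE=$(mktemp)
trap 'rm -f "$GROUP_FILE"' EXIT
cat > "$GROUP_FILE" <<'EOF'
root:S-1-5-32-544:0:
Administrators:S-1-5-32-544:544:
Users:S-1-5-32-545:545:
None:S-1-5-21-1111111111-2222222222-3333333333-513:513:
EOF

# Constructed SID lists standing in for an elevated and a non-elevated token.
TOKEN_SIDS="S-1-5-21-1111111111-2222222222-3333333333-513 S-1-5-32-544 S-1-5-32-545"
PLAIN_SIDS="S-1-5-21-1111111111-2222222222-3333333333-513 S-1-5-32-545"

# Old behaviour: walk the group file and emit the gid of every entry whose
# SID is in the token, so a SID listed twice yields two gids.
old_getgroups() {
  awk -F: -v sids="$2" '
    BEGIN { n = split(sids, s, " "); for (i = 1; i <= n; i++) in_token[s[i]] = 1 }
    ($2 in in_token) { out = out (out == "" ? "" : " ") $3 }
    END { print out }' "$1"
}

# New behaviour: walk the token and emit one gid per SID; the first matching
# group-file entry wins.
new_getgroups() {
  awk -F: -v sids="$2" '
    !($2 in gid) { gid[$2] = $3 }
    END {
      n = split(sids, s, " ")
      for (i = 1; i <= n; i++)
        if (s[i] in gid) out = out (out == "" ? "" : " ") gid[s[i]]
      print out
    }' "$1"
}

# The test quoted from the helper script: is 544 a whole word in the gid list?
gid_544_check() {
  case " $1 " in *" 544 "*) echo yes ;; *) echo no ;; esac
}

# SID-based alternative: does any gid in the list belong to a group-file
# entry for the Administrators SID, whatever that entry's name or gid is?
sid_check() {
  awk -F: -v gids="$2" -v sid="$ADMIN_SID" '
    BEGIN { n = split(gids, g, " "); for (i = 1; i <= n; i++) have[g[i]] = 1 }
    $2 == sid && ($3 in have) { found = 1 }
    END { print (found ? "yes" : "no") }' "$1"
}

# Lint: names of entries whose SID is already claimed by an earlier line.
shadowed_entries() {
  awk -F: 'seen[$2]++ { print $1 }' "$1"
}

old=$(old_getgroups "$GROUP_FILE" "$TOKEN_SIDS")
new=$(new_getgroups "$GROUP_FILE" "$TOKEN_SIDS")
echo "old getgroups: $old  (gid 544 test: $(gid_544_check "$old"))"
echo "new getgroups: $new  (gid 544 test: $(gid_544_check "$new"))"
echo "SID-based test on new list: $(sid_check "$GROUP_FILE" "$new")"
echo "shadowed entries: $(shadowed_entries "$GROUP_FILE")"
```

With the "root" line first, the new iteration order reports gid 0 for the Administrators SID, so the gid-544 word match says "no" for an elevated token while the SID-based test still says "yes".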


Re: SSHd configuration problems (System error 1376)

Houder
Corinna wrote:

> The aforementioned message is a result of a change in how the function
> underlying `id' works.
[snip]

> The old getgroups iterated through the groups from /etc/groups, and then
> checked for each group if its SID is available in the user's token.
>
> This behaviour only makes sense if there is a self-contained list of
> groups in memory.  But the new code doesn't read all of /etc/group, or,
> worse, all groups from the Windows account DB.  So the new, more logical
> behaviour is to iterate over the groups in the user's token and then
> checking for (or generating) a group entry for the SID.  So, in contrast
> to the old code, the new code only generates a single group entry per
> SID.

... to iterate over the groups in the user's token ...

But, by design, groups NOT present in the group file will NOT be reported
by id, in case the nsswitch.conf file specifies:

# only show me the gid's I am interested in (i.e. those in the group file)
group: files

Correct?

Henri



Re: SSHd configuration problems (System error 1376)

Andrey Repin
In reply to this post by Corinna Vinschen-2
Greetings, Corinna Vinschen!

Speaking of ssh-host-config, how to specify domain user to run SSHD, while
setting up the service through script? (Yes, I'm experimenting with snapshot.)


--
WBR,
Andrey Repin ([hidden email]) 08.01.2015, <06:07>

Sorry for my terrible english...



Re: SSHd configuration problems (System error 1376)

Corinna Vinschen-2
In reply to this post by Houder
On Jan  8 02:38, Houder wrote:

> Corinna wrote:
>
> > The aforementioned message is a result of a change in how the function
> > underlying `id' works.
> [snip]
>
> > The old getgroups iterated through the groups from /etc/groups, and then
> > checked for each group if its SID is available in the user's token.
> >
> > This behaviour only makes sense if there is a self-contained list of
> > groups in memory.  But the new code doesn't read all of /etc/group, or,
> > worse, all groups from the Windows account DB.  So the new, more logical
> > behaviour is to iterate over the groups in the user's token and then
> > checking for (or generating) a group entry for the SID.  So, in contrast
> > to the old code, the new code only generates a single group entry per
> > SID.
>
> ... to iterate over the groups in the user's token ...
>
> But, by design, groups NOT present in the group file will NOT be reported
> by id, in case the nsswitch.conf file specifies:
>
> # only show me the gid's I am interested in (i.e. those in the group file)
> group: files
>
> Correct?

Correct.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


Re: SSHd configuration problems (System error 1376)

Corinna Vinschen-2
In reply to this post by Andrey Repin
On Jan  8 06:09, Andrey Repin wrote:
> Greetings, Corinna Vinschen!
>
> Speaking of ssh-host-config, how to specify domain user to run SSHD, while
> setting up the service through script? (Yes, I'm experimenting with snapshot.)

The ssh-host-config script is supposed to work for simple standalone
environments, not for AD environments.  If you want to use a domain
account, the account must already exist, see

  https://cygwin.com/faq/faq.html#faq.using.sshd-in-domain

The FAQ entry mentions adding the account to /etc/passwd, but that
obviously is not required anymore with 1.7.34 (FAQ needs change).

Also, the current released ssh-host-config script is not 1.7.34-ready.
I sent a few patches upstream already and I was planning to update
the openssh package when I release 1.7.34.

For your convenience, I attached the current upstream ssh-host-config
script.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


Re: SSHd configuration problems (System error 1376)

Andrey Repin
Greetings, Corinna Vinschen!

>> Speaking of ssh-host-config, how to specify domain user to run SSHD, while
>> setting up the service through script? (Yes, I'm experimenting with snapshot.)

> The ssh-host-config script is supposed to work for simple standalone
> environments, not for AD environments.  If you want to use a domain
> account, the account must already exist, see

>   https://cygwin.com/faq/faq.html#faq.using.sshd-in-domain

Damn, I didn't think of checking the FAQ. Thanks!

> The FAQ entry mentions adding the account to /etc/passwd, but that
> obviously is not required anymore with 1.7.34 (FAQ needs change).

> Also, the current released ssh-host-config script is not 1.7.34-ready.
> I sent a few patches upstream already and I was planning to update
> the openssh package when I release 1.7.34.

> For your convenience, I attached the current upstream ssh-host-config
> script.

I'll play with it a little, thank you again!


--
WBR,
Andrey Repin ([hidden email]) 08.01.2015, <21:41>

Sorry for my terrible english...

