info-cvs

Re: SSHD user-switching under Cygwin/XP (was Re: Case insensitivity ad n


From: Derek Robert Price
Subject: Re: SSHD user-switching under Cygwin/XP (was Re: Case insensitivity ad nauseum)
Date: Fri, 05 Dec 2003 13:30:29 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Max Bowsher wrote:

>Derek Robert Price wrote:
>
>>My research so far leads me to believe that the problem is that the
>>Local System Account does not have permission to access the drive.
>
>...
>
>>>>it set up for nightly testing (if anyone knows how to get Cygwin sshd to
>>>>allow access to a mounted Samba share via its login shell, I could use
>>>>some assistance).
>
>
>I haven't been following the case-insensitivity thread, but is this the
>problem:
>
>You are logging in to Cygwin sshd using publickey auth (i.e. no password),
>and you cannot access a Samba/Windows share that your user should be able
>to?


Yes.

>If so, the explanation is this:
>
>sshd runs as the Windows SYSTEM user (or other user with sufficient rights)
>to create Windows authentication tokens. These are fully valid on the local
>machine, *but* if you do not log in with a password, the token does not
>contain a password (because there is no way to know what it is - it is
>hashed in the Windows password database). Therefore, no password = unable to
>authenticate to remote machines, therefore unable to access network shares.
>
>There is no elegant solution. Inelegant solutions include:
>* Only log into sshd with a password.


I can't.  I want to make this part of the automated nightly testing and
currently, for security reasons, the testing account doesn't even have a
password.

>* Put your password into a file only readable by you, and use it with the
>Windows "net use" command during your .profile, to connect to the network
>share.


It took me some time to figure out the syntax, but I've now tried
various permutations of net use.  I mostly am causing it to generate a
lot of system errors:

> address@hidden ~
> $ net use z: '\\empress\oberon' /user:oberon 'password'
> System error 5 has occurred.
>
> Access is denied.
>
>
> address@hidden ~
> $


and

> address@hidden ~
> $ net use '\\empress\oberon' /user:address@hidden 'password'
> System error 86 has occurred.
>
> The specified network password is not correct.
>
>
> address@hidden ~
> $ net use '\\empress\oberon' /user:oberon 'password'
> System error 1312 has occurred.
>
> A specified logon session does not exist. It may already have been
> terminated.
>
>
> address@hidden ~
> $ net use z: '\\empress\oberon' /user:oberon
> Enter the password for 'oberon' to connect to 'empress': Enter the
> password for
> 'oberon' to connect to 'empress': System error 5 has occurred.
>
> Access is denied.
>
> The password is invalid for \\empress\oberon.
>
>
>
>
> address@hidden ~
> $ net use z: '\\empress\oberon' /user:oberon
> Enter the password for 'oberon' to connect to 'empress': Enter the
> password for
> 'oberon' to connect to 'empress': System error 5 has occurred.
>
> Access is denied.
>
> The password is invalid for \\empress\oberon.
>
>
>
>
> address@hidden ~
> $ net use z: '\\empress\oberon' /user:oberon 'password'
> System error 5 has occurred.
>
> Access is denied.
>
>
> address@hidden ~
> $


Note that in the cases where I do not supply a password, the prompt that
is presented times out with the error message in milliseconds.  There is
not nearly enough time for me to even hit a key.

SSHD does appear to be performing the user switch correctly.  I think
that is the reason I show up in the Administrators group, and I can
access my local files:

> address@hidden ~
> $ id
> uid=1009(oberon) gid=513(None)
> groups=513(None),544(Administrators),545(Users)
>
> address@hidden ~
> $


When the drive is already mounted from the XP desktop, the following
command claims to work:

> address@hidden ~
> $ net use z:
> Local name        z:
> Remote name       \\Empress\oberon
> Resource type     Disk
> The command completed successfully.
>
>
> address@hidden ~
> $


But the drive still doesn't appear, even after issuing mount commands:

> address@hidden ~
> $ ls /cygdrive/
> c
>
> address@hidden ~
> $ ls /cygdrive/z/
> ls: /cygdrive/z/: No such file or directory
>
> address@hidden ~
> $


I will note that `net use' still reports the Z: drive is inaccessible
after the previous command returns success:

> address@hidden ~
> $ net use
> New connections will be remembered.
>
>
> Status       Local     Remote                    Network
>
> --------------------------------------------------------------------------------
> Unavailable  Z:        \\Empress\oberon          Microsoft Windows Network
> The command completed successfully.
>
>
> address@hidden ~
> $


Any more hints?

Regards,

Derek

- --
                *8^)

Email: address@hidden

Get CVS support at <http://ximbiot.com>!
- --
Were it left for me to decide whether we should have a government
without newspapers, or newspapers without a government, I should not
hesitate a moment to prefer the latter.
            - Thomas Jefferson
            (appeared
                         http://hotwired.lycos.com/special/lawsuit/ )
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org

iD8DBQE/0M7ELD1OTBfyMaQRAkMGAKDV6wXX6IRA6I0L5mmPLgKFOIaJCQCdH1EW
HbrBiZtc91TIL02Rv3Hq8do=
=ZGcB
-----END PGP SIGNATURE-----
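
A pre-flight check for an automated job like the nightly testing described above, as an added example that is not part of the original message: because `net use z:` reported success while the listing still showed Z: as Unavailable, it reads the Status column of the `net use` listing instead of trusting the completion message. The function names and the sample listing (including the Y: row) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: a `net use` listing in the layout shown in the message.
SAMPLE_LISTING='New connections will be remembered.


Status       Local     Remote                    Network

-------------------------------------------------------------------------------
Unavailable  Z:        \\Empress\oberon          Microsoft Windows Network
OK           Y:        \\Empress\builds          Microsoft Windows Network
The command completed successfully.
'

# share_rows: read a `net use` listing on stdin and print one line per mapped
# drive as "LOCAL REMOTE STATUS". Only rows between the dashed separator and
# the completion message are considered.
share_rows() {
    awk '
        { sub(/\r$/, "") }                      # native Windows tools emit CRLF
        /^-+$/ { in_table = 1; next }
        /^The command completed/ { in_table = 0 }
        in_table && NF >= 3 && $2 ~ /^[A-Za-z]:$/ { print $2, $3, $1 }
    '
}

# unusable_shares: print every mapping whose status is not OK.
# Exit status is 1 if at least one such mapping exists, 0 otherwise.
unusable_shares() {
    share_rows | awk '$3 != "OK" { print; bad = 1 } END { exit bad + 0 }'
}

# Typical use at the top of a job script (commented out so that sourcing
# this file has no side effects):
#   net use | unusable_shares || { echo "network share not usable" >&2; exit 1; }
```
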





