Corinna,

On Fri, Oct 26, 2001 at 08:00:24PM +0200, Corinna Vinschen wrote:
> On Thu, Oct 25, 2001 at 02:12:44PM -0400, Jason Tishler wrote:
> > I know that it has been noted that one cannot access network shares from
> > a ssh login due to running under the LocalSystem account. But, I was
> > surprised by the chown and start/stop service restrictions since I
> > perceived them to be local operations.
>
> I'm surprised, too. I don't have a domain environment so I can't
> test that further. Are you sure that you're not just restricted
> due to either having /etc/passwd or /etc/group not set up correctly

AFAICT, I have set up my passwd/group file correctly. The procedure that
I use in a domain environment is to execute mkpasswd/mkgroup -l and then
append the appropriate entries from mkpasswd/mkgroup -d.

> or actually having restrictions due to domain policy?

I'm not sure what you mean by "domain policy." Can a Windows domain
policy cause the restrictions being observed?

Nevertheless, I now better understand why chown was not working under
ssh via key exchange:

$ ssh tishlmob2d1m701 id
uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),545(Users),10513(Domain Users),12093(Software Engineering)

Note that Windows does not think that I am in the local Administrators
group. Hence, I'm not able to chown, net start/stop, etc.

But, if I ssh via password exchange:

$ ssh -1 tishlmob2d1m701 id
jtishler@tishlmob2d1m701's password:
uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),544(Administrators),545(Users),10513(Domain Users),12093(Software Engineering)

then Windows does. Why? Unfortunately, I don't (currently) know.

Here is another example:

$ ssh raidboston id
uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),545(Users),10513(Domain Users),12093(Software Engineering

$ ssh -1 raidboston id
jtishler@raidboston's password:
uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),544(Administrators),545(Users),1001(cvs-change-local),1000(cvsfull-local),10513(Domain Users),12093(Software Engineering)

Note that cvs-change-local and cvsfull-local are local groups.

So, it appears that when one uses ssh key exchange to a domain machine,
then Windows does not think that the user is a member of any local group
except possibly Everyone. Is Everyone a local or domain group?

BTW, the local group membership problem also affects cron usage in
domain environments -- to no great surprise.

Jason
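
The comparison made by hand in the message above, as an added example that is not part of the original post: a shell script that diffs the group lists of two `id` results, one per authentication method, and reports which groups the key-exchange session lacks. The two sample lines are the first host's output as quoted in the message; the function names are hypothetical.

```shell
#!/bin/sh
# Sample input: the two `id` results for the first host, as quoted in the
# message above (embedded here so the script runs offline).
ID_PUBKEY='uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),545(Users),10513(Domain Users),12093(Software Engineering)'
ID_PASSWORD='uid=12986(jtishler) gid=10513(Domain Users) groups=0(Everyone),544(Administrators),545(Users),10513(Domain Users),12093(Software Engineering)'

# Print one "gid(name)" entry per line, sorted, from one line of `id` output.
# Group names contain spaces, so split only on the commas after "groups=".
id_groups() {
    printf '%s\n' "$1" \
        | sed -n 's/^.* groups=//p' \
        | tr ',' '\n' \
        | sed '/^$/d' \
        | LC_ALL=C sort
}

# Print the groups present in the second `id` line but absent from the first.
missing_groups() {
    a=$(mktemp)
    b=$(mktemp)
    id_groups "$1" > "$a"
    id_groups "$2" > "$b"
    LC_ALL=C comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Succeed when the `id` line lists gid 544, shown as Administrators above.
has_local_admin() {
    id_groups "$1" | grep -q '^544('
}

echo "Groups missing from the key-exchange session:"
missing_groups "$ID_PUBKEY" "$ID_PASSWORD"

if has_local_admin "$ID_PUBKEY"; then
    echo "key exchange: local Administrators present"
else
    echo "key exchange: local Administrators absent"
fi
```

To check a live host, replace the two sample variables with the captured output of `ssh HOST id` for each authentication method.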