On Thu, 27 May 2004, Mike Kenny - BCX - Mngd Services wrote:
From: Larry Hall [mailto:[EMAIL PROTECTED]
http://cygwin.com/acronyms/#PCYMTNQREAIYR.
At 03:52 AM 5/26/2004, you wrote:
I previously posted a problem where a job failed attaching to an MQ
Q Manager when run from cron. The explanation that was provided
was that because MQ authenticates the user using the NT services
and cron had had to su to that user, bypassing these services, that
the user running the job did not then have the correct credentials.
This sounds plausible and certainly explains the behaviour I see, but
what would be involved in cron checking to see under which user the
cygwin session is running and if this is the same user as the cygwin
cron service is running under. If they are the same then do not do
the change of user? Would this enable the cron job to run with the
correct credentials? Or am I totally misunderstanding the problem?
I admit that I know little or nothing about either Windows security
or how cygwin interacts with it.
Thanks for any comments on this
In the default installation, the user doing the su (as you refer to
it) is the SYSTEM user. The SYSTEM user has no access to remote SMB
shares. So your idea doesn't work because it assumes something that
isn't true.
One possible alternative is to run cron as the user you want to run
jobs as. I don't recall, off-the-top-of-my-head, whether cron assumes
that it will run as SYSTEM and, if so, this approach probably wouldn't
work without changing the code. Another alternative might be to use a
service which allows accessing remote directories without requiring
Windows authentication (i.e. not SMB).
Larry, first, thanks for taking the time to respond. Possibly I do not
understand your comments, but I am confused by the reference to shares.
I have a situation where, on the windows side, cron is running as user
'mqdisp'. This user is a member of the mqm group (required for MQ Series)
and is an Administrator with permissions to log in as a service and to act
as part of the Operating System. On the cywin side, mqdisp is the user that
is trying to run the cron job that attaches to MQ Series. My event log is
showing me the following:
[754] MQSeries
Type: WARNING
Computer: TEST1
Time: 2004/05/27 10:50:14 ID: 8074
Authorization failed as the SID 'S-1-5-21-776561741-1935655697-1343024091-1007' does
not match the entity 'system'.
The Object Authority Manager received inconsistent data - the supplied SID does
not match that of the supplied entity information.
Ensure that the application is supplying valid entity and SID information.
While /etc/passwd has the following:
SYSTEM:*:18:544:,S-1-5-18::
mqdisp:unused_by_nt/2000/xp:1007:513:mqdisp,U-TEST1\mqdisp,S-1-5-21-776561741-1935655697-1343024091-1007:/home/mqdisp:/bin/bash
The PS shows that cron is running as SYSTEM, and it seems that it is trying
to use mqdisp's credentials to authenticate system.
I hope the above better explains my problem.
Did you look at http://cygwin.com/cygwin-ug-net/ntsec.html#NTSEC-SETUID?
BTW, is there some way that I can login as 'system'? This might provide a
way around this problem.
There is, but I doubt it'd be helpful. That said, Google for
system-owned shell cygwin.
Thanks for any input to this
Just try what's already been suggested -- run the cron daemon as mqdisp
(if that's the only thing you're using cron for) by using the --user and
--passwd options to cygrunsrv.
Igor
--
http://cs.nyu.edu/~pechtcha/
|\ _,,,---,,_[EMAIL PROTECTED]
ZZZzz /,`.-'`'-. ;-;;,_[EMAIL PROTECTED]
|,4- ) )-,_. ,\ ( `'-' Igor Pechtchanski, Ph.D.
'---''(_/--' `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-. Meow!
I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster. -- Patrick Naughton
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/