I'm trying to install Cygwin with SSHd on a Windows Server 2008 R2 domain controller. I have installed Cygwin and SSHd several times on other machines, with no issues. Being a domain controller, the cyg_server user is part of the domain. I have enabled SeTcbPrivilege on the Group Policy for Domain Controllers for DOMAIN\cyg_server, but it's somehow not applying.
The output of gpresult /v is:
GPO: Default Domain Controllers Policy
Policy: TcbPrivilege
Computer Setting: Administrators
DOMAIN\cyg_server
DOMAIN\Domain Admins
Running RSoP.msc is consistent with gpresult, and also shows that those groups and the cyg_server user should have TcbPrivilege.
But the output of whoami /priv shows SeTcbPrivilege "Disabled":
PRIVILEGES INFORMATION
----------------------
Privilege Name                  Description                                              State
=============================== ======================================================== ========
<...>
SeTcbPrivilege                  Act as part of the operating system                      Disabled
<...>
I can start the Cygwin SSHd service, but I can only log on as cyg_server. When I try to log on as Administrator, I see this:
urkom@workstation:~$ ssh Administrator@domaincontroller
Administrator@domaincontroller's password:
Last login: Tue May 7 13:26:29 2013 from 172.1.10.22
/bin/bash: Operation not permitted
Connection to domaincontroller closed.
For reference, here is the relevant line of /etc/passwd:
Administrator:unused:500:513:Administrator,U-DOMAIN\Administrator,S-1-5-21-3835976426-429400520-196227251-500:/home/Administrator:/bin/bash
I'm stuck, so any help would be welcome. Thank you.
Ok, yes, that was quite dumb on my side... :)
The official documentation actually has all the information that you need: http://www.cygwin.com/faq/faq.using.html#faq.using.sshd-in-domain
To make Cygwin SSHd work, I had to add the third permission of that list "Replace a process level token":
Now SSH login works! Yay!
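A quick way to confirm what the policy actually assigned, rather than inferring it from whoami /priv (which reports only the calling user's own token, where "Disabled" means the privilege is held but not currently enabled), is to export the effective local security policy with secedit and read the [Privilege Rights] section. The script below is an added example, not part of the original thread or of the Cygwin project; it assumes an elevated PowerShell session on the DC, and DOMAIN\cyg_server is a placeholder for the real service account. It checks the two rights named in this thread, SeTcbPrivilege ("Act as part of the operating system") and SeAssignPrimaryTokenPrivilege ("Replace a process level token"); add further rights to the list if your ssh-host-config run granted others.

```powershell
# Added example (not from the original thread or from Cygwin): report which
# principals hold the user rights Cygwin sshd needs on this host, taken from
# the effective local security policy exported by secedit.
# Assumptions: elevated PowerShell; 'DOMAIN\cyg_server' is a placeholder.
param(
    [string]$Account = 'DOMAIN\cyg_server'
)

# Rights referenced in the thread. Extend this list with any other rights
# assigned to the service account (assumption: these two are the ones in question).
$RightsToCheck = @('SeTcbPrivilege', 'SeAssignPrimaryTokenPrivilege')

# secedit lists principals as *S-1-5-..., so resolve the account to its SID.
$ntAccount = New-Object System.Security.Principal.NTAccount($Account)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the USER_RIGHTS area of the effective policy to a temp .inf file.
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed (run elevated?)' }

# Parse lines of the form "SeXxx = *S-1-5-...,*S-1-5-..." into right -> holders.
$assigned = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $assigned[$matches[1]] = ($matches[2] -split ',') |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ -ne '' }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# One row per right: whether the account holds it, and who else does.
foreach ($right in $RightsToCheck) {
    $holders = @($assigned[$right])
    [pscustomobject]@{
        Right   = $right
        Held    = ($holders -contains $sid) -or ($holders -contains $Account)
        Holders = ($holders -join ', ')
    }
}
```

If a right shows Held = False here while gpresult claims the GPO grants it, the setting has not been applied to the local policy yet (gpupdate /force and a reboot of the service are the usual next step); if it shows True but sshd still fails, the missing right is one not in the list, which is what the accepted fix above turned out to be.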
When you say "Administrator@domaincontroller", you mean you're trying to perform a logon against the local administrator account on the machine? That will not work on a DC because there is NO local account any more on a DC: you need to perform a logon using the AD administrator.