I’m a Unix administrator who also has to work with various MS Windows servers. For various tasks, I’m a lot more productive using the Unix tools that I’m familiar with and for a long time, I’ve been using Cygwin on my local workstation. Now, I’d like to set up Cygwin on certain Windows servers so that I can SSH into them and use the same tools for administrative tasks.
In previous versions, Cygwin would map Windows to POSIX users and permissions from a /etc/passwd and /etc/groups files but now it directly uses Active Directory on the domain controller to authenticate users. The Cygwin FAQ has been updated with instructions for setting up SSHD on a domain:
First of all, create a new domain account called "cyg_server". This account must be an administrative account, so make sure it's in the "Administrators" group.
Now create a domain policy which is propagated to all machines which are supposed to run an sshd service. This domain policy should give the following user rights to the "cyg_server" account:
Act as part of the operating system (SeTcbPrivilege)
Create a token object (SeCreateTokenPrivilege)
Replace a process level token (SeAssignPrimaryTokenPrivilege)
I have administrator access to the AD domain controller (which runs on Windows Server 2008 R2) and I’ve created the cyg_server domain account as a member of the Administrators group. However, I don’t know enough about Windows administration to follow the remaining instructions.
I presume “domain policy” refers to group policies but I really don’t know anything about group policies. I thought this question seemed relevant but it didn’t have enough detail for me to make use of it.
Okay, the rough guide to Group Policy Objects for UNIX-admins ;)
First of all, Active Directory is basically a database which has different types of objects in it. As with LDAP, AD originates from X.500, thus both are hierarchical and use various objects. One of those is of the Group Policy Object (GPO) type.
You'll need to 'link' a GPO somewhere in the tree of a domain. In general, linked GPOs apply their settings for machines (i.e.: computer objects, applied at boot) and user accounts (user objects, applied after logon), recursively.
By default, there are two GPOs linked in a new domain:
Don't modify these unless you understand what you are doing. Create a new GPO instead.
I'm not going to explain in detail how to create a GPO here. Determine your scope, and ensure the settings are correct. For this specific case, I'd suggest you link it to the Organizational Unit (OU) where your servers reside.
The policy as suggested in the question probably should look a bit like this.
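Here is the same procedure scripted in PowerShell, as an added example that is not part of the original question or answer: create a dedicated GPO, link it only to the servers' OU (the scoping the answer recommends), and populate the three user rights from the Cygwin FAQ. The Group Policy cmdlets cannot set User Rights Assignment directly, because those settings live in the security template (GptTmpl.inf) under SYSVOL rather than in registry-backed policy, so the script writes that file and registers the Security client-side extension on the GPO itself. The domain name example.local, the OU path OU=Servers,DC=example,DC=local and the GPO name are assumed; the account name cyg_server and the three privileges come from the page. It needs the RSAT GroupPolicy and ActiveDirectory modules and a domain admin session.

```powershell
# Added example (not from the question, the answer or the Cygwin FAQ).
# Assumed values: domain example.local, OU "OU=Servers,DC=example,DC=local",
# GPO name below. Account "cyg_server" and the privileges are from the page.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain   = 'example.local'                        # assumption
$TargetOU = 'OU=Servers,DC=example,DC=local'       # assumption: OU holding the sshd servers
$GpoName  = 'Cygwin sshd - cyg_server user rights' # assumption
$Account  = 'cyg_server'

# GptTmpl.inf takes "*SID" entries, not account names, so resolve the SID first.
$Sid = (Get-ADUser -Identity $Account).SID.Value

# 1. Create the GPO (idempotently) and link it to the servers OU only.
#    Do not touch the Default Domain Policy; SeTcbPrivilege is effectively SYSTEM-level,
#    so the narrower the link scope, the better.
$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) {
    $Gpo = New-GPO -Name $GpoName -Comment 'User rights for the Cygwin sshd service account'
}
New-GPLink -Guid $Gpo.Id -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 2. Write the security template. User Rights Assignment in a GPO REPLACES the local list,
#    it does not merge with it. SeAssignPrimaryTokenPrivilege is held by LOCAL SERVICE
#    (S-1-5-19) and NETWORK SERVICE (S-1-5-20) by default; dropping them would break
#    ordinary Windows services on every server in the OU, so keep them in the list.
$PolicyDir  = "\\$Domain\SYSVOL\$Domain\Policies\{$($Gpo.Id)}"
$SecEditDir = Join-Path $PolicyDir 'Machine\Microsoft\Windows NT\SecEdit'
New-Item -ItemType Directory -Path $SecEditDir -Force | Out-Null

$Template = @(
    '[Unicode]',
    'Unicode=yes',
    '[Version]',
    'signature="$CHICAGO$"',
    'Revision=1',
    '[Privilege Rights]',
    "SeTcbPrivilege = *$Sid",
    "SeCreateTokenPrivilege = *$Sid",
    "SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*$Sid"
)
$Template | Set-Content -Path (Join-Path $SecEditDir 'GptTmpl.inf') -Encoding Unicode

# 3. Tell clients that this GPO carries security settings, and bump the version so
#    machines that already processed the (empty) GPO pick up the change.
#    {827D319E-...} is the Security client-side extension, {803E14A0-...} its
#    Computer Security Settings editor extension; gPCMachineExtensionNames lists both.
$SecurityCse = '[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]'
$GpoObject = Get-ADObject -Identity $Gpo.Path -Properties versionNumber, gPCMachineExtensionNames

$NewVersion = [int]$GpoObject.versionNumber + 1   # computer side is the low 16 bits
$Replace = @{ versionNumber = $NewVersion }
if ($GpoObject.gPCMachineExtensionNames -notlike '*827D319E-6EAC-11D2-A4EA-00C04F79F83A*') {
    $Replace['gPCMachineExtensionNames'] = $SecurityCse
}
Set-ADObject -Identity $Gpo.Path -Replace $Replace

# gpt.ini in SYSVOL must carry the same version number as the AD object.
@('[General]', "Version=$NewVersion") |
    Set-Content -Path (Join-Path $PolicyDir 'gpt.ini') -Encoding ASCII

# 4. Verify on one of the servers after "gpupdate /force":
#    the exported effective policy must list the SID under all three rights.
#      secedit /export /cfg C:\Windows\Temp\rights.inf /areas USER_RIGHTS
#      Select-String -Path C:\Windows\Temp\rights.inf -Pattern 'SeTcbPrivilege|SeCreateTokenPrivilege|SeAssignPrimaryTokenPrivilege'
#    and, once sshd is installed, "gpresult /r /scope computer" should show the GPO
#    under "Applied Group Policy Objects".
```

If the SYSVOL editing feels fragile, the alternative is to create and link the GPO with the first two cmdlets and then set the three rights once by hand in the Group Policy Management Editor under Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignment; the editor does the extension registration and version bump for you, and the verification step at the end of the script is the same either way.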