[GE users] Troubles with Interix and AD

Harald Pollinger Harald.Pollinger at Sun.COM
Mon Jan 28 10:45:57 GMT 2008



Beat Rubischon wrote:
> Hi Harald!
> 
> Thanks for your input - I tried to verify the described behaviour:
> 
> On 26.1.2008 at 22:31, "Harald Pollinger"
> <Harald.Pollinger at Sun.COM> wrote:
> 
>> You shouldn't be able to become a normal Domain user without providing a
>> password.
> 
>> I'm not sure about it, but IIRC the local Administrator can use the
>> security token of a Domain user if it is stored on the local host. This
>> should be the case if the Domain user is logged in to the local host (or
>> was logged in lately, because security tokens are cached on the local host).
> 
> Two test systems, one running W2k3/SUA, the other one XP/SFU, both members
> of an AD domain. Both systems allow the local Administrator to become any
> domain user - whether they were logged in before (brubischon) or never logged
> in at all (prubischon):

Hmm... right, I can reproduce this on a test host. But sometimes this 
isn't possible and then I need to use "login" to become this domain 
user. Weird...
It's well described how Windows handles the access permissions, but it's 
difficult to find information on how Interix uses these functions. But in 
the end it's always necessary to have the right access token, so I 
don't understand how Interix achieves this.


> I checked libs/uti/sge_uidgid.c and it looks like "UNIX alike" setuid() is
> only used in case of windomacc=false. When providing a sgepasswd file the
> function wl_setuser() is used.
> 
> In case I don't find the magic key in the Active Directory, I'll implement
> sgepasswd even though I don't need access to any network resources during
> the job run.

Please keep me informed if you reach any higher enlightenment!

Regards,
Harald

-- 
Sun Microsystems GmbH         Harald Pollinger
Dr.-Leo-Ritter-Str. 7         N1 Grid Engine Engineering
D-93049 Regensburg            Phone: +49 (0)941 3075-209  (x60209)
Germany                       Fax: +49 (0)941 3075-222  (x60222)
http://www.sun.com/gridware
mailto:harald.pollinger at sun.com
Registered office: Sonnenallee 1, D-85551 Kirchheim-Heimstetten
Amtsgericht Muenchen (district court): HRB 161028
Managing directors: Thomas Schroeder, Wolfgang Engels, Dr. Roland Boemer
Chairman of the supervisory board: Martin Haering
