[GE users] Troubles with Interix and AD

Harald Pollinger Harald.Pollinger at Sun.COM
Sat Jan 26 21:31:44 GMT 2008



Hi Beat,

I know this problem. This is because Interix has a double personality.
The Unix part tells it that an Administrator (AKA root) doesn't need a 
password to become a user, but the Windows part knows that this applies 
only to some kinds of users.

As the local Administrator, you should be able to become any local user 
without providing a password. You won't have the permissions to access 
network resources as this user then, but on the local host you can do 
anything as this user.
This is because the local Administrator can create the security tokens 
of all local users for this host.

You can become the Domain Administrator if this is configured somewhere 
in the settings on the Domain controller. The Domain controller creates 
the necessary security token for local Administrators, if configured so.
Because this is a Windows functionality (the Domain controller doesn't 
know you are using Interix on the local host), this security token 
should be created for all users of the "Domain Administrators" group or 
all users with Domain Administrator privileges.

You shouldn't be able to become a normal Domain user without providing a 
password. The bad thing here is that "su" never asks an Administrator 
for a password, so you can't provide it even if you know it. To provide 
a password, you have to use "login".

I'm not sure about it, but IIRC the local Administrator can use the 
security token of a Domain user if it is stored on the local host. This 
should be the case if the Domain user is logged in to the local host (or 
was logged in lately, because security tokens are cached on the local host).

I hope this helps.

Regards,
Harald


Beat Rubischon wrote:
> Hello!
> 
> Last week, I deployed a W2k3 server running SGE in production environment.
> While the system runs OK in my test environment, I have some troubles with
> the Active Directory setup.
> 
> In an Interix shell, as local Administrator, I'm not able to setuid to an
> unprivileged user:
> 
>     $ id
>     uid=197108(LOCAL+Administrator) ...
> 
>     $ su luserl
>     su: setuser: Permission denied
>     Sorry 
> 
> But I'm able to become domain administrator - this works also for some
> privileged users:
> 
>     $ su Administrator
>     $ id
>     uid=1049076(Administrator) ...
> 
> The Grid Engine Execution Daemon isn't happy with this situation, dies away
> and the queue goes into Error state.
> 
> I'm quite sure there is a checkbox in the users dialog of the Active
> Directory management screen which is needed to be able to become such a user
> in a batch environment. Somebody here who has an idea which flag is needed?
> 
> Beat
> 


-- 
Sun Microsystems GmbH         Harald Pollinger
Dr.-Leo-Ritter-Str. 7         N1 Grid Engine Engineering
D-93049 Regensburg            Phone: +49 (0)941 3075-209  (x60209)
Germany                       Fax: +49 (0)941 3075-222  (x60222)
http://www.sun.com/gridware
mailto:harald.pollinger at sun.com
Registered office: Sonnenallee 1, D-85551 Kirchheim-Heimstetten
District court Munich: HRB 161028
Managing directors: Thomas Schroeder, Wolfgang Engels, Dr. Roland Boemer
Chairman of the supervisory board: Martin Haering
