I'm trying to install Cygwin with SSHd on a Windows Server 2008 R2 domain controller. I have installed Cygwin and SSHd several times on other machines, with no issues. Being a domain controller, the cyg_server user is part of the domain. I have enabled SeTcbPrivilege on the Group Policy for Domain Controllers for DOMAIN\cyg_server, but it's somehow not applying.

The output of gpresult /v is:

        GPO: Default Domain Controllers Policy
            Policy:            TcbPrivilege
            Computer Setting:  Administrators
                               DOMAIN\cyg_server
                               DOMAIN\Domain Admins

Running RSoP.msc is consistent with gpresult, and also shows that those groups and the cyg_server user should have TcbPrivilege.

But the output of whoami /priv shows SeTcbPrivilege "Disabled":

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                   State
=============================== ======================================================== ========
<...>
SeTcbPrivilege                  Act as part of the operating system                      Disabled
<...>

I can start the Cygwin SSHd service, but I can only log on as cyg_server. When I try to log on as Administrator, I see this:

urkom@workstation:~$ ssh Administrator@domaincontroller
Administrator@domaincontroller's password: 
Last login: Tue May  7 13:26:29 2013 from 172.1.10.22
/bin/bash: Operation not permitted
Connection to domaincontroller closed.

For reference, here is the relevant line of /etc/passwd:

Administrator:unused:500:513:Administrator,U-DOMAIN\Administrator,S-1-5-21-3835976426-429400520-196227251-500:/home/Administrator:/bin/bash

I'm stuck, so any help would be welcome. Thank you.

UrkoM

2 Answers

Ok, yes, that was quite dumb on my side... :)

The official documentation actually has all the information that you need: http://www.cygwin.com/faq/faq.using.html#faq.using.sshd-in-domain

To make Cygwin SSHd work, I had to add the third permission of that list "Replace a process level token":

Act as part of the operating system (SeTcbPrivilege)
Create a token object               (SeCreateTokenPrivilege)
Replace a process level token       (SeAssignPrimaryTokenPrivilege)

Now SSH login works! Yay!

UrkoM
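As an added check (not from the original question, the answer, or the Cygwin project), the script below reads `whoami /priv` output and reports which of the three privileges listed in the FAQ are not held by the account. Note that `whoami /priv` only lists privileges the token actually holds: a "Disabled" state means granted but not currently enabled, while a privilege that was never granted does not appear at all. The `whoami.exe` path is an assumption about a default Cygwin install.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or the Cygwin project.
# Reads `whoami /priv` output on stdin and reports which of the three
# privileges the Cygwin FAQ requires for sshd in a domain are not held.
# `whoami /priv` only lists privileges the token holds: "Disabled" means
# held but not currently enabled, so it still counts as present; a
# privilege that was never granted does not appear at all.
# Assumed usage from a Cygwin shell running as the sshd service account:
#   /cygdrive/c/Windows/System32/whoami.exe /priv | check_sshd_privs

REQUIRED_PRIVS="SeTcbPrivilege SeCreateTokenPrivilege SeAssignPrimaryTokenPrivilege"

# check_sshd_privs: prints each missing privilege; the exit status is the
# number of missing privileges (0 means all three are held).
check_sshd_privs() {
    output=$(cat)
    missing=0
    for priv in $REQUIRED_PRIVS; do
        # The privilege name starts its line in the whoami table.
        if ! printf '%s\n' "$output" | grep -q "^${priv}[[:space:]]"; then
            printf 'missing: %s\n' "$priv"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample modelled on the question's output: SeTcbPrivilege is
# held (Disabled = granted, not enabled); the other two are absent.
SAMPLE_PRIVS='PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                          State
=============================== ==================================== ========
SeTcbPrivilege                  Act as part of the operating system  Disabled
SeChangeNotifyPrivilege         Bypass traverse checking             Enabled'

if printf '%s\n' "$SAMPLE_PRIVS" | check_sshd_privs; then
    echo "all privileges required by sshd are held"
else
    echo "sshd cannot switch users: $? privilege(s) not held"
fi
```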
When you say "Administrator@domaincontroller", you mean you're trying to perform a logon against the local administrator account on the machine? That will not work on a DC because there is NO local account any more on a DC: you need to perform a logon using the AD administrator.

Stephane
  • No, checking the /etc/passwd file, I see that the Administrator username of Cygwin is linked to the AD Administrator account. I'll edit the question for clarity. – UrkoM May 07 '13 at 07:36