Adding Active Directory Users when the Domain doesn't show up in the CopSSH control panel

Chris.O
Joined: 17.03.2011 - 19:51

I did this on Windows 7 SP1 x64, and it has the following assumptions:

  • your machine is joined to the domain
  • your firewall is properly set up to allow in SSH traffic (TCP port 22)
  • I'm not sure if it matters, but any time I used an elevated command prompt, I specified a domain account I added to the local Administrators group (not domain admin), and not a local admin account.

Directions:

  1. Install CopSSH 4.1.0
  2. Open the CopSSH control panel, and add a local user. Set the preferences for what you'd like the domain users to have.
  3. Exit the Control Panel. From this point, do not EVER open the control panel again, otherwise it'll wipe out anything you do manually. To make sure I don't run it by accident, I zipped it up (in case I needed it later) then deleted the exe.
  4. Start an elevated command prompt
    • cd to the bin directory in the CopSSH program files folder
    • Activate your Active Directory user:
      • copsshadm.exe --command activateuser --user "DOMAIN\username"
  5. In the etc directory, edit the file sshd_config with Notepad++, or some other editor that's friendly with UNIX formatted files
    • You'll see an entry that starts with Match User. This was created for the local user you activated in step 2. Copy that entire section (the Match User line through the MaxSessions line), and paste it directly below it.
    • change the local username to be the domain username you activated in step 4 (just put the username, do not put the domain).
    • Save the file
  6. Go to the Windows Services MMC Console, and restart the Openssh SSHD service
  7. You should now be able to SSH into your Windows machine
  8. If you want to allow public key authentication:
    • in the sshd_config file, set PubkeyAuthentication to yes
    • make sure your public key file is in OpenSSH format (not Putty formatted) and is named authorized_keys
    • copy this file to the .ssh directory for the home folder for your Active Directory user in the CopSSH program files directory

Here's why I had to do this:

  • When I used the CopSSH control panel to try to activate a domain user, the Domain field never showed the Active Directory domain (only the local machine).
  • When I manually modified the copsshcp.config file and added the domain user, the user would properly show up in the Control Panel, but still not allow logins.
    • Also after you manually add a domain user, any time you try to open the Control Panel, it appears to try to rebuild the group and passwd files by querying Active Directory. Our AD has 100,000+ users and several thousand groups. Having this app query for all users and groups (to rebuild these files) every time you open it or make a change is probably why it's not working right for me.
  • To fix this issue, I'm guessing that the devs will need to update the app to only query for specific usernames or groups, and not pull all user and group info from Active Directory as it currently does (or maybe leave this as default, but have a large domain option).
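The sshd_config edit in step 5 (clone the control panel's Match User block for the domain account, bare username only) and the PubkeyAuthentication change from step 8, as an added example that is not part of this post or of CopSSH. The sample config, the local username and the install path are constructed assumptions; the script is idempotent, so re-running it after the domain user already has a block changes nothing, and it writes the file with UNIX line endings so sshd parses it as the post's editor advice intends.

```python
"""Duplicate a CopSSH 'Match User' block in sshd_config for a domain account.

Added example, not part of the forum thread or of CopSSH. It automates
step 5 of the post above: copy the Match User section the control panel
generated for the local user (Match line through MaxSessions) and append a
copy for the domain user, using only the bare username. Optionally it also
sets the global PubkeyAuthentication to yes (step 8).
"""
import re
from pathlib import Path

# Placeholder path; point it at <CopSSH install dir>\etc\sshd_config.
CONFIG_PATH = Path(r"C:\PATH\TO\CopSSH\etc\sshd_config")

# Constructed sample modelled on the layout the post describes: a global
# section followed by the per-user block the control panel generated.
SAMPLE_SSHD_CONFIG = """\
Port 22
PubkeyAuthentication no
PasswordAuthentication yes

Match User localsvc
    AllowTcpForwarding no
    PasswordAuthentication yes
    MaxSessions 10
"""

MATCH_USER = re.compile(r"^\s*Match\s+User\s+(\S+)\s*$", re.IGNORECASE)


def bare_username(account: str) -> str:
    """Strip a DOMAIN\\ or user@domain qualifier; Match User wants the bare name."""
    if "\\" in account:
        account = account.rsplit("\\", 1)[1]
    if "@" in account:
        account = account.split("@", 1)[0]
    return account


def find_match_block(lines, user):
    """Return (start, end) of the 'Match User <user>' block, end inclusive.

    The block runs from the Match line to the MaxSessions line, as the
    control panel writes it. Returns None when no such block exists.
    """
    for i, line in enumerate(lines):
        m = MATCH_USER.match(line)
        if m and m.group(1).lower() == user.lower():
            for j in range(i + 1, len(lines)):
                if lines[j].strip().lower().startswith("maxsessions"):
                    return i, j
                if MATCH_USER.match(lines[j]):
                    break  # next block started before a MaxSessions line
            raise ValueError(f"Match User {user} block has no MaxSessions line")
    return None


def set_pubkey_auth(lines):
    """Set the global PubkeyAuthentication to yes, above the first Match block."""
    first_match = next((i for i, l in enumerate(lines)
                        if l.strip().lower().startswith("match ")), len(lines))
    for i in range(first_match):
        if lines[i].strip().lower().startswith("pubkeyauthentication"):
            lines[i] = "PubkeyAuthentication yes"
            return lines
    lines.insert(first_match, "PubkeyAuthentication yes")
    return lines


def add_domain_user(config_text: str, local_user: str, domain_account: str,
                    pubkey: bool = False) -> str:
    """Append a Match block for the domain user, cloned from the local user's."""
    lines = config_text.splitlines()
    user = bare_username(domain_account)
    if find_match_block(lines, user) is None:
        span = find_match_block(lines, local_user)
        if span is None:
            raise ValueError(f"no Match User {local_user} block to clone")
        start, end = span
        block = lines[start:end + 1]
        block[0] = re.sub(r"(?i)(Match\s+User\s+)\S+",
                          lambda m: m.group(1) + user, block[0])
        # Paste the copy directly below the original block, as the post says.
        lines[end + 1:end + 1] = [""] + block
    if pubkey:
        lines = set_pubkey_auth(lines)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Demo on the constructed sample; for the real file read CONFIG_PATH and
    # write it back with newline="\n" to keep UNIX line endings.
    print(add_domain_user(SAMPLE_SSHD_CONFIG, "localsvc", r"CORP\jdoe", pubkey=True))
    # CONFIG_PATH.write_text(add_domain_user(CONFIG_PATH.read_text(),
    #     "localsvc", r"CORP\jdoe", pubkey=True), newline="\n")
```

Restart the sshd service afterwards (step 6); the script only rewrites the text. Because the Match block is copied verbatim, the domain user inherits exactly the per-user settings the control panel chose for the local user, which is worth reviewing before relying on it.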
itefix
Joined: 01.05.2008 - 21:33

Thanks for your feedback. First of all, I didn't develop Copssh Control Panel to create a road block as you describe. The last version of Copssh Control Panel does indeed what you suggest: It gets user name directly without running a domain lookup. From release notes for 4.1.0:

It's been observed that auto-populating the user list from domains with many users is very time consuming and leads to hangs and problems. User Activation Wizard in the Control Panel uses now a text entry field for domain users or if the local host is a domain controller. Auto-populated user list is still the preferred way to select local users on hosts which are not domain controllers.

But there is a catch: Copssh Control Panel uses domain name cache to populate the list of available domains from the registry entry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DomainCache. Can you login with a domain account on your Copssh machine and check if the entry above is populated ? I suspect that building that cache requires at least one domain login.

bitaxis
Joined: 23.03.2011 - 19:36
Same issue

Hello.  I have the exact same issue as Chris O.

I am running CopSSH on a Windows Server 2008 R2 machine. It is associated with a domain. But when I use the UI to activate a user, I do not see a text field whereby I can type in a domain name. I checked the registry, and there is no DomainCache key as you described. I even created one manually and populated it with entries, but that still did not work.

itefix
Joined: 01.05.2008 - 21:33

Ok. thanks for your feedback. Time to come up with a fix, I suppose.

Sminster
Joined: 18.06.2011 - 06:29
Same issue here

I have just installed v4.1 on a windows 2008 r2 member server with the same results as bitaxis. The control panel does not let me manually type in account names. The only names available are from the autopopulated drop down list, and those are local to the machine. Does CopSSH need to be installed on a DC in order to be able to manually type in accounts? TK, thank you for the time you have put into this project as it has already helped me accomplish some of my needs. Any update on the status of this bug would be much appreciated. Keep up the good work!

sjalexander
Joined: 01.11.2011 - 16:49
same issue here

I have the same problem. I think this thread is relevant to the problem we're seeing:
https://social.technet.microsoft.com:443/Forums/en-US/itprovistanetworking/thread/9d339473-e95d-43b2-86fa-94768b109f53/

Note that in that thread is a link to a Microsoft article with code samples (in VB, but better than nothing) on other ways to get domain info via WMI: https://msdn.microsoft.com/en-us/library/aa394586.aspx

I'm observing the same problem on Windows 2008 Server. I'm sure it's also the case with Windows 7. I do not have the problem on XP.

Thanks,

Stephen

itefix
Joined: 01.05.2008 - 21:33
The latest version of the Control panel (2.1.2.5) allows you to enter domain name directly instead of selecting from a pre-populated list.

sjalexander
Joined: 01.11.2011 - 16:49
Thanks! I realized I had an older version about 5 minutes after I posted that.
