sshd service fails to start unless I add "NT SERVICE\sshd" to "Log on as a service" policy #846
Comments
Thank you. We'll modify the installation script to explicitly add that privilege to sshd service account. So far, we have seen it getting that privilege automatically assigned.
How was this possible? Isn't
From my testing I believe this was only absolutely required (service won't launch) for Win7 and maybe Nano?
"NT SERVICE\ALL SERVICES" was not assigned to that policy. I do not know how or why, I do not manage the OS. :)
So that right was probably removed by an Active Directory managed policy? If so, won't it also remove the right from the ssh account at the next synchronization? I think you should work that out with the system administrator and tell us what is happening, because it feels odd to have the openssh installer assigning the right by itself when that should have been taken care of by the system out-of-the-box.
So far the policy still stands and all is working fine. Whatever removed "NT SERVICE\ALL SERVICES" may have been a one time event or human error. I don't know (yet) if it is possible, but perhaps the 'nicest' way to handle this is to check if "NT SERVICE\ALL SERVICES" is assigned to the policy and, if not, add NT SERVICE\sshd. That way the policy doesn't become cluttered and in case of fringe cases like mine, sshd still works if installed.
@Andrei-Paul - a little snooping shows that some organizations might be managing this policy with group policy and when they do so, they may have to add "NT SERVICE\ALL SERVICES" explicitly (e.g. https://www.codykonior.com/2015/11/16/rebuilding-the-log-on-as-a-service-list-after-it-has-been-overwritten-by-group-policy/). However, if this is the case - then whatever you put in there will keep getting removed. You might want to check your machine's resultant set of policies (when domain joined) with the command:
"OpenSSH for Windows" version
0.0.18.0
Server OperatingSystem
Windows Server 2008 R2 Standard
What is failing
SSHD Service would not start:
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: SSHD
Account Domain: NT SERVICE
Failure Information:
Failure Reason: The user has not been granted the requested logon type at this machine.
Status: 0xc000015b
Sub Status: 0x0
After manually adding NT SERVICE\sshd to policy "Log on as a service", the service was able to start.
"Replace a process level token" policy already contained "NT SERVICE\sshd"; this and the failure reason above gave me the idea to perform the step above.
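
The check proposed in the comments above (is "NT SERVICE\ALL SERVICES" in "Log on as a service", and if not, is NT SERVICE\sshd listed explicitly?), as an added example that is not part of the issue or the project's installer. It assumes the policy text comes from `secedit /export /cfg rights.inf /areas USER_RIGHTS`; the sample exports and the `svc_backup` account are constructed, and the function names are hypothetical.

```python
import hashlib
import struct

ALL_SERVICES_SID = "S-1-5-80-0"  # well-known SID of NT SERVICE\ALL SERVICES

def service_sid(service_name: str) -> str:
    """Per-service SID: SHA-1 of the upper-cased UTF-16LE service name,
    read as five little-endian 32-bit sub-authorities under S-1-5-80."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(n) for n in struct.unpack("<5I", digest))

def holders(inf_text: str, right: str) -> set:
    """Principals listed for one user right in a secedit export.
    SIDs are written as *S-1-...; unresolved accounts appear as plain names."""
    for line in inf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == right.lower():
            return {v.strip().lstrip("*").upper() for v in value.split(",") if v.strip()}
    return set()

def can_log_on_as_service(inf_text: str, service_name: str) -> tuple:
    """Return (allowed, reason) for the service's virtual account."""
    granted = holders(inf_text, "SeServiceLogonRight")
    if ALL_SERVICES_SID in granted or "NT SERVICE\\ALL SERVICES" in granted:
        return True, "covered by NT SERVICE\\ALL SERVICES"
    own = {service_sid(service_name), ("NT SERVICE\\" + service_name).upper()}
    if own & granted:
        return True, "granted explicitly"
    return False, "missing"

# Constructed sample: the state reported in this issue. "Replace a process
# level token" lists sshd, but "Log on as a service" lists neither sshd nor
# ALL SERVICES (svc_backup is a made-up account).
SAMPLE_OVERWRITTEN = (
    "[Privilege Rights]\n"
    "SeServiceLogonRight = *S-1-5-20,svc_backup\n"
    "SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*" + service_sid("sshd") + "\n"
)
# Constructed sample: a policy that still contains ALL SERVICES.
SAMPLE_DEFAULT = "[Privilege Rights]\nSeServiceLogonRight = *S-1-5-20,*S-1-5-80-0\n"

if __name__ == "__main__":
    for name, text in (("overwritten", SAMPLE_OVERWRITTEN), ("default", SAMPLE_DEFAULT)):
        print(name, can_log_on_as_service(text, "sshd"))
```

secedit writes its export as UTF-16, so read a real file with `open(path, encoding="utf-16")`. If the right is delivered by group policy, a local grant found this way can still be overwritten at the next policy refresh, as noted in the comments.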