sshd service fails to start unless I add "NT SERVICE\sshd" to "Log on as a service" policy #846

Closed
Andrei-Paul opened this issue Aug 15, 2017 · 7 comments

Andrei-Paul commented Aug 15, 2017

"OpenSSH for Windows" version
0.0.18.0

Server OperatingSystem
Windows Server 2008 R2 Standard

What is failing
SSHD Service would not start:
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: SSHD
Account Domain: NT SERVICE

Failure Information:
Failure Reason: The user has not been granted the requested logon type at this machine.
Status: 0xc000015b
Sub Status: 0x0

After manually adding NT SERVICE\sshd to policy "Log on as a service", the service was able to start.

"Replace a process level token" policy already contained "NT SERVICE\sshd", this and the Failure reason above gave me the idea to perform the step above.

@manojampalam
Contributor

Thank you. We'll modify the installation script to explicitly add that privilege to sshd service account. So far, we have seen it getting that privilege automatically assigned.

@manojampalam manojampalam added this to the Aug-Mid milestone Aug 15, 2017
manojampalam added a commit to PowerShell/openssh-portable that referenced this issue Aug 17, 2017

rgl commented Aug 21, 2017

How was this possible? Isn't NT SERVICE\ALL SERVICES in your local policy "Log on as a service" account right? Isn't this the whole reason for Windows to have NT SERVICE\* accounts (aka isolated services)?

@DarwinJS

From my testing I believe this was only absolutely required (service won't launch) for Win7 and maybe Nano?

@Andrei-Paul
Author

"NT SERVICE\ALL SERVICES" was not assigned to that policy. I do not know how or why, I do not manage the OS. :)

rgl commented Aug 28, 2017

So that right was probably removed by an Active Directory managed policy? If so, won't it also remove the right from the ssh account at the next synchronization?

I think you should work that out with the system administrator and tell us what is happening, because it feels odd to have the openssh installer assigning the right by itself when that should have been taken care of by the system out-of-the-box.

Andrei-Paul commented Sep 11, 2017

So far the policy still stands and all is working fine. Whatever removed "NT SERVICE\ALL SERVICES" may have been a one-time event or human error.

I don't know (yet) if it is possible, but perhaps the 'nicest' way to handle this is to check if "NT SERVICE\ALL SERVICES" is assigned to the policy and, if not, add NT SERVICE\sshd.

That way the policy doesn't become cluttered and in case of fringe cases like mine, sshd still works if installed.

@DarwinJS

@Andrei-Paul - a little snooping shows that some organizations might be managing this policy with group policy and when they do so, they may have to add "NT SERVICE\ALL SERVICES" explicitly: (e.g. https://www.codykonior.com/2015/11/16/rebuilding-the-log-on-as-a-service-list-after-it-has-been-overwritten-by-group-policy/)

However, if this is the case - then whatever you put in there will keep getting removed.

You might want to check your machine's resultant set of policies (when domain joined) with the command:

gpresult /H GPreport.html
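
The check Andrei-Paul proposes in the thread, as an added read-only example that is not part of the original discussion or the project's install script: it exports the user-rights assignment with `secedit` and reports whether `SeServiceLogonRight` ("Log on as a service") contains NT SERVICE\ALL SERVICES (well-known SID S-1-5-80-0) or the sshd service SID. It assumes an elevated PowerShell prompt and an already registered sshd service; the variable names and the `ConvertTo-Sid` helper are illustrative.

```powershell
# Added example: read-only audit of "Log on as a service" (SeServiceLogonRight).
# Assumes an elevated prompt and that the service below is already registered.
$ServiceName    = 'sshd'          # service from this issue
$AllServicesSid = 'S-1-5-80-0'    # well-known SID of NT SERVICE\ALL SERVICES

function ConvertTo-Sid([string]$Entry) {   # illustrative helper name
    # secedit writes SIDs as "*S-1-..." and some principals as plain names.
    $e = $Entry.Trim().TrimStart('*')
    if ($e -like 'S-1-*') { return $e }
    try {
        $acct = New-Object System.Security.Principal.NTAccount($e)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $e                 # unresolvable name: keep it for the report
    }
}

# Export only the user-rights area to a temporary file and pull out one line.
$cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
try {
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'secedit export failed (is the prompt elevated?)' }
    $line = Get-Content -Path $cfg |
        Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' } |
        Select-Object -First 1
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

# Normalise every principal on the line to a SID string.
$granted = @()
if ($line) {
    $granted = @(($line -split '=', 2)[1] -split ',' |
        Where-Object { $_.Trim() } |
        ForEach-Object { ConvertTo-Sid $_ })
}

$serviceSid  = ConvertTo-Sid "NT SERVICE\$ServiceName"
$viaAll      = $granted -contains $AllServicesSid
$viaExplicit = $granted -contains $serviceSid

New-Object PSObject -Property @{
    Service                 = $ServiceName
    ServiceSid              = $serviceSid
    AllServicesHasRight     = $viaAll
    ServiceHasExplicitRight = $viaExplicit
    ExplicitGrantNeeded     = -not ($viaAll -or $viaExplicit)
}
```

Comparing the output before and after a Group Policy refresh shows whether a domain policy is rewriting the list, the case raised in the thread.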
