PrincipalDomain needs to be changed to enable non-admin local users to do RSH on a member server

Recently we got an issue reported where non-admin local users were unable to do RSH from a member server.

Below are our observations based on our testing:

  1. As per our testing on lab machines, we found that the issue occurred when we were logged in as a non-admin local account.
  2. The error message was “rcmd: unknown user: localusr”.
  3. Reinstalling the SUA SDK on the member server did not resolve the issue.
  4. Also, we were able to do an ‘rsh’ while logged in as the local administrator account.
  5. If we took the machine out of the domain, the local non-admin users had no issue doing ‘rsh’.
  6. With further research, we found that the issue was with the “PrincipalDomain” that was set for SUA.
  7. Running the pdomain command from the Korn shell gave the “PrincipalDomain” name. This was set to the domain name on the member server.
  8. Hence, because SUA was looking the user up in that domain, rsh was working when we ran the command as a domain user and failing for the local account.
  9. So, as a first step, we created a user with the same name (as the local account) in the domain. Now we got a different error while running the rsh command: "Operation not permitted”.
  10. Hence we changed the “PrincipalDomain” that was set for SUA, and this resolved the issue.


Steps to change the “PrincipalDomain” for SUA (Resolution):

  • Open regedit
  • Browse to the location HKLM\Software\Microsoft\SUA
  • Create a new String Value and name it PrincipalDomain
  • Edit the value and set it to the hostname of the local machine
  • Reboot the machine
  • Once the box is rebooted, log in with the non-admin local account
  • Open the Korn shell (ksh -l) and run the pdomain command
  • It should show the hostname of the machine instead of the domain name.
  • Now run the rsh command. This should work.

BTW, making this change will not affect running the rsh command as a domain user.
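The same registry change as a PowerShell script, so it can be applied consistently across several member servers and verified before the reboot. This is an added example and not part of the original post: the key path and value name are the ones given above, the value written is the local hostname taken from the COMPUTERNAME environment variable, and the backup file location is my own choice. It must run from an elevated PowerShell session because it writes under HKLM.

```powershell
# Added example (not from the original post): create or update the SUA
# PrincipalDomain value so that local, non-admin accounts resolve for rsh
# on a domain-joined member server. Run from an elevated PowerShell session.
# Assumptions: key path and value name are from the post; the backup file
# name under %TEMP% is my own choice.

$KeyPath   = 'HKLM:\Software\Microsoft\SUA'
$ValueName = 'PrincipalDomain'
$NewValue  = $env:COMPUTERNAME   # hostname of the local machine

# Export the key first so the change can be reverted if something breaks.
$backup = Join-Path $env:TEMP 'SUA-PrincipalDomain-backup.reg'
reg export 'HKLM\Software\Microsoft\SUA' $backup /y | Out-Null
Write-Host "Backed up $KeyPath to $backup"

# Show what is configured today. When the value is absent, SUA falls back
# to the domain name, which is what pdomain reported in the post.
$current = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($current) {
    Write-Host "Current ${ValueName}: $($current.$ValueName)"
} else {
    Write-Host "$ValueName is not set; SUA is using the domain name"
}

# Create the REG_SZ value, or overwrite it if it already exists.
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType String `
                 -Value $NewValue -Force | Out-Null

# Read it back and fail loudly if the write did not take effect.
$after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($after -ne $NewValue) {
    throw "Failed to set ${ValueName}: read back '$after', expected '$NewValue'"
}
Write-Host "$ValueName now set to '$after'. Reboot, then run 'pdomain' from 'ksh -l' to confirm."
```

The script exports the SUA key before touching it, so an operator can restore the previous state with `reg import` if rsh as a domain user behaves differently than expected after the reboot; the read-back check is there because a silent failure (for example, running without elevation) would otherwise only show up as the same "unknown user" error after the restart.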