This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: occasional failure to look up


On Nov 18 17:54, Corinna Vinschen wrote:
> On Nov 18 16:26, Habermann, David (D) wrote:
> > The problem here is the abbreviation in both cases.  What I was looking
> > for is if your user uid/SID shows up in the token group list as well.
> > I don't need the full list, but can you please check?
> > 
> > 1125370 does not occur anywhere else in the ID output (only as UID).
> > U074036 also does not appear anywhere else in the ID output (only as
> > UID).
> 
> Ok, that's more or less what I expected...
> 
> > 1125370 does not appear anywhere in the whoami output.  However,
> > u074036 does appear twice in the whoami output.  I've included both
> > below. 
> > 
> > User Name: dow\u074036
> > SID:       S-1-5-21-1060284298-861567501-682003330-76794
> > 
> > Group Name: DOW\U074036
> > Type:       User
> > SID:        S-1-5-21-4015118-2039090470-1726288727-4013
> > Attributes: Mandatory group, Enabled by default, Enabled group
> 
> ...and this too.  It explains the problem at least partially.
> 
> But... there's something weird here:  While this is both times the same
> DOMAIN\user combination, it has two different SIDs.  I never, ever saw
> that.  It looks broken to me, but I could be missing something.

Yes, I'm missing something:  SID history.  This "group" is you, but from
another domain your account has been migrated from.  It seems the Cygwin
code isn't prepared for this situation.

The problem is, I can't test it myself.  ADSI Edit doesn't allow writing
a SID to the sIDHistory attribute, even using an enterprise admin
account.

What we could do in Cygwin is to ignore user accounts in the group list
of an existing token.  One downside would be the fact that your POSIX
permissions would probably be wrong, if you access a file on an old file
server still using your old SID.

OTOH, in theory, if the migration has been done long ago, and all old
file servers have gone, too, it would be a good idea from a security
perspective to remove the SID history from your AD entry.

Still, some debugging on affected systems might be enlightening.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

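The symptom discussed in this thread (the token's group list holds an entry named like the logged-on user but carrying a different SID, i.e. the pre-migration SID kept in sIDHistory) can be spotted from `whoami /all /fo list` output without touching the Cygwin code. The script below is an added example, not code from the thread or from the Cygwin project; it assumes the label/value record format quoted in the mail, and the sample text is constructed (the two user SIDs are the ones quoted above, the "Domain Users" entry is made up). It also applies the workaround floated in the mail, dropping entries of type User from the group list, so the historical SID is not treated as a group.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in `whoami /all /fo list` style, modelled on the
# excerpt quoted in the thread.  Backslashes are doubled because \u and \U
# would otherwise be parsed as unicode escapes.
SAMPLE = """\
User Name: dow\\u074036
SID:       S-1-5-21-1060284298-861567501-682003330-76794

Group Name: DOW\\Domain Users
Type:       Group
SID:        S-1-5-21-1060284298-861567501-682003330-513
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: DOW\\U074036
Type:       User
SID:        S-1-5-21-4015118-2039090470-1726288727-4013
Attributes: Mandatory group, Enabled by default, Enabled group
"""

# "Label:   value" lines; the label may contain a space ("User Name").
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_whoami_list(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Split list-format whoami output into the user record and the group records.
    Records are separated by blank lines; each line is one label/value pair."""
    user: Dict[str, str] = {}
    groups: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record: Dict[str, str] = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                record[m.group(1)] = m.group(2)
        if "User Name" in record:
            user = record
        elif "Group Name" in record:
            groups.append(record)
    return user, groups


def sid_history_candidates(user: Dict[str, str],
                           groups: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Group entries that carry the user's own DOMAIN\\name but a different SID.
    Windows account names are case-insensitive, so compare with casefold();
    a match with a foreign SID is exactly the sIDHistory situation in the mail."""
    name = user["User Name"].casefold()
    return [g for g in groups
            if g["Group Name"].casefold() == name and g["SID"] != user["SID"]]


def drop_user_accounts(groups: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The workaround proposed in the mail: ignore entries of type User in the
    token group list so a historical user SID is never treated as a group."""
    return [g for g in groups if g.get("Type") != "User"]


def own_sid_in_group_list(user: Dict[str, str],
                          groups: List[Dict[str, str]]) -> bool:
    """Whether the user's current SID also appears among the token groups
    (it does not in the output quoted in the thread)."""
    return any(g["SID"] == user["SID"] for g in groups)


if __name__ == "__main__":
    user, groups = parse_whoami_list(SAMPLE)
    for g in sid_history_candidates(user, groups):
        print(f"possible sIDHistory entry: {g['Group Name']} -> {g['SID']}")
    print("own SID listed as group:", own_sid_in_group_list(user, groups))
    print("groups after dropping User entries:",
          [g["Group Name"] for g in drop_user_accounts(groups)])
```

On a live machine, feed the script `whoami /all /fo list` output instead of `SAMPLE`; a non-empty candidate list is the cue to look at the account's sIDHistory attribute in AD, which is where the second SID comes from.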

