This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: gid doesn't display correctly on SAMBA share using AD



On 02/25/2015 12:34 PM, Corinna Vinschen wrote:
> On Feb 25 12:26, Len Giambrone wrote:
>> On 02/25/2015 12:20 PM, Corinna Vinschen wrote:
>>> On Feb 25 11:51, Len Giambrone wrote:
>>>> On 02/25/2015 11:18 AM, Corinna Vinschen wrote:
>>>>> On Feb 25 11:01, Len Giambrone wrote:
>>>>>> [...]
>>>>>> The username displays correctly, but the group name does not:
>>>>>>
>>>>>> $ ls -la foo
>>>>>> -rw-rw-r-- 1 build Unix_Group+999 0 Feb 25 10:52 foo
>>>>>>
>>>>>> And this is confirmed by running getent:
>>>>>>
>>>>>> $ getent passwd build
>>>>>> build:*:1065765:1049089:U-ISCINTERNAL\build,S-1-5-21-112145844-1872675854-1690816760-17189:/home/build:/bin/bash
>>>>>>
>>>>>> $ getent passwd group
>>>>>>
>>>>>> I've read
>>>>>> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-gecos
>>>>>> 'til I'm blue in the face, and I think this should work.
>>>>>> What am I missing?  How can I debug?
>>>>> If your admin changed your user account to have a gidNumber 999 only,
>>>>> then that won't help.  Consider:  Cygwin tries to find a group with
>>>>> gidNumber set to 999.  How is it supposed to evaluate the right
>>>>> gidNumber value from some arbitrary user account?
>>>>>
>>>>> What Cygwin needs to get the right connection between a Windows group
>>>>> and a gidNumber value is that the *group* entry in AD itself has the
>>>>> gidNumber set to the right value.
>>>>>
>>>>> I don't know if that's really the problem in your case, but that seems
>>>>> the most likely.
>>>>>
>>>>> Please report back.  I'm excited that I'm not the only one interested
>>>>> in getting this connection between unix and windows ids working :)
>>>> It worked.  :)  Now I just have to persuade my admin to populate uidNumber
>>>> and gidNumber for all our current and new users...
>>> I'm glad to read that.  Thanks for your feedback!
>> If I can't get my admin to cooperate, then I have to resort to using
>> mkpasswd/mkgroup -U.  But this gives output like this:
>>
>> $ ls -la foo
>> -rw-rw-r-- 1 Unix_User+build Unix_Group+releng 0 Feb 25 10:52 foo
>>
>> Is that expected? (The Unix_User+/Unix_Group+ prefix).
> Yes, that's expected.  After all, they are users different from your
> Windows account, see the SIDs.

That's what I thought.

>    If you don't want the prefix, you can
> still override this by manually dropping the prefixes, along the lines
> of what you could already do in the former implementation.  Should be a
> last resort, of course.

I actually tried that; I removed the Unix_User/Group+ prefix from the passwd entry to see if it worked.
It did, but then I couldn't ssh in as that user:

build@wx64lg /etc
$ cat /etc/passwd
lgiambro:*:4278246287:99999:,S-1-22-1-56207::

build@wx64lg /etc
$ cat /etc/group
releng:S-1-22-2-999:4278191079:


lgiambro@ubuntu ~/perforce/dev/latest/build/tools
$ ssh -o PubkeyAuthentication=no wx64lg
lgiambro@wx64lg's password:
Connection to wx64lg closed by remote host.
Connection to wx64lg closed.


>    The other, better way not restricted to Cygwin
> is to install Samba's winbind.

We are running winbind.

>    It just doesn't help for existing UNIX
> accounts, afaics.


I don't know how winbind works. If it doesn't work with existing UNIX accounts, then when _would_ it have an effect?

> Corinna


--
-Len

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
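
Added example, not part of the original message and not Cygwin's own code: a Python check that the uid/gid in hand-edited Cygwin /etc/passwd and /etc/group lines agrees with the Samba Unix SID (S-1-22-1-N for users, S-1-22-2-N for groups) carried in the same entry, and that each primary gid has a group line. The 0xff000000 offset is assumed from the Cygwin ntsec documentation and matches the values quoted in the thread; the function names are hypothetical, and the sample input is the two entries shown in the message above.

```python
import re

# Assumption: offset per the Cygwin ntsec documentation; it matches the thread's values.
UNIX_ID_BASE = 0xFF000000
UNIX_SID = re.compile(r"^S-1-22-([12])-(\d+)$")

# The two entries quoted in the message above.
PASSWD_FROM_THREAD = "lgiambro:*:4278246287:99999:,S-1-22-1-56207::"
GROUP_FROM_THREAD = "releng:S-1-22-2-999:4278191079:"


def expected_id(sid):
    """Return (kind, id) for a Samba Unix SID, or None for any other SID."""
    m = UNIX_SID.match(sid)
    if m is None:
        return None
    kind = "user" if m.group(1) == "1" else "group"
    return kind, UNIX_ID_BASE + int(m.group(2))


def audit(passwd_text, group_text):
    """Hypothetical helper: list inconsistencies between the two files."""
    findings, gids = [], set()
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) < 3 or not f[2].isdigit():
            continue  # skip blank or malformed lines
        name, sid, gid = f[0], f[1], int(f[2])
        gids.add(gid)
        exp = expected_id(sid)
        if exp is not None and exp != ("group", gid):
            findings.append(f"group {name}: gid {gid} does not match {sid} (expected {exp[1]})")
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) < 5 or not (f[2].isdigit() and f[3].isdigit()):
            continue
        name, uid, gid = f[0], int(f[2]), int(f[3])
        # Cygwin stores the SID as a comma-separated field of the gecos entry.
        sid = next((p for p in f[4].split(",") if p.startswith("S-1-")), "")
        exp = expected_id(sid)
        if exp is not None and exp != ("user", uid):
            findings.append(f"passwd {name}: uid {uid} does not match {sid} (expected {exp[1]})")
        if gid not in gids:
            findings.append(f"passwd {name}: primary gid {gid} not found in group file")
    return findings


if __name__ == "__main__":
    for finding in audit(PASSWD_FROM_THREAD, GROUP_FROM_THREAD):
        print(finding)
```

On the thread's entries both SIDs agree with their ids, and the one finding is that primary gid 99999 has no line in the group file; the check reports that fact only and does not establish why the ssh session was closed.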

