This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

I'm confused, ... domain vs. local account mappings (why diffs, how to control mappings?)





For various reasons (config changes, upgrading to newer version of samba, phase of the moon, dumb-luck/random chance, after a latest round of samba-setup config auditing (amongst other things), I'm no longer getting "device attached to sys not functioning"

(originally reported http://cygwin.com/ml/cygwin/2010-07/msg00289.html)

Now I get output that I'm not exactly sure how to interpret.

--- first local, which by itself seems almost normal):
(I split long lines and indented the continuations, also sub'ed
the long sys-uniq# with 11111-22222-11111 for my local sys.
I use a different ## for my domain further on, down, below.
(I also sorted them by UID)

# mkpasswd -l:
SYSTEM:*:18:544:,S-1-5-18::
LocalService:*:19:544:U-NT AUTHORITY\LocalService,S-1-5-19::
NetworkService:*:20:544:U-NT AUTHORITY\NetworkService,S-1-5-20::
Guest:unused:501:513:U-athenae\Guest,\
   S-1-5-21-11111-22222-11111-501:/home/Guest:/bin/bash
root:unused:500:513:Athenae Admin,U-athenae\root,\
   S-1-5-21-11111-22222-11111-500:/home/root:/bin/bash
Administrators:*:544:544:,S-1-5-32-544::
law:unused:1001:513:L A Walsh,U-athenae\law,\
   S-1-5-21-11111-22222-11111-1001:/home/law:/bin/bash


# mkgroup -l SYSTEM:S-1-5-18:18: None:S-1-5-21-11111-22222-11111-513:513: Administrators:S-1-5-32-544:544: Users:S-1-5-32-545:545: Guests:S-1-5-32-546:546: Power Users:S-1-5-32-547:547: Backup Operators:S-1-5-32-551:551: Replicator:S-1-5-32-552:552: Remote Desktop Users:S-1-5-32-555:555: Network Configuration Operators:S-1-5-32-556:556: Performance Monitor Users:S-1-5-32-558:558: Performance Log Users:S-1-5-32-559:559: Distributed COM Users:S-1-5-32-562:562: IIS_IUSRS:S-1-5-32-568:568: Cryptographic Operators:S-1-5-32-569:569: Event Log Readers:S-1-5-32-573:573: lawgroup:S-1-5-21-11111-22222-11111-1005:1005: --- so above looks ok, -- several builtin entries, and some added local entries.

Now the Domain entries:

# mkpasswd -D:
BLISS\root:unused:10500:10513:root,U-BLISS\root,
   S-1-5-21-33333-77777-33333-500://BLISS/root:/bin/bash
BLISS\law:unused:90026:71008:L A Walsh,U-BLISS\law,\
   S-1-5-21-33333-77777-33333-80026://BLISS/law:/bin/bash

#mkgroup -D:
SYSTEM:S-1-5-18:18:
Print Operators:S-1-5-32-550:550:
Replicator:S-1-5-32-552:552:
Administrators:S-1-5-32-544:544:
Users:S-1-5-32-545:545:
Guests:S-1-5-32-546:546:
Power Users:S-1-5-32-547:547:
Account Operators:S-1-5-32-548:548:
Server Operators:S-1-5-32-549:549:
Backup Operators:S-1-5-32-551:551:
RAS Servers:S-1-5-32-553:553:
BLISS\Domain Admins:S-1-5-21-33333-77777-33333-512:10512:
BLISS\Domain Controllers:S-1-5-21-33333-77777-33333-516:10516:
BLISS\Juno:S-1-5-21-33333-77777-33333-1462:11005:
BLISS\media:S-1-5-21-33333-77777-33333-1017:11017:
BUILTIN\Backup Operators:S-1-5-32-551:11018:
BLISS\man:S-1-5-21-33333-77777-33333-1028:11028:
BLISS\Trusted Local Net Users:S-1-5-21-33333-77777-33333-50002:60002:
BLISS\lawgroup:S-1-5-21-33333-77777-33333-61008:71008:
BLISS\scan:S-1-5-21-33333-77777-33333-70464:80464:



Comments:
1) local user 'law', 'root' and 'guest' are all in '513'
Sid  "S-1-5-21----513" is a "well known sid" for 'Domain Users'
(why it shows up as a group labeled 'non' with my local
computers id in the computer part, is confusing.

2) 'law' is in 'lawgroup' (one good thing!)
But Domain user 'root' is in group 10513, which is sorta 'broken'
like the local users mapping to 513. It probably should have
mapped to '10512'?


3) Why 2 Backup Operators? -- Backup Operators mapping
correctly from Sid S---551->551.
  but 'builtin\backup operators, (also 512, mapping to a different
domain-mapped UID on the local machine).

I do have Domain Admins, -512, but they aren't being mapped
to the correct local GID of '512'...
Same goes for 'Domain Controllers' (516->10516)
----
Conflicts?
Or design (I hope?, but how to fix the broken parts?)
Note there is a larger overlap of unprefixed groups from
the local and domain listing.  None conflict if they were
merged with dups removed, but some are in the Domain
listing, while others are only in the local listing.

So -- I take it the low-numbered groups are not prefixed because
the somehow have a "WELL KNOWN SID" property attached to them?

Hoping/presuming that's the case, how can I map the
3 domain groups:
'Domains Admins'  (i.e. 10512 -> 512)
'Domain Controllers' (10516 -> 516)
builtin/backup operators -> backup operators

(i.e. did I miss setting some 'built-in' flag somewhere?)

or, how do I prevent cygwin from adding anything to the
UID's, that way, I can have the same mapping from the DC?

(as the DC, running samba, has already done a block-jump
mapping of UID's into a higher level)....

---
Guess that's the main Q how to have cygwin not add to the
UID's -- that way Domain Administrator would map to Administrator,
which is also 'correct' for Admins on Domain joined machines
(IF memory serves me correctly, I could see that making sense
as well -- as in a domain, as domain policy can lockdown/control
member machines, it could also disable local admin accounts if that
was wanted...)...

In my situation would there be any great risk in removing that offset, since it seems to be preventing some logins/groups from
properly mapping, within cygwin they way they should....



Certainly, would like to get my 'Bliss\law acct to have the same UID as what is seen on my network shares...would make life so much more integrous**....

** -- a word in need or more usage! (http://en.wiktionary.org/wiki/integrous)












-- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]