occasional failure to look up

Corinna Vinschen corinna-cygwin@cygwin.com
Thu Nov 20 09:48:00 GMT 2014


On Nov 18 17:54, Corinna Vinschen wrote:
> On Nov 18 16:26, Habermann, David (D) wrote:
> > From: cygwin-owner
> > The problem here is the abbreviation in both cases.  What I was looking
> > for is if your user uid/SID shows up in the token group list as well.
> > I don't need the full list, but can you please check?
> > 
> > 1125370 does not occur anywhere else in the ID output (only as UID).
> > U074036 also does not appear anywhere else in the ID output (only as
> > UID).
> 
> Ok, that's more or less what I expected...
> 
> > 1125370 does not appear anywhere in the whoami output.  However,
> > u074036 does appear twice in the whoami output.  I've included both
> > below. 
> > 
> > User Name: dow\u074036
> > SID:       S-1-5-21-1060284298-861567501-682003330-76794
> > 
> > Group Name: DOW\U074036
> > Type:       User
> > SID:        S-1-5-21-4015118-2039090470-1726288727-4013
> > Attributes: Mandatory group, Enabled by default, Enabled group
> 
> ...and this too.  It explains the problem at least partially.
> 
> But... there's something weird here:  While this is both times the same
> DOMAIN\user combination, it has two different SIDs.  I never, ever saw
> that.  It looks broken to me, but I could be missing something.

Yes, I'm missing something:  SID history.  This "group" is you, but from
another domain your account has been migrated from.  It seems the Cygwin
code isn't prepared for this situation.

The problem is, I can't test it myself.  ADSI Edit doesn't allow writing
a SID to the sIDHistory attribute, even using an enterprise admin
account.

What we could do in Cygwin is to ignore user accounts in the group list
of an existing token.  One downside would be the fact that your POSIX
permissions would probably be wrong if you access a file on an old file
server still using your old SID.

OTOH, in theory, if the migration has been done long ago, and all old
file servers have gone, too, it would be a good idea from a security
perspective to remove the SID history from your AD entry.

Still, some debugging on affected systems might be enlightening.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
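The sIDHistory pattern discussed in the thread, as an added example that is not part of the thread or of Cygwin's own code: a small parser for the list-style whoami output quoted above that flags User-typed token group entries carrying the token owner's DOMAIN\name under a different SID, and applies the proposed workaround of dropping user accounts from the group list. It assumes the record layout shown in the quoted output; the BUILTIN\Users record in the sample is constructed.

```python
import re

# Constructed sample in the "whoami /all /fo list" layout quoted in the thread.
# The user record and the self-named "group" record are taken from the thread;
# BUILTIN\Users is a constructed, ordinary group added for contrast.
SAMPLE = """\
User Name: dow\\u074036
SID:       S-1-5-21-1060284298-861567501-682003330-76794

Group Name: BUILTIN\\Users
Type:       Alias
SID:        S-1-5-32-545
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: DOW\\U074036
Type:       User
SID:        S-1-5-21-4015118-2039090470-1726288727-4013
Attributes: Mandatory group, Enabled by default, Enabled group
"""

def parse_list_output(text):
    """Split blank-line separated 'Key: value' records into
    (user_name, user_sid, [(group_name, type, sid), ...])."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            rec[key.strip().lower()] = val.strip()
        records.append(rec)
    user = next(r for r in records if "user name" in r)
    groups = [(r["group name"], r.get("type", ""), r["sid"])
              for r in records if "group name" in r]
    return user["user name"], user["sid"], groups

def sid_history_candidates(text):
    """Token 'groups' that are really the token owner under another SID.
    A User-typed entry whose DOMAIN\\name equals the owner's but whose SID
    differs is the sIDHistory pattern from the thread: the pre-migration SID
    of the account rides along in the token's group list."""
    user_name, user_sid, groups = parse_list_output(text)
    return [(name, sid) for name, gtype, sid in groups
            if gtype.lower() == "user"
            and name.lower() == user_name.lower()
            and sid != user_sid]

def groups_without_user_accounts(text):
    """The workaround proposed in the thread: ignore user accounts in the
    token's group list and keep only real groups."""
    _, _, groups = parse_list_output(text)
    return [(name, sid) for name, gtype, sid in groups if gtype.lower() != "user"]
```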