gid doesn't display correctly on SAMBA share using AD

Len Giambrone Leonard.Giambrone@intersystems.com
Wed Feb 25 20:21:00 GMT 2015 

On 02/25/2015 12:34 PM, Corinna Vinschen wrote:
> On Feb 25 12:26, Len Giambrone wrote:
>> On 02/25/2015 12:20 PM, Corinna Vinschen wrote:
>>> On Feb 25 11:51, Len Giambrone wrote:
>>>> On 02/25/2015 11:18 AM, Corinna Vinschen wrote:
>>>>> On Feb 25 11:01, Len Giambrone wrote:
>>>>>> [...]
>>>>>> The username displays correctly, but the group name does not:
>>>>>>
>>>>>> $ ls -la foo
>>>>>> -rw-rw-r-- 1 build Unix_Group+999 0 Feb 25 10:52 foo
>>>>>>
>>>>>> And this is confirmed by running getent:
>>>>>>
>>>>>> $ getent passwd build
>>>>>> build:*:1065765:1049089:U-ISCINTERNAL\build,S-1-5-21-112145844-1872675854-1690816760-17189:/home/build:/bin/bash
>>>>>>
>>>>>> $ getent passwd group
>>>>>>
>>>>>> I've read
>>>>>> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-gecos
>>>>>> 'til I'm blue in the face, and I think this should work.
>>>>>> What am I missing?  How can I debug?
>>>>> If your admin changed your user account to have a gidNumber 999 only,
>>>>> then that won't help,  Consider:  Cygwin tries to find a group with
>>>>> gidNumber set to 999.  How is it supposed to evaluate the right
>>>>> gidNumber value from some arbitrary user account?
>>>>>
>>>>> What Cygwin needs to get the right connection between a Windows group
>>>>> and a gidNumber value is that the *group* entry in AD itself has the
>>>>> gidNumber set to the right value.
>>>>>
>>>>> I don't know if that's really the problem in your case, but that seems
>>>>> the most likely.
>>>>>
>>>>> Please report back.  I'm excited that I'm not the only one interested
>>>>> in getting this connection between unix and windows ids working :)
>>>> It worked.  :)  Now I just have to persuade my admin to populate uidNumber
>>>> and gidNumber for all our current and new users...
>>> I'm glad to read that.  Thanks for your feedback!
>> If I can't get my admin to cooperate, then I have to resort to using
>> mkpasswd/mkgroup -U.  But this gives output like this:
>>
>> $ ls -la foo
>> -rw-rw-r-- 1 Unix_User+build Unix_Group+releng 0 Feb 25 10:52 foo
>>
>> Is that expected? (The Unix_User+/Unix_Group+ prefix).
> Yes, that's expected.  After all, they are users different from your
> Windows account, see the SIDs.

That's what I thought.

>    If you don't want the prefix, you can
> still override this by manually dropping the prefixes, along the lines
> of what you could already do in the former implementation.  Should be a
> last resort, of course.

I actually tried that; I removed the Unix_User/Group+ prefix from the 
passwd entry to see if it worked.
It did, but then I couldn't ssh in as that user:

build@wx64lg /etc
$ cat /etc/passwd
lgiambro:*:4278246287:99999:,S-1-22-1-56207::

build@wx64lg /etc
$ cat /etc/group
releng:S-1-22-2-999:4278191079:


lgiambro@ubuntu ~/perforce/dev/latest/build/tools
$ ssh -o PubkeyAuthentication=no wx64lg
lgiambro@wx64lg's password:
Connection to wx64lg closed by remote host.
Connection to wx64lg closed.


>    The other, better way not restricted to Cygwin
> is to install Samba's winbind.

We are running winbind.

>    It just doesn't help for existing UNIX
> accounts, afaics.
>

I don't know how winbind works.  If it doesn't work with existing UNIX 
accounts, then when _would_ it have an effect?

> Corinna
>

-- 
-Len

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

More information about the Cygwin mailing list