gid doesn't display correctly on SAMBA share using AD
Len Giambrone
Leonard.Giambrone@intersystems.com
Wed Feb 25 20:21:00 GMT 2015
On 02/25/2015 12:34 PM, Corinna Vinschen wrote:
> On Feb 25 12:26, Len Giambrone wrote:
>> On 02/25/2015 12:20 PM, Corinna Vinschen wrote:
>>> On Feb 25 11:51, Len Giambrone wrote:
>>>> On 02/25/2015 11:18 AM, Corinna Vinschen wrote:
>>>>> On Feb 25 11:01, Len Giambrone wrote:
>>>>>> [...]
>>>>>> The username displays correctly, but the group name does not:
>>>>>>
>>>>>> $ ls -la foo
>>>>>> -rw-rw-r-- 1 build Unix_Group+999 0 Feb 25 10:52 foo
>>>>>>
>>>>>> And this is confirmed by running getent:
>>>>>>
>>>>>> $ getent passwd build
>>>>>> build:*:1065765:1049089:U-ISCINTERNAL\build,S-1-5-21-112145844-1872675854-1690816760-17189:/home/build:/bin/bash
>>>>>>
>>>>>> $ getent passwd group
>>>>>>
>>>>>> I've read
>>>>>> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-gecos
>>>>>> 'til I'm blue in the face, and I think this should work.
>>>>>> What am I missing? How can I debug?
>>>>> If your admin changed your user account to have a gidNumber 999 only,
>>>>> then that won't help. Consider: Cygwin tries to find a group with
>>>>> gidNumber set to 999. How is it supposed to evaluate the right
>>>>> gidNumber value from some arbitrary user account?
>>>>>
>>>>> What Cygwin needs to get the right connection between a Windows group
>>>>> and a gidNumber value is that the *group* entry in AD itself has the
>>>>> gidNumber set to the right value.
>>>>>
>>>>> I don't know if that's really the problem in your case, but that seems
>>>>> the most likely.
>>>>>
>>>>> Please report back. I'm excited that I'm not the only one interested
>>>>> in getting this connection between unix and windows ids working :)
>>>> It worked. :) Now I just have to persuade my admin to populate uidNumber
>>>> and gidNumber for all our current and new users...
>>> I'm glad to read that. Thanks for your feedback!
>> If I can't get my admin to cooperate, then I have to resort to using
>> mkpasswd/mkgroup -U. But this gives output like this:
>>
>> $ ls -la foo
>> -rw-rw-r-- 1 Unix_User+build Unix_Group+releng 0 Feb 25 10:52 foo
>>
>> Is that expected? (The Unix_User+/Unix_Group+ prefix).
> Yes, that's expected. After all, they are users different from your
> Windows account, see the SIDs.
That's what I thought.
> If you don't want the prefix, you can
> still override this by manually dropping the prefixes, along the lines
> of what you could already do in the former implementation. Should be a
> last resort, of course.
I actually tried that; I removed the Unix_User/Group+ prefix from the
passwd entry to see if it worked.
It did, but then I couldn't ssh in as that user:

build@wx64lg /etc
$ cat /etc/passwd
lgiambro:*:4278246287:99999:,S-1-22-1-56207::

build@wx64lg /etc
$ cat /etc/group
releng:S-1-22-2-999:4278191079:

lgiambro@ubuntu ~/perforce/dev/latest/build/tools
$ ssh -o PubkeyAuthentication=no wx64lg
lgiambro@wx64lg's password:
Connection to wx64lg closed by remote host.
Connection to wx64lg closed.
> The other, better way not restricted to Cygwin
> is to install Samba's winbind.
We are running winbind.
> It just doesn't help for existing UNIX
> accounts, afaics.
>
I don't know how winbind works. If it doesn't work with existing UNIX
accounts, then when _would_ it have an effect?
> Corinna
>
--
-Len
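
An added example, not part of the original thread and not Cygwin code: a Python check that the uid/gid in the passwd and group entries quoted above agree with the SID each entry carries. It assumes Cygwin's documented offsets (0xff000000 + id for Samba S-1-22-1/S-1-22-2 SIDs, 0x100000 + RID for accounts in the machine's primary domain); the function names are hypothetical.

```python
import re

UNIX_BASE = 0xFF000000   # Samba "Unix User"/"Unix Group": S-1-22-{1,2}-<unix id>
DOMAIN_BASE = 0x100000   # assumption: the account lives in the primary domain
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# Entries copied from the messages above.
PASSWD = [
    r"build:*:1065765:1049089:U-ISCINTERNAL\build,"
    r"S-1-5-21-112145844-1872675854-1690816760-17189:/home/build:/bin/bash",
    "lgiambro:*:4278246287:99999:,S-1-22-1-56207::",
]
GROUP = ["releng:S-1-22-2-999:4278191079:"]

def expected_id(sid):
    """Return (kind, Cygwin id implied by the SID); id is None if unknown."""
    auth = sid.split("-")[2:]                  # e.g. ['22', '2', '999']
    if auth[0] == "22" and len(auth) == 3 and auth[1] in ("1", "2"):
        kind = "unix_user" if auth[1] == "1" else "unix_group"
        return kind, UNIX_BASE + int(auth[2])
    if auth[:2] == ["5", "21"] and len(auth) == 6:
        return "domain_account", DOMAIN_BASE + int(auth[-1])  # last part = RID
    return "other", None

def _check(line, sid_field, id_field):
    fields = line.strip().split(":")
    match = SID_RE.search(fields[sid_field])
    kind, want = expected_id(match.group(0)) if match else ("no_sid", None)
    have = int(fields[id_field])
    return {"name": fields[0], "kind": kind, "id": have,
            "expected": want, "ok": want == have}

def check_passwd(line):
    """passwd: the SID sits in the gecos field (5th), the uid in the 3rd."""
    return _check(line, 4, 2)

def check_group(line):
    """group: the SID sits in the 2nd field, the gid in the 3rd."""
    return _check(line, 1, 2)

if __name__ == "__main__":
    for result in [check_passwd(l) for l in PASSWD] + [check_group(l) for l in GROUP]:
        status = "consistent" if result["ok"] else "MISMATCH"
        print(f'{result["name"]:10} {result["kind"]:15} {result["id"]:>11} {status}')
```

An entry reported as MISMATCH has an id that does not correspond to its SID, which is worth checking after hand-editing /etc/passwd or /etc/group.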