Windows to Cygwin username mapping: Domain before local account when duplicate name?

Corinna Vinschen corinna-cygwin@cygwin.com
Fri Feb 15 16:51:00 GMT 2019


On Feb 15 08:34, Bill Stewart wrote:
> On Fri, Feb 15, 2019 at 2:32 AM Sam Edge (Cygwin) wrote:
> 
> > https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-how explains
> > in more detail.
> 
> I had already read that, and it seems to indicate that it asks the
> local machine first, but that doesn't seem to be happening when
> there's a duplication.
> 
> I have a domain-joined machine, and I have a user account named
> testuser that exists on the local computer and also in the domain.
> 
> 'getent passwd testuser' returns the domain account, not the local
> computer account.
> 
> Hence the question.

There's a documented ruleset which is strictly followed
https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-how:

  Well-known and builtin accounts will be named as in Windows:

    "SYSTEM", "LOCAL", "Medium Mandatory Level", ...

  If the machine is not a domain member machine, only local accounts can
  be resolved into names, so for ease of use, just the account names are
  used as Cygwin user/group names:

    "corinna", "bigfoot", "None", ...

  If the machine is a domain member machine, all accounts from the
  primary domain of the machine are mapped to Cygwin names without
  domain prefix:

    "corinna", "bigfoot", "Domain Users", ...

  while accounts from other domains are prepended by their domain:

    "DOMAIN1+corinna", "DOMAIN2+bigfoot", "DOMAIN3+Domain Users", ...

  Local machine accounts of a domain member machine get a Cygwin user
  name the same way as accounts from another domain: The local machine
  name gets prepended:

    "MYMACHINE+corinna", "MYMACHINE+bigfoot", "MYMACHINE+None", ...

  If LookupAccountSid fails, Cygwin checks the accounts against the
  known trusted domains. If the account is from one of the trusted
  domains, an artificial account name is created. It consists of the
  domain name, and a special name created from the account RID:

    "MY_DOM+User(1234)", "MY_DOM+Group(5678)"

  Otherwise we know nothing about this SID, so it will be mapped to the
  fake accounts Unknown+User/Unknown+Group with uid/gid -1


HTH,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
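
The ruleset quoted in the message above, modelled as an added example (not part of the original post and not Cygwin's own code). `Account`, `cygwin_name`, `resolve` and the sample accounts are constructed for illustration; the set of trusted domains is passed in as an assumption, and names are compared case-sensitively for brevity.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    """Constructed stand-in for the result of a SID lookup (not a Cygwin type)."""
    authority: Optional[str]   # domain or machine name that issued the SID
    name: Optional[str]        # None models a failed LookupAccountSid
    rid: int = 0
    is_group: bool = False
    well_known: bool = False   # SYSTEM, LOCAL, builtin accounts, ...

def cygwin_name(acct, primary_domain=None, trusted=()):
    """Cygwin user/group name per the quoted rules; primary_domain=None means not a domain member."""
    kind = "Group" if acct.is_group else "User"
    if acct.name is None:
        # Lookup failed: artificial name for a trusted domain, else the fake
        # Unknown+User/Unknown+Group account (uid/gid -1 in the ruleset).
        if acct.authority in trusted:
            return f"{acct.authority}+{kind}({acct.rid})"
        return f"Unknown+{kind}"
    if acct.well_known:
        return acct.name                       # named as in Windows
    if primary_domain is None:
        return acct.name                       # standalone machine: bare local names
    if acct.authority == primary_domain:
        return acct.name                       # primary domain: no prefix
    # Other domains and the local machine of a domain member get a prefix.
    return f"{acct.authority}+{acct.name}"

def resolve(cyg_name, accounts, primary_domain=None, trusted=()):
    """Which of the given accounts carry exactly this Cygwin name."""
    return [a for a in accounts if cygwin_name(a, primary_domain, trusted) == cyg_name]

# Constructed sample: the thread's case, "testuser" exists locally and in the domain.
LOCAL = Account("MYMACHINE", "testuser", rid=1001)
DOMAIN = Account("MY_DOM", "testuser", rid=1105)

if __name__ == "__main__":
    for a in (LOCAL, DOMAIN):
        print(a.authority, "->", cygwin_name(a, primary_domain="MY_DOM"))
```

On a domain member the bare name `testuser` therefore belongs to the domain account only, and the local account is reachable as `MYMACHINE+testuser`, which matters when writing file ACLs or `sshd` allow-lists by name.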