Mail Archives: cygwin/2011/07/22/03:17:49

X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Fri, 22 Jul 2011 09:16:55 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: I'm confused, ... domain vs. local account mappings (why diffs, how to control mappings?)
Message-ID: <20110722071655.GZ15150@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <4E28FEDC DOT 5080306 AT tlinx DOT org>
MIME-Version: 1.0
In-Reply-To: <4E28FEDC.5080306@tlinx.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Jul 21 21:38, Linda Walsh wrote:
> 1) local user 'law', 'root' and 'guest' are all in '513'
> Sid  "S-1-5-21----513" is a "well known sid" for 'Domain Users'
> (why it shows up as a group labeled 'non' with my local
> computers id in the computer part, is confusing.

It's confusing?  It's Windows!  Every local SAM has a default group with
RID 513, the name of that group is even (badly) localized.  "None" in
English, "Kein" in German, "Aucun" in French, etc.

> 2) 'law' is in 'lawgroup' (one good thing!)
> But Domain user 'root' is in group 10513, which is sorta 'broken'
> like the local users mapping to 513.  It probably should have
> mapped to '10512'?

Nope.  All users' primary group is "None" or "Domain Users", even for
admins.

> 3) Why 2 Backup Operators? -- Backup Operators mapping
> correctly from Sid S---551->551.
>   but 'builtin\backup operators, (also 512, mapping to a different
> domain-mapped UID on the local machine).

One has been returned by the local SAM group listing function,
one by the domain group listing function.  For all practical
purposes it's the same group.  You should not call `mkgroup -l' and then
`mkgroup -D'.  Call `mkgroup -l -D' in one go and the confusing double 
groups will disappear.

> I do have Domain Admins, -512, but they aren't being mapped
> to the correct local GID of '512'...
> Same goes for 'Domain Controllers' (516->10516)
> ----
> Conflicts?
> Or design (I hope?, but how to fix the broken parts?)

Calling 

$ mkpasswd -l -D > /etc/passwd
$ mkgroup -l -D > /etc/group

will fix it.

http://cygwin.com/cygwin-ug-net/ntsec.html
http://cygwin.com/cygwin-ug-net/using-utils.html#mkgroup
http://cygwin.com/cygwin-ug-net/using-utils.html#mkpasswd


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
