X-Recipient: | archive-cygwin AT delorie DOT com |
Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
List-Id: | <cygwin.cygwin.com> |
List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
List-Archive: | <http://sourceware.org/ml/cygwin/> |
List-Post: | <mailto:cygwin AT cygwin DOT com> |
List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
Sender: | cygwin-owner AT cygwin DOT com |
Mail-Followup-To: | cygwin AT cygwin DOT com |
Delivered-To: | mailing list cygwin AT cygwin DOT com |
Authentication-Results: | sourceware.org; auth=none |
X-Virus-Found: | No |
X-Spam-SWARE-Status: | No, score=-3.9 required=5.0 tests=AWL,BAYES_00,CYGWIN_OWNER_BODY autolearn=no version=3.3.2 |
X-HELO: | calimero.vinschen.de |
Date: | Thu, 20 Nov 2014 10:48:34 +0100 |
From: | Corinna Vinschen <corinna-cygwin AT cygwin DOT com> |
To: | cygwin AT cygwin DOT com |
Subject: | Re: occasional failure to look up |
Message-ID: | <20141120094834.GK3810@calimero.vinschen.de> |
Reply-To: | cygwin AT cygwin DOT com |
References: | <C9D37D92E903B347A31B9CF82643BA2807362157 AT 046-CH1MPN1-043 DOT 046d DOT mgd DOT msft DOT net> <20141118152211 DOT GZ3151 AT calimero DOT vinschen DOT de> <C9D37D92E903B347A31B9CF82643BA2807362297 AT 046-CH1MPN1-043 DOT 046d DOT mgd DOT msft DOT net> <20141118155809 DOT GD3151 AT calimero DOT vinschen DOT de> <C9D37D92E903B347A31B9CF82643BA2807362338 AT 046-CH1MPN1-043 DOT 046d DOT mgd DOT msft DOT net> <20141118165427 DOT GG3151 AT calimero DOT vinschen DOT de> |
MIME-Version: | 1.0 |
In-Reply-To: | <20141118165427.GG3151@calimero.vinschen.de> |
User-Agent: | Mutt/1.5.23 (2014-03-12) |
On Nov 18 17:54, Corinna Vinschen wrote:
> On Nov 18 16:26, Habermann, David (D) wrote:
> > From: cygwin-owner
> > The problem here is the abbreviation in both cases.  What I was looking
> > for is if your user uid/SID shows up in the token group list as well.
> > I don't need the full list, but can you please check?
> >
> > 1125370 does not occur anywhere else in the ID output (only as UID).
> > U074036 also does not appear anywhere else in the ID output (only as
> > UID).
>
> Ok, that's more or less what I expected...
>
> > 1125370 does not appear anywhere in the whoami output.  However,
> > u074036 does appear twice in the whoami output.  I've included both
> > below.
> >
> > User Name: dow\u074036
> > SID:       S-1-5-21-1060284298-861567501-682003330-76794
> >
> > Group Name: DOW\U074036
> > Type:       User
> > SID:        S-1-5-21-4015118-2039090470-1726288727-4013
> > Attributes: Mandatory group, Enabled by default, Enabled group
>
> ...and this too.  It explains the problem at least partially.
>
> But... there's something weird here:  While this is both times the same
> DOMAIN\user combination, it has two different SIDs.  I never, ever saw
> that.  It looks broken to me, but I could be missing something.

Yes, I'm missing something:  SID history.  This "group" is you, but from
another domain your account has been migrated from.  It seems the Cygwin
code isn't prepared for this situation.

The problem is, I can't test it myself.  ADSI Edit doesn't allow writing
a SID to the sIDHistory attribute, even using an enterprise admin account.

What we could do in Cygwin is to ignore user accounts in the group list
of an existing token.  One downside would be the fact that your POSIX
permissions would probably be wrong, if you access a file on an old file
server still using your old SID.

OTOH, in theory, if the migration has been done long ago, and all old
file servers have gone, too, it would be a good idea from a security
perspective to remove the SID history from your AD entry.

Still, some debugging on affected systems might be enlightening.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
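
Added example, not part of the original message and not Cygwin code: a small check that reads whoami output in the layout quoted above and reports group-list entries that are really user accounts, which is how the migrated account's SID history appears in this thread. The function names and the `DOW\Domain Users` record are assumptions made for the example.

```python
import re

# Constructed sample: the two records quoted in the message plus one ordinary
# group entry (DOW\Domain Users and its RID are made up for contrast).
SAMPLE = r"""
User Name: dow\u074036
SID:       S-1-5-21-1060284298-861567501-682003330-76794

Group Name: DOW\Domain Users
Type:       Group
SID:        S-1-5-21-1060284298-861567501-682003330-513
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: DOW\U074036
Type:       User
SID:        S-1-5-21-4015118-2039090470-1726288727-4013
Attributes: Mandatory group, Enabled by default, Enabled group
"""

def parse_records(text):
    """Split blank-line separated 'Key: value' blocks into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = (line.partition(":") for line in block.splitlines())
        rec = {k.strip(): v.strip() for k, sep, v in fields if sep}
        if rec:
            records.append(rec)
    return records

def domain_of(sid):
    """Domain part of an account SID: everything before the final RID."""
    return sid.rsplit("-", 1)[0]

def find_sid_history(text):
    """Return (user record, group-list entries that are really user accounts)."""
    records = parse_records(text)
    user = next(r for r in records if "User Name" in r)
    hits = []
    for rec in records:
        # A group-list entry of type "User" with another SID is an account SID
        # carried in the token, which is how SID history shows up here.
        if rec.get("Type") == "User" and rec.get("SID") != user["SID"]:
            hits.append({"name": rec["Group Name"], "sid": rec["SID"],
                         "other_domain": domain_of(rec["SID"]) != domain_of(user["SID"])})
    return user, hits

if __name__ == "__main__":
    user, hits = find_sid_history(SAMPLE)
    for h in hits:
        print(f"{user['User Name']}: extra account SID {h['sid']} ({h['name']})")
```
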