X-Recipient:	archive-cygwin AT delorie DOT com
DomainKey-Signature:	a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:subject
	:references:in-reply-to:content-type:content-transfer-encoding;
	q=dns; s=default; b=h7be8e97jDGS9FBp5+EgcEHbkklHCW6EOZB+K2gP9Lj
	DSGJg7oACpvvakNbET5JkDZSoNCLCCSniR3inDqtBE6Oh5rAX22mOZdkT8JGhNO+
	cb0yY4CSOQBjN5+Dn6jQ7Ac45hcoys3Vc4jnqRYyjJL1OfI6EvbprTs/0HjKU5ZQ
	=
DKIM-Signature:	v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:subject
	:references:in-reply-to:content-type:content-transfer-encoding;
	s=default; bh=2yDyV0+0PCfWJX5u4rYYILCp1Fg=; b=hBc3PsZEQNEofOSVg
	YSzQmdyDxR60jhoOBs9wGot3VhmaAQabldbjl5dFPBMICKqwc9TgThg343f9W7+0
	ReCTVaTMg1UXzyg7sR2RwTilwTtYLMf07N173XI7yN4gOt3Hl6fYysn+XY+MQi1V
	bCxCZMQchdToaoO09zqfwANWgE=
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com
Authentication-Results:	sourceware.org; auth=none
X-Virus-Found:	No
X-Spam-SWARE-Status:	No, score=-2.7 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_LOW,T_RP_MATCHES_RCVD autolearn=ham version=3.3.2
X-HELO:	mail2.intersystems.com
X-InterSystems:	Sent from InterSystems
X-InterSystems:	Sent from InterSystems
Message-ID:	<54EE0C9B.2020605@intersystems.com>
Date:	Wed, 25 Feb 2015 12:55:39 -0500
From:	Len Giambrone <Leonard DOT Giambrone AT intersystems DOT com>
User-Agent:	Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version:	1.0
To:	<cygwin AT cygwin DOT com>
Subject:	Re: gid doesn't display correctly on SAMBA share using AD
References:	<54EDF1DB DOT 20708 AT intersystems DOT com> <20150225161849 DOT GG437 AT calimero DOT vinschen DOT de> <54EDFD84 DOT 2030605 AT intersystems DOT com> <20150225172022 DOT GL437 AT calimero DOT vinschen DOT de> <54EE05B3 DOT 4050304 AT intersystems DOT com> <20150225173432 DOT GP437 AT calimero DOT vinschen DOT de>
In-Reply-To:	<20150225173432.GP437@calimero.vinschen.de>
X-IsSubscribed:	yes

On 02/25/2015 12:34 PM, Corinna Vinschen wrote:
> On Feb 25 12:26, Len Giambrone wrote:
>> On 02/25/2015 12:20 PM, Corinna Vinschen wrote:
>>> On Feb 25 11:51, Len Giambrone wrote:
>>>> On 02/25/2015 11:18 AM, Corinna Vinschen wrote:
>>>>> On Feb 25 11:01, Len Giambrone wrote:
>>>>>> [...]
>>>>>> The username displays correctly, but the group name does not:
>>>>>>
>>>>>> $ ls -la foo
>>>>>> -rw-rw-r-- 1 build Unix_Group+999 0 Feb 25 10:52 foo
>>>>>>
>>>>>> And this is confirmed by running getent:
>>>>>>
>>>>>> $ getent passwd build
>>>>>> build:*:1065765:1049089:U-ISCINTERNAL\build,S-1-5-21-112145844-1872675854-1690816760-17189:/home/build:/bin/bash
>>>>>>
>>>>>> $ getent passwd group
>>>>>>
>>>>>> I've read
>>>>>> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-gecos
>>>>>> 'til I'm blue in the face, and I think this should work.
>>>>>> What am I missing?  How can I debug?
>>>>> If your admin changed your user account to have a gidNumber 999 only,
>>>>> then that won't help,  Consider:  Cygwin tries to find a group with
>>>>> gidNumber set to 999.  How is it supposed to evaluate the right
>>>>> gidNumber value from some arbitrary user account?
>>>>>
>>>>> What Cygwin needs to get the right connection between a Windows group
>>>>> and a gidNumber value is that the *group* entry in AD itself has the
>>>>> gidNumber set to the right value.
>>>>>
>>>>> I don't know if that's really the problem in your case, but that seems
>>>>> the most likely.
>>>>>
>>>>> Please report back.  I'm excited that I'm not the only one interested
>>>>> in getting this connection between unix and windows ids working :)
>>>> It worked.  :)  Now I just have to persuade my admin to populate uidNumber
>>>> and gidNumber for all our current and new users...
>>> I'm glad to read that.  Thanks for your feedback!
>> If I can't get my admin to cooperate, then I have to resort to using
>> mkpasswd/mkgroup -U.  But this gives output like this:
>>
>> $ ls -la foo
>> -rw-rw-r-- 1 Unix_User+build Unix_Group+releng 0 Feb 25 10:52 foo
>>
>> Is that expected? (The Unix_User+/Unix_Group+ prefix).
> Yes, that's expected.  After all, they are users different from your
> Windows account, see the SIDs.

That's what I thought.

>    If you don't want the prefix, you can
> still override this by manually dropping the prefixes, along the lines
> of what you could already do in the former implementation.  Should be a
> last resort, of course.

I actually tried that; I removed the Unix_User/Group+ prefix from the 
passwd entry to see if it worked.
It did, but then I couldn't ssh in as that user:

build AT wx64lg /etc
$ cat /etc/passwd
lgiambro:*:4278246287:99999:,S-1-22-1-56207::

build AT wx64lg /etc
$ cat /etc/group
releng:S-1-22-2-999:4278191079:


lgiambro AT ubuntu ~/perforce/dev/latest/build/tools
$ ssh -o PubkeyAuthentication=no wx64lg
lgiambro AT wx64lg's password:
Connection to wx64lg closed by remote host.
Connection to wx64lg closed.


>    The other, better way not restricted to Cygwin
> is to install Samba's winbind.

We are running winbind.

>    It just doesn't help for existing UNIX
> accounts, afaics.
>

I don't know how winbind works.  If it doesn't work with existing UNIX 
accounts, then when _would_ it have an effect?

> Corinna
>

-- 
-Len

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -