Mail Archives: cygwin/2015/04/23/21:24:52
> On Apr 22 20:50, random user wrote:
>> >> On 4/22/2015 7:21 PM, John Orr wrote: ...
>>
>> Would I be right in guessing that your samba server is doing
>> authentication using a /etc/samba/smbpasswd file?
>>
>> If that is the case, the output you show matches my experience. Files
>> with owner matching the logged-in user in such a case end up with
>> an owner SID like the
>>
>> S-1-5-21-2908258922-1501660359-1356206134-1000
>>
>> seen in your output, as if it is a local user defined only by the
>> samba server itself. (It seems tied to neither my Unix userid nor my
>> Windows Domain SID, it just seems as if the samba server pretends to
>> be a local Windows OS with its own set of users.)
>>
>> For users and groups not defined in smbpasswd (or maybe it's for all
>> except for file owner matching the logged in user), the SIDs do show
>> up in the S-1-5-22- Unix_User+/Unix_Group+ form.
>>
>> I'll leave it at that; hopefully more capable hands can help you
>> choose how to then deal with these SIDs.
>
> That's a very good point and sounds like a very likely cause for this
> problem. The fact that the GUI shows "JOHNWL\john" seems like a very
> good hint.
Thanks very much, er, Random, for that tip - great call.
> Here's the problem: Cygwin's automatism can't resolve this SID,
> and the methods implemented in the account handling can't help with
> that.
>
> The reason is this: When you ask the Windows GUI for the ACL of a file,
> it knows whom to ask for the SIDs. It's either a SID it knows anyway
> (builtin, SAM, AD), or it asks the underlying server of the share.
>
> However, the account handling in Cygwin is decoupled from the code
> fetching file ACLs. It only generically cares for passwd and group
> entries, and it only knows to ask SAM or AD for the SID. It has no
> connection to the server serving the share. This *might* be possible,
> but code for that just isn't there.
Thanks for the explanation. I'm fairly new to Samba, but I googled "samba setup"
and three of the first four results talked about using smbpasswd - so I'd presume
this would be a reasonably common situation (unless winbind is used?).
I'm rather curious what conditions cause Samba to return S-1-22-1-1000 - the
ntsec help says "unmapped accounts" get that. I presume there's another authentication
method I could be using, besides smbpasswd, that allows authentication without
an account mapping?
> What you can do to workaround this problem is either to change Samba
> so as not to return the above SID for the user with UID 1000, but the
> default SID S-1-22-1-1000.
I'm not sure how to do this. I tried
#: john@johnwl:~ ; sudo pdbedit -u john -U S-1-22-1-1000
tdb_update_sam: struct samu (john) with no RID!
Unable to modify entry!
but that didn't work. I've not found good help on this, but I think perhaps
the -U argument, whose help text is "set user SID or RID" is really only expecting
an RID. I tried instead setting my samba machine SID to match my cygwin machine SID, with
sudo net setlocalsid S-1-5-21-775725812-2182925691-3402384268
and that worked. Since my samba RID is still 1000, (and after restarting smbd),
that did indeed produce
#: john@johndesktop:~ ; ls -l /cygdrive/l/.bashrc
-rw-r--r-- 1 john Unix_Group+1000 3833 Aug 22 2013 /cygdrive/l/.bashrc
i.e. the user is now mapping successfully. The only problem is that in our organization,
without a domain, every user will have a different machine SID for their windows
machine, and the samba setup on common servers can only pick one of those. Just in case,
I tried setting the local samba SID to maybe force Samba to return S-1-22-1-1000
for me:
#: john@johnwl:~ ; sudo net setlocalsid S-1-22-1
Usage: net setlocalsid S-1-5-21-x-y-z
Alas, it saw through my cunning plan.
Any other suggestions on how to get Samba to return S-1-22-1-1000?
> Or, in Cygwin, you just keep a passwd file
> with two entries around. These entries should be equivalent to the
> output of `getent passwd $USER', so just copy/paste it twice. Then
> tweak the SID of the second entry to match the above SID. The end result
> should be:
>
> john:*:197608:197121:U-JOHNDESKTOP\john,S-1-5-21-775725812-2182925691-3402384268-1000:/home/john:/bin/bash
> john:*:197608:197121:U-JOHNWL\john,S-1-5-21-2908258922-1501660359-1356206134-1000:/home/john:/bin/bash
Yep, that may indeed be the best option, with an entry for each samba server I connect to,
though I can't help feeling that the S-1-22-1-1000 option is the cleaner one...
Anyway, doing the above to the passwd file does work
#: john@johndesktop:~ ; ls -l /cygdrive/l/.bashrc
-rw-r--r-- 1 john Unix_Group+1000 3833 Aug 22 2013 /cygdrive/l/.bashrc
Now I just need to get the group right. The ntsec help says to just set the comment on
the Users group to <cygwin unix="1000"/> (and restart all cygwin processes). I did this,
but it didn't seem to help - maybe because 'id' says my group is None, or because
net localgroup Users
doesn't mention me?
Since
net localgroup Administrators
does mention me, I tried setting the comment on that group
instead - but no luck. Gah - frustrating stuff...
Any tips for the best way to fix my group mapping, given all this?
Maybe more entries in /etc/group, or changing out of None in my /etc/passwd entries?
Thank you again - we're almost there! (though the ntsec help might need some updating perhaps...)
John
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
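The per-server passwd workaround described in the thread (copy the `getent passwd $USER` line and swap in the Samba server's SID), as an added example that is not part of the original message or of Cygwin/Samba. It assumes the gecos field has the `U-HOST\user,SID` shape shown above, that the machine SID comes from `net getlocalsid` on the Samba host, and that the RID to append is the Samba-side value John reports (1000, his Unix uid there).

```sh
#!/bin/sh
# Build an extra Cygwin /etc/passwd entry for one Samba server.
# Constructed example; it only rewrites the gecos tag and SID of an
# existing getent line and validates the inputs, nothing else.

# Usage: mk_samba_entry GETENT_LINE SAMBA_HOST MACHINE_SID RID
#   GETENT_LINE  output of `getent passwd $USER` on the Cygwin box
#   SAMBA_HOST   NetBIOS name of the Samba server (for the U-HOST\user tag)
#   MACHINE_SID  Samba local SID, S-1-5-21-x-y-z, from `net getlocalsid`
#   RID          relative id the server appends (the user's Unix uid there)
mk_samba_entry() {
    line=$1 host=$2 msid=$3 rid=$4

    # A Samba/Windows machine SID always has the S-1-5-21-x-y-z shape;
    # S-1-22-1-<uid> is the Unix_User+ fallback and must not be used here.
    case $msid in
        S-1-5-21-*-*-*) ;;
        *) echo "not a machine SID (want S-1-5-21-x-y-z): $msid" >&2; return 1 ;;
    esac
    case $rid in
        ''|*[!0-9]*) echo "RID must be numeric: $rid" >&2; return 1 ;;
    esac

    # Split the seven colon-separated passwd fields; -r keeps the backslash
    # in U-HOST\user intact.
    IFS=: read -r user pw uid gid _gecos home shell <<EOF
$line
EOF
    [ -n "$user" ] && [ -n "$home" ] || { echo "malformed passwd line" >&2; return 1; }

    # Same uid/gid/home/shell, new host tag and SID so Cygwin can resolve
    # the owner SID the Samba share returns.
    printf '%s:%s:%s:%s:U-%s\\%s,%s-%s:%s:%s\n' \
        "$user" "$pw" "$uid" "$gid" "$host" "$user" "$msid" "$rid" "$home" "$shell"
}

# Example: the two entries from the thread, generated from the first one.
mk_samba_entry \
    'john:*:197608:197121:U-JOHNDESKTOP\john,S-1-5-21-775725812-2182925691-3402384268-1000:/home/john:/bin/bash' \
    JOHNWL S-1-5-21-2908258922-1501660359-1356206134 1000
```

Append the printed line to /etc/passwd below the original entry (one per Samba server), then restart the Cygwin processes so the new mapping is picked up.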