Mail Archives: cygwin/2019/02/15/11:38:32

Date: Fri, 15 Feb 2019 17:38:17 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?
Message-ID: <20190215163817.GI2702@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <CANV9t=SNfgP-CA32yfPwLv2=d0F8xtpdCT4o_wwGFGE+F3SEuA AT mail DOT gmail DOT com> <50cba8d1-4794-8db9-d1f3-ab9476421db7 AT gmx DOT com> <CANV9t=QQ1higAt1qeDF4fckkz_6eqQJtdhau8+uhrAvGtWUK_A AT mail DOT gmail DOT com>
MIME-Version: 1.0
In-Reply-To: <CANV9t=QQ1higAt1qeDF4fckkz_6eqQJtdhau8+uhrAvGtWUK_A@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)

On Feb 15 08:34, Bill Stewart wrote:
> On Fri, Feb 15, 2019 at 2:32 AM Sam Edge (Cygwin) wrote:
>
> > https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-how explains
> > in more detail.
>
> I had already read that, and it seems to indicate that it asks the
> local machine first, but that doesn't seem to be happening when
> there's a duplication.
>
> I have a domain-joined machine, and I have a user account named
> testuser that exists on the local computer and also in the domain.
>
> 'getent passwd testuser' returns the domain account, not the local
> computer account.
>=20
> Hence the question.

There's a documented ruleset which is strictly followed
https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-how:

  Well-known and builtin accounts will be named as in Windows:

    "SYSTEM", "LOCAL", "Medium Mandatory Level", ...

  If the machine is not a domain member machine, only local accounts can
  be resolved into names, so for ease of use, just the account names are
  used as Cygwin user/group names:

    "corinna", "bigfoot", "None", ...

  If the machine is a domain member machine, all accounts from the
  primary domain of the machine are mapped to Cygwin names without
  domain prefix:

    "corinna", "bigfoot", "Domain Users", ...

  while accounts from other domains are prepended by their domain:

    "DOMAIN1+corinna", "DOMAIN2+bigfoot", "DOMAIN3+Domain Users", ...

  Local machine accounts of a domain member machine get a Cygwin user
  name the same way as accounts from another domain: The local machine
  name gets prepended:

    "MYMACHINE+corinna", "MYMACHINE+bigfoot", "MYMACHINE+None", ...

  If LookupAccountSid fails, Cygwin checks the accounts against the
  known trusted domains. If the account is from one of the trusted
  domains, an artificial account name is created. It consists of the
  domain name, and a special name created from the account RID:

    "MY_DOM+User(1234)", "MY_DOM+Group(5678)"

  Otherwise we know nothing about this SID, so it will be mapped to the
  fake accounts Unknown+User/Unknown+Group with uid/gid -1


HTH,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
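
The ruleset quoted in the message above, modelled as an added Python example (not Cygwin's code and not part of the original message), applied to the duplicate `testuser` case from the question. The `Account` and `Host` types, the `CORP` primary domain and the sample accounts are constructed for illustration; the `+` separator is the one shown in the names above.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:              # hypothetical model of one resolved SID
    domain: Optional[str]   # authority the SID belongs to, if known
    name: Optional[str]     # None models a failed LookupAccountSid
    well_known: bool = False
    rid: int = 0
    is_group: bool = False

@dataclass(frozen=True)
class Host:                 # hypothetical model of the local machine
    machine: str
    primary_domain: Optional[str] = None   # None: not a domain member
    trusted_domains: tuple = ()

def _same(a, b):
    # Windows domain and machine names compare case-insensitively.
    return a is not None and b is not None and a.casefold() == b.casefold()

def cygwin_name(acct: Account, host: Host) -> str:
    kind = "Group" if acct.is_group else "User"
    if acct.name is None:                       # LookupAccountSid failed
        if any(_same(acct.domain, d) for d in host.trusted_domains):
            return f"{acct.domain}+{kind}({acct.rid})"
        return f"Unknown+{kind}"                # mapped with uid/gid -1
    if acct.well_known or host.primary_domain is None:
        return acct.name                        # named as in Windows / bare local name
    if _same(acct.domain, host.primary_domain):
        return acct.name                        # primary domain: no prefix
    return f"{acct.domain}+{acct.name}"         # other domain or local machine

def accounts_named(name, accounts, host):
    """Return the accounts whose Cygwin name is exactly `name`."""
    return [a for a in accounts if cygwin_name(a, host) == name]

# Constructed data: the duplicate 'testuser' from the question.
MEMBER = Host("MYMACHINE", primary_domain="CORP", trusted_domains=("MY_DOM",))
STANDALONE = Host("MYMACHINE")
LOCAL_TESTUSER = Account("MYMACHINE", "testuser")
DOMAIN_TESTUSER = Account("CORP", "testuser")

if __name__ == "__main__":
    for a in (LOCAL_TESTUSER, DOMAIN_TESTUSER):
        print(a.domain, "->", cygwin_name(a, MEMBER))
    print(accounts_named("testuser", [LOCAL_TESTUSER, DOMAIN_TESTUSER], MEMBER))
```

Under these rules the bare name on a domain member always denotes the primary-domain account, so scripts or ownership checks that mean the local account have to use `MYMACHINE+testuser`.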
