Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Thu, 28 Jul 2005 13:22:59 -0400
From: "Pierre A. Humblet" <Pierre DOT Humblet AT ieee DOT org>
Subject: Re: 'id' groups listing conflicts w/'net group GROUPNAMEHERE /domain'
To: <cygwin AT trodman DOT com>, <cygwin AT cygwin DOT com>
Reply-to: "Pierre A. Humblet" <Pierre DOT Humblet AT ieee DOT org>
Message-id: <193d01c59399$052c8410$3e0010ac@wirelessworld.airvananet.com>
MIME-version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 7bit

Tom Rodman wrote:

> The 'id' command indicates user staffuser1 is in group ABC_NA-CTX-Notepad-A.
> I use this account 'staffuser1', and have no idea what group ABC_NA-CTX-Notepad-A
> is; I do not think user staffuser1 is really in that group, but you could
> prove me wrong (how?).
> 
> This is causing problems in ssh sessions; Pierre A. Humblet supplied
>  me with a workaround: (http://cygwin.com/ml/cygwin/2005-07/msg01287.html).
    
> How can we determine if user staffuser1 is or is not in group ABC_NA-CTX-Notepad-A?

id reports the groups that are in the (Windows) process token, using
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/gettokeninformation.asp
Somehow Windows put it there.

The fact that net ... does not report it is consistent with your ssh troubles.
When ssh asks Windows what groups you are part of, Windows does
not include ABC_NA-CTX-Notepad-A 
However when ssh asks Windows to log you in (giving your password),
Windows does include that group in the token. The discrepancy causes
ssh to create another token, leading to your access troubles on shared drives. 

There is a remote chance (I have never observed something like that) that
the group is in the token but not "enabled", or that SE_GROUP_USE_FOR_DENY_ONLY
is set, or some such, see the special flags in
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/token_groups.asp
You may also get a clue by looking at the content of your /tmp/foo001

You can easily find out the details by creating a short program using
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/getcurrentprocess.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/openprocesstoken.asp
and gettokeninformation to list the groups in your token and understand what's going on.
The group SID can be mapped to a name with
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/lookupaccountsid.asp
Do you feel able to do that?

Pierre




--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/