Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Thu, 28 Jul 2005 13:22:59 -0400
From: "Pierre A. Humblet"
Subject: Re: 'id' groups listing conflicts w/'net group GROUPNAMEHERE /domain'
Message-id: <193d01c59399$052c8410$3e0010ac@wirelessworld.airvananet.com>

Tom Rodman wrote:

> The 'id' command indicates user staffuser1 is in group ABC_NA-CTX-Notepad-A.
> I use this account 'staffuser1', and have no idea what group ABC_NA-CTX-Notepad-A
> is; I do not think user staffuser1 is really in that group, but you could
> prove me wrong (how?).
>
> This is causing problems in ssh sessions; Pierre A. Humblet supplied
> me with a workaround: (http://cygwin.com/ml/cygwin/2005-07/msg01287.html).
> How can we determine if user staffuser1 is or is not in group ABC_NA-CTX-Notepad-A?

id reports the groups that are in the (Windows) process token, using
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/gettokeninformation.asp
Somehow Windows put it there.

The fact that net ... does not report it is consistent with your ssh troubles.
When ssh asks Windows what groups you are part of, Windows does not include
ABC_NA-CTX-Notepad-A. However when ssh asks Windows to log you in (giving your
password), Windows does include that group in the token.
The discrepancy causes ssh to create another token, leading to your access
troubles on shared drives.

There is a remote chance (I have never observed something like that) that
the group is in the token but not "enabled", or that SE_GROUP_USE_FOR_DENY_ONLY
is set, or some such, see the special flags in
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/token_groups.asp
You may also get a clue by looking at the content of your /tmp/foo001

You can easily find out the details by creating a short program using
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/getcurrentprocess.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/openprocesstoken.asp
and gettokeninformation to list the groups in your token and understand
what's going on.
The group SID can be mapped to a name with
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/lookupaccountsid.asp

Do you feel able to do that?

Pierre
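
The short program suggested in the message above, as an added example that is not part of the original post: it opens the current process token, lists every group with its attribute word, and maps each SID to a name. The helper group_state() and its three labels are names chosen for this example; the Windows part is compiled only when targeting Windows or Cygwin.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(_WIN32) || defined(__CYGWIN__)
#include <windows.h>
#endif
/* Attribute bits from winnt.h; local names avoid clashing with its macros. */
#define GRP_ENABLED   0x00000004UL /* SE_GROUP_ENABLED */
#define GRP_DENY_ONLY 0x00000010UL /* SE_GROUP_USE_FOR_DENY_ONLY */

/* How a group counts in access checks, from its TOKEN_GROUPS Attributes. */
const char *group_state(unsigned long attrs)
{
    if (attrs & GRP_DENY_ONLY) return "deny-only";
    if (attrs & GRP_ENABLED)   return "enabled";
    return "disabled";
}

#if defined(_WIN32) || defined(__CYGWIN__)
int main(void)
{
    HANDLE tok;
    DWORD len = 0, i;
    TOKEN_GROUPS *tg;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) {
        fprintf(stderr, "OpenProcessToken: error %lu\n", (unsigned long)GetLastError());
        return 1;
    }
    /* Sizing call: fails by design and stores the required byte count in len. */
    GetTokenInformation(tok, TokenGroups, NULL, 0, &len);
    tg = (TOKEN_GROUPS *)malloc(len);
    if (!tg || !GetTokenInformation(tok, TokenGroups, tg, len, &len)) {
        fprintf(stderr, "GetTokenInformation: error %lu\n", (unsigned long)GetLastError());
        return 1;
    }
    for (i = 0; i < tg->GroupCount; i++) {
        char name[256], dom[256];
        DWORD nlen = sizeof name, dlen = sizeof dom;
        SID_NAME_USE use;
        /* A SID with no account mapping (e.g. the logon SID) prints as "?". */
        BOOL ok = LookupAccountSidA(NULL, tg->Groups[i].Sid, name, &nlen, dom, &dlen, &use);
        printf("%s\\%s attrs=0x%08lx %s\n", ok ? dom : "?", ok ? name : "?",
               (unsigned long)tg->Groups[i].Attributes, group_state(tg->Groups[i].Attributes));
    }
    free(tg);
    CloseHandle(tok);
    return 0;
}
#endif
```

Run it once from the local console session and once from the ssh session, then compare the line for the unexpected group in the two outputs.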