From: cygwin AT trodman DOT com (Tom Rodman)
To: cygwin AT cygwin DOT com
Subject: Re: 'id' groups listing conflicts w/'net group GROUPNAMEHERE /domain'
Date: Thu, 28 Jul 2005 15:36:30 -0500
Message-Id: <200507282036.j6SKaVFO029967@tigris.pounder.sol.net>
In-reply-to: <193d01c59399$052c8410$3e0010ac@wirelessworld.airvananet.com>

Thank you again Pierre. I appreciate the increased rights ;-> It fixed up more than just the net drive issue: a couple of my database admin commands that were failing now work again in an ssh session. See comments below.

-- regards, Tom

On Thu 7/28/05 13:22 EDT "Pierre A. Humblet" wrote:
> Tom Rodman wrote:
>
> > The 'id' command indicates user staffuser1 is in group ABC_NA-CTX-Notepad-A.
> > I use this account 'staffuser1', and have no idea what group ABC_NA-CTX-Notepad-A
> > is; I do not think user staffuser1 is really in that group, but you could
> > prove me wrong (how?).
> >
> > This is causing problems in ssh sessions; Pierre A. Humblet supplied
> > me with a workaround: (http://cygwin.com/ml/cygwin/2005-07/msg01287.html).
> >
> > How can we determine if user staffuser1 is or is not in group ABC_NA-CTX-Notepad-A?
>
> id reports the groups that are in the (Windows) process token, using
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/gettokeninformation.asp
> Somehow Windows put it there.
>
> The fact that net ... does not report it is consistent with your ssh troubles.
> When ssh asks Windows what groups you are part of, Windows does
> not include ABC_NA-CTX-Notepad-A.
> However when ssh asks Windows to log you in (giving your password),
> Windows does include that group in the token. The discrepancy causes
> ssh to create another token, leading to your access troubles on shared drives.
>
> There is a remote chance (I have never observed something like that) that
> the group is in the token but not "enabled", or that SE_GROUP_USE_FOR_DENY_ONLY
> is set, or some such; see the special flags in
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/token_groups.asp
> You may also get a clue by looking at the content of your /tmp/foo001

The users in /tmp/foo001 mean little to me. I did recognize one person I know out of the ~86 usernames, so maybe I'll talk to him about the group's purpose and human "creator".

The domain we're in is large (many thousands of users), and 'mkpasswd -d -l' fails because it's so large, so I run 'mkpasswd -l', and then individual 'mkpasswd -d -u USERNAME' for all the end users I support, and cat all these to /etc/passwd in a daily cron job.

> You can easily find out the details by creating a short program using
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/getcurrentprocess.asp
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/openprocesstoken.asp
> and gettokeninformation to list the groups in your token and understand what's going on.
> The group SID can be mapped to a name with
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/lookupaccountsid.asp
> Do you feel able to do that?

I have not had time to thoroughly look at your links, but my hunch is that I will need help writing the program(s) - and that I can get that help here where I work. I will keep the mailing list updated, but I expect it may take a while; meanwhile I'll use the workaround.
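The program Pierre describes, written out here as an added example (not code from this thread or from Cygwin): it opens the current process token, lists every group via LookupAccountSid, and decodes the attribute word so a group that is present but disabled or marked deny-only shows up as such. The off-Windows #else branch, the helper names and the file name tokgroups.c are my assumptions; build under Cygwin with gcc tokgroups.c -o tokgroups -ladvapi32.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Attribute bits from winnt.h, so the decoder also builds off Windows. */
#define SE_GROUP_MANDATORY          0x00000001
#define SE_GROUP_ENABLED            0x00000004
#define SE_GROUP_USE_FOR_DENY_ONLY  0x00000010
#define SE_GROUP_LOGON_ID           0xC0000000
typedef unsigned long DWORD;
#endif
/* Append one word to a comma-separated list without overrunning buf. */
static void add_word(char *buf, size_t n, const char *w) {
    if (buf[0]) strncat(buf, ",", n - strlen(buf) - 1);
    strncat(buf, w, n - strlen(buf) - 1);
}

/* Decode SID_AND_ATTRIBUTES.Attributes; "DISABLED" and "DENY-ONLY" are the
 * two states Pierre mentions that leave a group in the token yet ineffective. */
const char *describe_attrs(DWORD a, char *buf, size_t n) {
    buf[0] = '\0';
    add_word(buf, n, (a & SE_GROUP_ENABLED) ? "enabled" : "DISABLED");
    if (a & SE_GROUP_USE_FOR_DENY_ONLY)                add_word(buf, n, "DENY-ONLY");
    if (a & SE_GROUP_MANDATORY)                        add_word(buf, n, "mandatory");
    if ((a & SE_GROUP_LOGON_ID) == SE_GROUP_LOGON_ID)  add_word(buf, n, "logon-id");
    return buf;
}

#ifdef _WIN32
/* Open the process token, fetch TOKEN_GROUPS, and print each group as
 * DOMAIN\name with its decoded attributes (unresolvable SIDs are flagged). */
int main(void) {
    HANDLE tok; DWORD need = 0; char attrs[96];
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return 1;
    GetTokenInformation(tok, TokenGroups, NULL, 0, &need);        /* size probe */
    TOKEN_GROUPS *tg = malloc(need);
    if (!tg || !GetTokenInformation(tok, TokenGroups, tg, need, &need)) return 1;
    for (DWORD i = 0; i < tg->GroupCount; i++) {
        char name[256], dom[256]; DWORD nl = sizeof name, dl = sizeof dom; SID_NAME_USE use;
        const char *flags = describe_attrs(tg->Groups[i].Attributes, attrs, sizeof attrs);
        if (LookupAccountSidA(NULL, tg->Groups[i].Sid, name, &nl, dom, &dl, &use))
            printf("%s\\%s: %s\n", dom, name, flags);
        else
            printf("<unresolved SID>: %s\n", flags);
    }
    free(tg); CloseHandle(tok); return 0;
}
#endif
```

Run it from the ssh session that misbehaves and compare the ABC_NA-CTX-Notepad-A line against the same run from a console login; a DISABLED or DENY-ONLY mark there is the case Pierre called a remote chance.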