From: Linda Walsh
Date: Thu, 21 Jul 2011 21:38:52 -0700
To: cygwin AT cygwin DOT com
Subject: I'm confused, ... domain vs. local account mappings (why diffs, how to control mappings?)

For various reasons (config changes, upgrading to newer version of samba, phase of the moon, dumb-luck/random chance, after a latest round of samba-setup config auditing (amongst other things)), I'm no longer getting "device attached to sys not functioning" (originally reported http://cygwin.com/ml/cygwin/2010-07/msg00289.html).

Now I get output that I'm not exactly sure how to interpret.

--- first local, which by itself seems almost normal:

(I split long lines and indented the continuations, also sub'ed the long sys-uniq# with 11111-22222-11111 for my local sys. I use a different ## for my domain further on, down, below.
(I also sorted them by UID)

# mkpasswd -l:
SYSTEM:*:18:544:,S-1-5-18::
LocalService:*:19:544:U-NT AUTHORITY\LocalService,S-1-5-19::
NetworkService:*:20:544:U-NT AUTHORITY\NetworkService,S-1-5-20::
Guest:unused:501:513:U-athenae\Guest,\
    S-1-5-21-11111-22222-11111-501:/home/Guest:/bin/bash
root:unused:500:513:Athenae Admin,U-athenae\root,\
    S-1-5-21-11111-22222-11111-500:/home/root:/bin/bash
Administrators:*:544:544:,S-1-5-32-544::
law:unused:1001:513:L A Walsh,U-athenae\law,\
    S-1-5-21-11111-22222-11111-1001:/home/law:/bin/bash

# mkgroup -l
SYSTEM:S-1-5-18:18:
None:S-1-5-21-11111-22222-11111-513:513:
Administrators:S-1-5-32-544:544:
Users:S-1-5-32-545:545:
Guests:S-1-5-32-546:546:
Power Users:S-1-5-32-547:547:
Backup Operators:S-1-5-32-551:551:
Replicator:S-1-5-32-552:552:
Remote Desktop Users:S-1-5-32-555:555:
Network Configuration Operators:S-1-5-32-556:556:
Performance Monitor Users:S-1-5-32-558:558:
Performance Log Users:S-1-5-32-559:559:
Distributed COM Users:S-1-5-32-562:562:
IIS_IUSRS:S-1-5-32-568:568:
Cryptographic Operators:S-1-5-32-569:569:
Event Log Readers:S-1-5-32-573:573:
lawgroup:S-1-5-21-11111-22222-11111-1005:1005:

--- so above looks ok, -- several builtin entries, and some added local entries.
Now the Domain entries:

# mkpasswd -D:
BLISS\root:unused:10500:10513:root,U-BLISS\root,\
    S-1-5-21-33333-77777-33333-500://BLISS/root:/bin/bash
BLISS\law:unused:90026:71008:L A Walsh,U-BLISS\law,\
    S-1-5-21-33333-77777-33333-80026://BLISS/law:/bin/bash

# mkgroup -D:
SYSTEM:S-1-5-18:18:
Print Operators:S-1-5-32-550:550:
Replicator:S-1-5-32-552:552:
Administrators:S-1-5-32-544:544:
Users:S-1-5-32-545:545:
Guests:S-1-5-32-546:546:
Power Users:S-1-5-32-547:547:
Account Operators:S-1-5-32-548:548:
Server Operators:S-1-5-32-549:549:
Backup Operators:S-1-5-32-551:551:
RAS Servers:S-1-5-32-553:553:
BLISS\Domain Admins:S-1-5-21-33333-77777-33333-512:10512:
BLISS\Domain Controllers:S-1-5-21-33333-77777-33333-516:10516:
BLISS\Juno:S-1-5-21-33333-77777-33333-1462:11005:
BLISS\media:S-1-5-21-33333-77777-33333-1017:11017:
BUILTIN\Backup Operators:S-1-5-32-551:11018:
BLISS\man:S-1-5-21-33333-77777-33333-1028:11028:
BLISS\Trusted Local Net Users:S-1-5-21-33333-77777-33333-50002:60002:
BLISS\lawgroup:S-1-5-21-33333-77777-33333-61008:71008:
BLISS\scan:S-1-5-21-33333-77777-33333-70464:80464:

Comments:

1) local user 'law', 'root' and 'guest' are all in '513'. Sid "S-1-5-21----513" is a "well known sid" for 'Domain Users' (why it shows up as a group labeled 'None' with my local computer's id in the computer part is confusing).

2) 'law' is in 'lawgroup' (one good thing!) But Domain user 'root' is in group 10513, which is sorta 'broken' like the local users mapping to 513. It probably should have mapped to '10512'?

3) Why 2 Backup Operators? -- Backup Operators mapping correctly from Sid S---551->551, but 'builtin\backup operators' (also 512, mapping to a different domain-mapped UID on the local machine). I do have Domain Admins, -512, but they aren't being mapped to the correct local GID of '512'... Same goes for 'Domain Controllers' (516->10516).

---- Conflicts? Or design (I hope?, but how to fix the broken parts?)
Note there is a larger overlap of unprefixed groups from the local and domain listing. None conflict if they were merged with dups removed, but some are in the Domain listing, while others are only in the local listing. So -- I take it the low-numbered groups are not prefixed because they somehow have a "WELL KNOWN SID" property attached to them?

Hoping/presuming that's the case, how can I map the 3 domain groups:
    'Domain Admins' (i.e. 10512 -> 512)
    'Domain Controllers' (10516 -> 516)
    builtin/backup operators -> backup operators
(i.e. did I miss setting some 'built-in' flag somewhere?)

or, how do I prevent cygwin from adding anything to the UID's, that way, I can have the same mapping from the DC? (as the DC, running samba, has already done a block-jump mapping of UID's into a higher level)....

--- Guess that's the main Q: how to have cygwin not add to the UID's -- that way Domain Administrator would map to Administrator, which is also 'correct' for Admins on Domain joined machines (IF memory serves me correctly, I could see that making sense as well -- as in a domain, as domain policy can lockdown/control member machines, it could also disable local admin accounts if that was wanted...)...

In my situation would there be any great risk in removing that offset, since it seems to be preventing some logins/groups from properly mapping, within cygwin the way they should....

Certainly, would like to get my 'Bliss\law' acct to have the same UID as what is seen on my network shares... would make life so much more integrous**....

** -- a word in need of more usage! (http://en.wiktionary.org/wiki/integrous)
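An added diagnostic, not code from the post or from Cygwin: it parses mkpasswd/mkgroup lines of the kind quoted above, derives each entry's (numeric id minus SID RID) offset separately per SID authority (BUILTIN vs. a domain), and flags entries that deviate from the dominant offset as well as SIDs that ended up with two different numeric ids. The sample lines are copied from the post's domain listing, keeping its placeholder domain number.

```python
# Added example, not Cygwin's or the post's code.
import re
from collections import Counter, defaultdict

SID_RE = re.compile(r"S-1-5-(?:\d+-)+\d+")

def parse_line(line):
    """Return (name, sid, numeric_id) for one mkpasswd or mkgroup line, else None."""
    f = line.strip().split(":")
    if len(f) < 4:
        return None
    if f[1].startswith("S-1-5-"):           # mkgroup form: name:SID:gid:members
        return f[0], f[1], int(f[2])
    m = SID_RE.search(f[4])                 # mkpasswd form: SID closes the gecos field
    return (f[0], m.group(0), int(f[2])) if m else None

def audit(lines):
    """Per SID authority (S-1-5-32 = BUILTIN, S-1-5-21-<dom> = one domain) take the
    dominant (id - RID) offset; report deviating names and SIDs with >1 numeric id."""
    entries = [e for e in map(parse_line, lines) if e]
    by_auth, by_sid = defaultdict(dict), defaultdict(set)
    for name, sid, nid in entries:
        auth, rid = sid.rsplit("-", 1)
        by_auth[auth][name] = nid - int(rid)
        by_sid[sid].add(nid)
    dominant = {a: Counter(o.values()).most_common(1)[0][0] for a, o in by_auth.items()}
    anomalies = {n: (o, dominant[a]) for a, offs in by_auth.items()
                 for n, o in offs.items() if o != dominant[a]}
    duplicates = {s: sorted(ids) for s, ids in by_sid.items() if len(ids) > 1}
    return dominant, anomalies, duplicates

# Sample lines copied from the post's mkpasswd -D / mkgroup -D output, keeping
# its placeholder domain id 33333-77777-33333.
SAMPLE = """\
BLISS\\root:unused:10500:10513:root,U-BLISS\\root,S-1-5-21-33333-77777-33333-500://BLISS/root:/bin/bash
BLISS\\law:unused:90026:71008:L A Walsh,U-BLISS\\law,S-1-5-21-33333-77777-33333-80026://BLISS/law:/bin/bash
Administrators:S-1-5-32-544:544:
Backup Operators:S-1-5-32-551:551:
BLISS\\Domain Admins:S-1-5-21-33333-77777-33333-512:10512:
BLISS\\Juno:S-1-5-21-33333-77777-33333-1462:11005:
BLISS\\media:S-1-5-21-33333-77777-33333-1017:11017:
BUILTIN\\Backup Operators:S-1-5-32-551:11018:
BLISS\\lawgroup:S-1-5-21-33333-77777-33333-61008:71008:
""".splitlines()

if __name__ == "__main__":
    dom, anom, dup = audit(SAMPLE)
    print("dominant offset per SID authority:", dom)
    print("entries off the dominant offset (found, expected):", anom)
    print("SIDs mapped to more than one id:", dup)
```

On the post's listing this singles out BLISS\Juno (offset 9543 instead of 10000) and BUILTIN\Backup Operators (S-1-5-32-551 mapped to both 551 and 11018), which are exactly the entries the post questions.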