Date: Mon, 17 Oct 2011 10:36:40 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: Problems with mkpasswd and mkgroup

On Oct 17 10:24, Kåre Edvardsen wrote:
> On fr., 2011-10-14 at 10:29 +0200, Corinna Vinschen wrote:
> > On Oct 14 07:39, Edvardsen Kåre wrote:
> > >
> > > > What is the contents of the "/etc/password" and "/etc/group" files
> > > > after you run the "mkpasswd/mkgroup" commands (as administrator)?
> > >
> > > > What user can log in, but isn't in the password file?
> > >
> > > > Is that user local or a domain user?
> > >
> > > The Windows account name with FULL admin privileges is "servicekonto" and cygwin was installed from this account which is locally on this client and NOT a domain user.
> > > "kae026" is the user who can log in, but isn't in the password file.
> > > "kae026" is a domain user.
> > >
> > > As administrator:
> > >
> > > $ mkpasswd -l -d > /etc/passwd
> > > mkpasswd (427): [5] Access is denied.
> > > [...]
> > > $ mkgroup -l -d > /etc/group
> > > mkgroup (369): [5] Access is denied.
> >
> > That's kind of a clue, isn't it?  Your local administrator account
> > doesn't have the permissions to enumerate the accounts in AD.
> > Add the machine to the domain if you haven't done so already,
> > log in with a domain account and call `mkpasswd -d >> /etc/passwd'
> > and `mkgroup -d >> /etc/group'.  Note that, depending on the
> > security settings of your AD, not all domain users might have
> > the permissions to enumerate domain accounts.  If you login
> > with a domain admin account, you should have no problem, though.
> >
> >
> > Corinna
> >
>
> What does it mean to enumerate an account in AD? (or what happens?)

Calling the NetUserEnum/NetGroupEnum functions with the AD DC as the
first parameter.  See

  http://msdn.microsoft.com/en-us/library/aa370652%28VS.85%29.aspx
  http://msdn.microsoft.com/en-us/library/aa370428%28VS.85%29.aspx

In both cases, see the "Remarks" section.

> I guess it's a bad circle if my local admin account doesn't have the
> permissions to enumerate the accounts in AD, and my domain account
> doesn't have the permissions to install cygwin on the machine...if I
> understand this right?

That's why I said "login with a domain admin account", that avoids
the problems.  Also, there's no reason to believe that your normal
domain account has no permissions to enumerate AD accounts.  The default
settings on Windows are so that all authenticated domain users have the
right to enumerate AD accounts.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
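
An added example, not part of the original mail or of Cygwin itself: a wrapper for the append step recommended above (`mkpasswd -d >> /etc/passwd', `mkgroup -d >> /etc/group') that leaves the file untouched when enumeration fails and skips names that are already present. The helper name append_entries and the rule that any stderr output counts as failure are assumptions.

```shell
# Added example, not from the thread. append_entries is a hypothetical helper.
# Usage (from a domain account, as advised above):
#   append_entries /etc/passwd mkpasswd -d
#   append_entries /etc/group  mkgroup -d
append_entries() {
    _target=$1; shift
    _out=$(mktemp) && _err=$(mktemp) && _new=$(mktemp) || return 1
    _rc=0

    # Generate into a temp file: a plain "> /etc/passwd" truncates the file
    # before the tool runs, even if it then fails with "Access is denied."
    "$@" >"$_out" 2>"$_err" || _rc=$?

    # Assumption: a non-zero exit OR anything on stderr counts as failure,
    # because the thread does not show the tool's exit status on such errors.
    if [ "$_rc" -ne 0 ] || [ -s "$_err" ]; then
        echo "append_entries: '$*' failed (rc=$_rc); $_target unchanged" >&2
        cat "$_err" >&2
        rm -f "$_out" "$_err" "$_new"
        return 1
    fi

    # Keep only generated entries whose name (field 1) is not yet in the target.
    # FILENAME == ARGV[1] (not NR == FNR) stays correct when the target is empty.
    [ -e "$_target" ] || : >"$_target"
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next }
             !($1 in seen)       { seen[$1] = 1; print }' \
        "$_target" "$_out" >"$_new"

    cat "$_new" >>"$_target"
    rm -f "$_out" "$_err" "$_new"
}
```

Running it twice is harmless, since the second run finds every name already in the file.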