X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Mon, 17 Oct 2011 10:36:40 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Problems with mkpasswd and mkgroup
Message-ID: <20111017083640.GE30527@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <20111014082932 DOT GA12878 AT calimero DOT vinschen DOT de> <1318839873 DOT 3370 DOT 14 DOT camel AT kare-desktop>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <1318839873.3370.14.camel@kare-desktop>
User-Agent: Mutt/1.5.21 (2010-09-15)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Oct 17 10:24, Kåre Edvardsen wrote:
> On fr., 2011-10-14 at 10:29 +0200, Corinna Vinschen wrote:
> > On Oct 14 07:39, Edvardsen Kåre wrote:
> > > 
> > > > What is the contents of the "/etc/password" and "/etc/group" files
> > > > after you run the "mkpasswd/mkgroup" commands (as administrator)?
> > > 
> > > > What user can log in, but isn't in the password file?
> > > 
> > > > Is that user local or a domain user?
> > > 
> > > The Windows account name with FULL admin privileges is "servicekonto" and cygwin was installed from this account which is locally on this client and NOT a domain user.
> > > "kae026" is the user who can log in, but isn't in the password file. 
> > > "kae026" is a domain user.
> > > 
> > > As admnistrator:
> > > 
> > > $ mkpasswd -l -d > /etc/passwd
> > > mkpasswd (427): [5] Access is denied.
> > > [...]
> > > $ mkgroup -l -d > /etc/group
> > > mkgroup (369): [5] Access is denied.
> > 
> > That's kind of clue, isn't it?  You local administrator account
> > doesn't have the permissions to enumerate the accounts in AD.
> > Add the machine to the domain if you haven't done so already,
> > log in with a domain account and call `mkpasswd -d >> /etc/passwd'
> > and `mkgroup -d >> /etc/group'.  Note that, depending on the
> > security settings of your AD, not all domain users might have
> > the permissions to enumerate domain accounts.  If you login
> > with a domain admin account, you should have no problem, though.
> > 
> > 
> > Corinna
> > 
> 
> What does it mean to enumerate an account in AD? (or what happens?)

Calling the NetUserEnum/NetGroupEnum functions with the AD DC as the
first parameter.  See
http://msdn.microsoft.com/en-us/library/aa370652%28VS.85%29.aspx
http://msdn.microsoft.com/en-us/library/aa370428%28VS.85%29.aspx
In both cases, see the "Remarks" section.

> I guess it's a bad circle if my local admin account doesn't have the
> permissions to enumerate the accounts in AD , and my domain account
> doesn't have the permissions to install cygwin on the machine...if I
> understand this right?

That's why I said "login with a domain admin account", that avoids
the problems.  Also, there's no reason to believe that your normal
domain account has no permissions to enumerate AD accounts.  The
default settings on Windows are so that all authenticated domain
users have the right to enumerate AD accounts.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple