X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:subject
	:references:in-reply-to:content-type:content-transfer-encoding;
	 q=dns; s=default; b=Ba4WzbJRxeH+ZgSzPyqcrgOK+f6VELsinAvON5ZixHY
	eqZ/8nLeHYkzMCSrFs/0k7y2M33gWE4QmU1QHhXhr7op26jZRtN5xx7wL/r7oEWT
	a7UGqp/CzxGBte9vztJqXPHangetaeaOY+kZo/HVVtii3Ih1SUxRxBhklVi0zqaI
	=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:subject
	:references:in-reply-to:content-type:content-transfer-encoding;
	 s=default; bh=Vbektfz/ginqruYEja3sV5QiKzk=; b=fnTLUlMs2+mbLeK4u
	UnNyUjFsm9sdY3GsK5ufHTDQfdC4OwlvV3aTgm2rYDRr4Gjbhzd1HWm7D0CM3HAz
	+my4LwzOHVD6YsPFPymCGjXVYODHJfLvXEithVo+2GfWxRjN0uy4eUoTZ1MlKRDh
	hA905LOGh4K0lFQzTSGUdtuDsk=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=0.6 required=5.0 tests=AWL,BAYES_00,SPF_HELO_PASS,SPF_PASS autolearn=ham version=3.3.2
X-HELO: mail1.bemta14.messagelabs.com
X-Env-Sender: Tim DOT Magee AT thales-esecurity DOT com
X-Msg-Ref: server-9.tower-27.messagelabs.com!1427187869!12588268!1
X-StarScan-Received:
X-StarScan-Version: 6.13.6; banners=-,-,-
X-VirusChecked: Checked
Message-ID: <5511289D.5030203@thales-esecurity.com>
Date: Tue, 24 Mar 2015 09:04:29 +0000
From: Tim Magee <Tim DOT Magee AT thales-esecurity DOT com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: mkpasswd: option to force the 'primary' domain?
References: <550C0B53 DOT 6080201 AT thales-esecurity DOT com> <20150320181011 DOT GB12906 AT calimero DOT vinschen DOT de>
In-Reply-To: <20150320181011.GB12906@calimero.vinschen.de>
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes



On 20/03/15 18:10, Corinna Vinschen wrote:
> On Mar 20 11:58, Tim Magee wrote:
>> Now then,
>>
>> Since Cygwin 1.7.34 dropped, mkpasswd has been problematic for us.  Our
>> problem is with the way user names pulled from outside the primary domain
>> get decorated.  My question is: will there ever be a way to tell
>> mkpasswd/mkgroup "make <some non-primary domain> the one whose users get
>> undecorated names"?
>>
>> We have Windows machines in one AD domain, and all our users in a different
>> AD domain.  According to the 'POSIX accounts, permissions and security'
>> page, the machine's domain is considered the primary one. "mkpasswd -d" will
>> generate undecorated names for that domain, and decorated names for any
>> other named domain.
>>
>> We use SSH-based tools a great deal here, and we use Cygwin to make our
>> Windows machines behave like members of our POSIX machine community, so
>> having our usernames appear the same on all machines is very desirable.
>>
>> I think I can recreate the pre-1.74 behaviour with a little seddery, but I'd
>> bet folding money that my seddery isn't future-proof.  So, are
>> mkpasswd/mkgroup ever likely to get an option to force the "undecorated
>> users" domain?
>
> I'm not planning this.  The idea is that mkpasswd/mkgroup create account
> names compatible with the "db"-based accounts and everyhing else is left
> to post-creation manipulation.
>
> Having said that, the new account handling is supposed to be stable on
> the user level for quite some time, ideally at least as many years as
> the old /etc/passwd&/etc/group-only based code.  Therefore using some
> sed script to filter the output of mkpasswd/mkgroup if you dislike the
> new account handling is the way to go.
>
>
> Corinna
>
Thanks, I feel more confident of my seddery already!

In case anyone else with a similar setup reads this thread: using sed to 
trim off the domain decoration for the chosen domain is WFMing like a 
champ, but you'll want to make sure you're not creating name clashes. 
It's safe for us because we only have users we care about in one domain.

Tim


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple