Date: Fri, 24 Apr 2015 11:24:28 +1000 (EST)
From: John Orr
To: cygwin
Message-ID: <940053103.236275.1429838668520.JavaMail.zimbra@ceos.com.au>
Subject: Re: File owner set to Unknown+User on cygwin 1.7.35 via samba 3.6.6 on debian

> On Apr 22 20:50, random user wrote:
>>
>> On 4/22/2015 7:21 PM, John Orr wrote:
...
>>
>> Would I be right in guessing that your samba server is doing
>> authentication using a /etc/samba/smbpasswd file?
>>
>> If that is the case, the output you show matches my experience. Files
>> with an owner matching the logged-in user in such a case end up with
>> an owner SID like the
>>
>> S-1-5-21-2908258922-1501660359-1356206134-1000
>>
>> seen in your output, as if it is a local user defined only by the
>> samba server itself. (It seems tied to neither my Unix userid nor my
>> Windows Domain SID; it just seems as if the samba server pretends to
>> be a local Windows OS with its own set of users.)
>>
>> For users and groups not defined in smbpasswd (or maybe it's for all
>> except for file owner matching the logged in user), the SIDs do show
>> up in the S-1-5-22- Unix_User+/Unix_Group+ form.
>>
>> I'll leave it at that; hopefully more capable hands can help you
>> choose how to then deal with these SIDs.
>
> That's a very good point and sounds like a very likely cause for this
> problem. The fact that the GUI shows "JOHNWL\john" seems like a very
> good hint.

Thanks very much, er, Random, for that tip - great call.

> Here's the problem: Cygwin's automatism can't resolve this SID,
> and the methods implemented in the account handling can't help with
> that.
>
> The reason is this: When you ask the Windows GUI for the ACL of a file,
> it knows whom to ask for the SIDs. It's either a SID it knows anyway
> (builtin, SAM, AD), or it asks the underlying server of the share.
>
> However, the account handling in Cygwin is decoupled from the code
> fetching file ACLs. It only generically cares for passwd and group
> entries, and it only knows to ask SAM or AD for the SID. It has no
> connection to the server serving the share. This *might* be possible,
> but code for that just isn't there.

Thanks for the explanation. I'm fairly new to Samba, but I googled "samba
setup" and three of the first four results talked about using smbpasswd,
so I'd presume this would be a reasonably common situation (unless
winbind is used?).

I'm rather curious what conditions cause Samba to return S-1-22-1-1000 -
the ntsec help says "unmapped accounts" get that. I presume there's
another authentication method I could be using, besides smbpasswd, that
allows authentication without an account mapping?

> What you can do to workaround this problem is either to change Samba
> so as not to return the above SID for the user with UID 1000, but the
> default SID S-1-22-1-1000.

I'm not sure how to do this. I tried

  #: john@johnwl:~ ; sudo pdbedit -u john -U S-1-22-1-1000
  tdb_update_sam: struct samu (john) with no RID!
  Unable to modify entry!

but that didn't work. I've not found good help on this, but I think
perhaps the -U argument, whose help text is "set user SID or RID", is
really only expecting an RID.

I tried instead setting my samba machine SID to match my cygwin machine
SID, with

  sudo net setlocalsid S-1-5-21-775725812-2182925691-3402384268

and that worked. Since my samba RID is still 1000 (and after restarting
smbd), that did indeed produce

  #: john@johndesktop:~ ; ls -l /cygdrive/l/.bashrc
  -rw-r--r-- 1 john Unix_Group+1000 3833 Aug 22 2013 /cygdrive/l/.bashrc

i.e. the user is now mapping successfully. The only problem is that in
our organization, without a domain, every user will have a different
machine SID for their windows machine, and the samba setup on common
servers can only pick one of those.
Just in case, I tried setting the local samba SID to maybe force Samba to
return S-1-22-1-1000 for me:

  #: john@johnwl:~ ; sudo net setlocalsid S-1-22-1
  Usage: net setlocalsid S-1-5-21-x-y-z

Alas, it saw through my cunning plan. Any other suggestions on how to get
Samba to return S-1-22-1-1000?

> Or, in Cygwin, you just keep a passwd file
> with two entries around. These entries should be equivalent to the
> output of `getent passwd $USER', so just copy/paste it twice. Then
> tweak the SID of the second entry to match the above SID. The end result
> should be:
>
> john:*:197608:197121:U-JOHNDESKTOP\john,S-1-5-21-775725812-2182925691-3402384268-1000:/home/john:/bin/bash
> john:*:197608:197121:U-JOHNWL\john,S-1-5-21-2908258922-1501660359-1356206134-1000:/home/john:/bin/bash

Yep, that may indeed be the best option, with an entry for each samba
server I connect to, though I can't help feeling that the S-1-22-1-1000
option is the cleaner one...

Anyway, doing the above to the passwd file does work:

  #: john@johndesktop:~ ; ls -l /cygdrive/l/.bashrc
  -rw-r--r-- 1 john Unix_Group+1000 3833 Aug 22 2013 /cygdrive/l/.bashrc

Now I just need to get the group right. The ntsec help says to just set
the comment on the Users group to (and restart all cygwin processes). I
did this, but it didn't seem to help - maybe because 'id' says my group
is None, or because net localgroup Users doesn't mention me? Since net
localgroup Administrators does mention me, I tried setting the comment
on that group instead - but no luck. Gah - frustrating stuff...

Any tips for the best way to fix my group mapping, given all this? Maybe
more entries in /etc/group, or changing out of None in my /etc/passwd
entries?

Thank you again - we're almost there! (though the ntsec help might need
some updating perhaps...)

John

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
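Added example, not code from the thread or from Cygwin or Samba: a small Python helper that takes the `getent passwd $USER` line quoted in the reply above and produces the second passwd entry the reply describes (same uid/gid/home/shell, Samba server's NetBIOS name and machine SID swapped in, the user's RID kept), and reports whether a server-reported SID is of the S-1-22-1-<uid> form that Cygwin maps without any passwd entry. The sample line, the JOHNWL name and the machine SIDs come from the thread; the function names and the SID sanity checks are invented here.

```python
import re

# Constructed sample input: the `getent passwd $USER` line quoted in the thread.
LOCAL_ENTRY = (r"john:*:197608:197121:U-JOHNDESKTOP\john,"
               r"S-1-5-21-775725812-2182925691-3402384268-1000:/home/john:/bin/bash")

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
UNIX_USER_PREFIX = "S-1-22-1-"  # SID form Cygwin maps to a Unix uid with no passwd entry


def parse_sid(sid):
    """Return the numeric parts of an SID: [revision, authority, subauth..., rid]."""
    if not SID_RE.match(sid):
        raise ValueError("not an SID: %r" % sid)
    return [int(p) for p in sid.split("-")[1:]]


def parse_entry(line):
    """Split a Cygwin passwd line; the gecos field carries 'U-DOMAIN\\user,SID'."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields")
    name, pw, uid, gid, gecos, home, shell = fields
    account, _, sid = gecos.partition(",")
    kind, _, domuser = account.partition("-")      # 'U' marks a user entry
    domain, _, winuser = domuser.partition("\\")
    parse_sid(sid)                                  # validate; raises on junk
    return {"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
            "kind": kind, "domain": domain, "winuser": winuser, "sid": sid,
            "home": home, "shell": shell}


def samba_entry(line, samba_domain, samba_machine_sid):
    """Clone a local entry so the same uid/gid also matches the SID the Samba
    server reports: its machine SID (S-1-5-21-x-y-z) plus the user's RID."""
    e = parse_entry(line)
    machine = parse_sid(samba_machine_sid)
    if len(machine) != 6 or machine[1] != 5 or machine[2] != 21:
        raise ValueError("machine SID must look like S-1-5-21-x-y-z")
    rid = parse_sid(e["sid"])[-1]
    gecos = "%s-%s\\%s,%s-%d" % (e["kind"], samba_domain, e["winuser"],
                                 samba_machine_sid, rid)
    return ":".join([e["name"], e["pw"], str(e["uid"]), str(e["gid"]),
                     gecos, e["home"], e["shell"]])


def needs_extra_entry(server_sid):
    """True unless the server hands out S-1-22-1-<uid>, which Cygwin maps itself."""
    parse_sid(server_sid)
    return not server_sid.startswith(UNIX_USER_PREFIX)


if __name__ == "__main__":
    print(samba_entry(LOCAL_ENTRY, "JOHNWL", "S-1-5-21-2908258922-1501660359-1356206134"))
```

Run it once per Samba server you connect to and append each generated line to /etc/passwd, keeping the original `getent` line as the first entry.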