Subject: Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?
To: cygwin AT cygwin DOT com
From: Brian Inglis
Date: Fri, 15 Feb 2019 14:38:14 -0700

On 2019-02-15 13:59, Bill Stewart wrote:
> On Fri, Feb 15, 2019 at 1:43 PM Corinna Vinschen wrote:
>> More specific as the original text? I'm hard pressed to accomplish
>> that. Take note of the "domain member machine" property.
> I think I see the problem. The list I posted (above the one you are
> apparently referring to) has the search in a different order.
> The section that starts with "Let's discuss the SID<=>uid/gid mapping
> first. Here's how it works." states this order:
> * Well-known SIDs in the NT_AUTHORITY domain of the S-1-5-RID type
> * Other well-known SIDs in the NT_AUTHORITY domain (S-1-5-X-RID)
> * Other well-known SIDs
> * Logon SIDs
> * Accounts from the local machine's user DB (SAM)
> * Accounts from the machine's primary domain
> * Accounts from a trusted domain of the machine's primary domain
> In this list, local machine accounts are listed before domain accounts.
> Underneath that, there's a second section with examples that starts
> with "Now we have a semi-bijective mapping..." that has this order:
> * Well-known and builtin accounts will be named as in Windows:
> "SYSTEM", "LOCAL", "Medium Mandatory Level", ...
> * If the machine is not a domain member machine, only local accounts
> can be resolved into names, so for ease of use, just the account names
> are used as Cygwin user/group names:
> "corinna", "bigfoot", "None", ...
> * If the machine is a domain member machine, all accounts from the
> primary domain of the machine are mapped to Cygwin names without
> domain prefix:
> "corinna", "bigfoot", "Domain Users", ...
> while accounts from other domains are prepended by their domain:
> "DOMAIN1+corinna", "DOMAIN2+bigfoot", "DOMAIN3+Domain Users", ...
> * Local machine accounts of a domain member machine get a Cygwin user
> name the same way as accounts from another domain: The local machine
> name gets prepended:
> "MYMACHINE+corinna", "MYMACHINE+bigfoot", "MYMACHINE+None", ...
> * If LookupAccountSid fails, Cygwin checks the accounts against the
> known trusted domains. If the account is from one of the trusted
> domains, an artificial account name is created. It consists of the
> domain name, and a special name created from the account RID:
> In the second list, it says domains are first before the local machine.
> I was assuming the first section is an orderly sequence of searching,
> since that's usually how Windows works.
> The second section with the examples seems to be a different order,
> and would seem to be the order Cygwin actually uses.
> I was just wondering if that's by design or by accident, since it's
> different from the typical order.

What it says is that an unprefixed name in a domain defaults to the name
as if prefixed by the primary domain, so if you want the local SAM entry
on a domain machine ($USERDOMAIN != $COMPUTERNAME), you must prefix the
name with the local machine name followed by "+".

Should the local machine name provided be $COMPUTERNAME or $HOSTNAME?
Windows normally allows "." to be used to refer to the local machine
name in a domain context - can anyone confirm or deny whether this works
in Cygwin or with getent?

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains too much
technical detail. Reader discretion is advised.

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
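The naming rules quoted in this thread, modelled in Python so the duplicate-name case can be checked directly: on a domain member the plain name denotes the primary-domain account and the local SAM entry needs the "MACHINE+" prefix. This is an added example, not Cygwin's own code; the Account, cygwin_name and resolve names and the CORP/MYMACHINE/DOMAIN1 sample are assumptions, and well-known SIDs and the trusted-domain RID fallback are out of scope.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Account:
    """A Windows account as LookupAccountSid reports it (constructed model)."""
    domain: str   # owning authority: the machine name for SAM accounts, else the AD domain
    name: str     # the account name itself

def cygwin_name(acct: Account, machine: str, primary_domain: Optional[str]) -> Optional[str]:
    """Return the Cygwin user/group name for acct under the rules quoted above.

    machine is the local computer name; primary_domain is None on a machine
    that is not a domain member. Returns None if the account cannot be
    resolved to a name under those rules."""
    if primary_domain is None:
        # Standalone machine: only local SAM accounts resolve, and they take no prefix.
        return acct.name if acct.domain.upper() == machine.upper() else None
    if acct.domain.upper() == primary_domain.upper():
        return acct.name                       # primary-domain account: no prefix
    # Every other authority is prefixed with "DOMAIN+"; on a domain member that
    # includes the local SAM, so a duplicate local name never collides with the
    # primary-domain account of the same name.
    return f"{acct.domain}+{acct.name}"

def resolve(cygwin_user: str, accounts: Iterable[Account], machine: str,
            primary_domain: Optional[str]) -> Optional[Account]:
    """Reverse lookup: the unique account whose Cygwin name is cygwin_user, else None."""
    matches = [a for a in accounts if cygwin_name(a, machine, primary_domain) == cygwin_user]
    return matches[0] if len(matches) == 1 else None

# Constructed sample: the same account name exists in the primary domain,
# in the local SAM of the domain member, and in a second domain.
SAMPLE_ACCOUNTS = (
    Account("CORP", "corinna"),
    Account("MYMACHINE", "corinna"),
    Account("DOMAIN1", "corinna"),
)

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct, "->", cygwin_name(acct, "MYMACHINE", "CORP"))
    print(resolve("corinna", SAMPLE_ACCOUNTS, "MYMACHINE", "CORP"))            # CORP account
    print(resolve("MYMACHINE+corinna", SAMPLE_ACCOUNTS, "MYMACHINE", "CORP"))  # local SAM account
```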