gid doesn't display correctly on SAMBA share using AD
Using the latest cygwin: $ cygcheck -c cygwin Cygwin Package Information Package VersionStatus cygwin 1.7.34-6 OK I've asked my admin to update the uidNumber and gidNumber in AD. He has done so: DistinguishedName : CN=build,OU=GroupAccounts,OU=Users,OU=Cambridge,DC=iscinternal,DC=com Enabled : True gidNumber : 999 GivenName : build Name : build ObjectClass : user ObjectGUID: 0901b540-b044-437f-a167-53e1453eab94 SamAccountName: build SID : S-1-5-21-112145844-1872675854-1690816760-17189 Surname : uidNumber : 56191 UserPrincipalName : bu...@iscinternal.com The username displays correctly, but the group name does not: $ ls -la foo -rw-rw-r-- 1 build Unix_Group+999 0 Feb 25 10:52 foo And this is confirmed by running getent: $ getent passwd build build:*:1065765:1049089:U-ISCINTERNAL\build,S-1-5-21-112145844-1872675854-1690816760-17189:/home/build:/bin/bash $ getent passwd group I've read https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-gecos 'til I'm blue in the face, and I think this should work. What am I missing? How can I debug? -- -Len -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: gid doesn't display correctly on SAMBA share using AD
On Feb 25 11:01, Len Giambrone wrote: > Using the latest cygwin: > > $ cygcheck -c cygwin > Cygwin Package Information > Package VersionStatus > cygwin 1.7.34-6 OK > > I've asked my admin to update the uidNumber and gidNumber in AD. He has > done so: > > DistinguishedName : > CN=build,OU=GroupAccounts,OU=Users,OU=Cambridge,DC=iscinternal,DC=com > > Enabled : True > > gidNumber : 999 > > GivenName : build > > Name : build > > ObjectClass : user > > ObjectGUID: 0901b540-b044-437f-a167-53e1453eab94 > > SamAccountName: build > > SID : S-1-5-21-112145844-1872675854-1690816760-17189 > > Surname : > > uidNumber : 56191 > > UserPrincipalName : bu...@iscinternal.com > > > The username displays correctly, but the group name does not: > > $ ls -la foo > -rw-rw-r-- 1 build Unix_Group+999 0 Feb 25 10:52 foo > > And this is confirmed by running getent: > > $ getent passwd build > build:*:1065765:1049089:U-ISCINTERNAL\build,S-1-5-21-112145844-1872675854-1690816760-17189:/home/build:/bin/bash > > $ getent passwd group > > I've read > https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-gecos > 'til I'm blue in the face, and I think this should work. > What am I missing? How can I debug? If your admin changed your user account to have a gidNumber 999 only, then that won't help, Consider: Cygwin tries to find a group with gidNumber set to 999. How is it supposed to evaluate the right gidNumber value from some arbitrary user account? What Cygwin needs to get the right connection between a Windows group and a gidNumber value is that the *group* entry in AD itself has the gidNumber set to the right value. I don't know if that's really the problem in your case, but that seems the most likely. Please report back. I'm excited that I'm not the only one interested in getting this connection between unix and windows ids working :) Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat pgpc9HBXomu7n.pgp Description: PGP signature
Re: gid doesn't display correctly on SAMBA share using AD
On 02/25/2015 11:18 AM, Corinna Vinschen wrote: On Feb 25 11:01, Len Giambrone wrote: Using the latest cygwin: $ cygcheck -c cygwin Cygwin Package Information Package VersionStatus cygwin 1.7.34-6 OK I've asked my admin to update the uidNumber and gidNumber in AD. He has done so: DistinguishedName : CN=build,OU=GroupAccounts,OU=Users,OU=Cambridge,DC=iscinternal,DC=com Enabled : True gidNumber : 999 GivenName : build Name : build ObjectClass : user ObjectGUID: 0901b540-b044-437f-a167-53e1453eab94 SamAccountName: build SID : S-1-5-21-112145844-1872675854-1690816760-17189 Surname : uidNumber : 56191 UserPrincipalName : bu...@iscinternal.com The username displays correctly, but the group name does not: $ ls -la foo -rw-rw-r-- 1 build Unix_Group+999 0 Feb 25 10:52 foo And this is confirmed by running getent: $ getent passwd build build:*:1065765:1049089:U-ISCINTERNAL\build,S-1-5-21-112145844-1872675854-1690816760-17189:/home/build:/bin/bash $ getent passwd group I've read https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-gecos 'til I'm blue in the face, and I think this should work. What am I missing? How can I debug? If your admin changed your user account to have a gidNumber 999 only, then that won't help, Consider: Cygwin tries to find a group with gidNumber set to 999. How is it supposed to evaluate the right gidNumber value from some arbitrary user account? What Cygwin needs to get the right connection between a Windows group and a gidNumber value is that the *group* entry in AD itself has the gidNumber set to the right value. I don't know if that's really the problem in your case, but that seems the most likely. Please report back. I'm excited that I'm not the only one interested in getting this connection between unix and windows ids working :) It worked. :) Now I just have to persuade my admin to populate uidNumber and gidNumber for all our current and new users... Corinna -- -Len -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: gid doesn't display correctly on SAMBA share using AD
On Feb 25 11:51, Len Giambrone wrote: > On 02/25/2015 11:18 AM, Corinna Vinschen wrote: > >On Feb 25 11:01, Len Giambrone wrote: > >>[...] > >>The username displays correctly, but the group name does not: > >> > >>$ ls -la foo > >>-rw-rw-r-- 1 build Unix_Group+999 0 Feb 25 10:52 foo > >> > >>And this is confirmed by running getent: > >> > >>$ getent passwd build > >>build:*:1065765:1049089:U-ISCINTERNAL\build,S-1-5-21-112145844-1872675854-1690816760-17189:/home/build:/bin/bash > >> > >>$ getent passwd group > >> > >>I've read > >>https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-gecos > >>'til I'm blue in the face, and I think this should work. > >>What am I missing? How can I debug? > >If your admin changed your user account to have a gidNumber 999 only, > >then that won't help, Consider: Cygwin tries to find a group with > >gidNumber set to 999. How is it supposed to evaluate the right > >gidNumber value from some arbitrary user account? > > > >What Cygwin needs to get the right connection between a Windows group > >and a gidNumber value is that the *group* entry in AD itself has the > >gidNumber set to the right value. > > > >I don't know if that's really the problem in your case, but that seems > >the most likely. > > > >Please report back. I'm excited that I'm not the only one interested > >in getting this connection between unix and windows ids working :) > > It worked. :) Now I just have to persuade my admin to populate uidNumber > and gidNumber for all our current and new users... I'm glad to read that. Thanks for your feedback! Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat pgp4ZGSOTmpW3.pgp Description: PGP signature
Re: gid doesn't display correctly on SAMBA share using AD
On 02/25/2015 12:20 PM, Corinna Vinschen wrote: On Feb 25 11:51, Len Giambrone wrote: On 02/25/2015 11:18 AM, Corinna Vinschen wrote: On Feb 25 11:01, Len Giambrone wrote: [...] The username displays correctly, but the group name does not: $ ls -la foo -rw-rw-r-- 1 build Unix_Group+999 0 Feb 25 10:52 foo And this is confirmed by running getent: $ getent passwd build build:*:1065765:1049089:U-ISCINTERNAL\build,S-1-5-21-112145844-1872675854-1690816760-17189:/home/build:/bin/bash $ getent passwd group I've read https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-gecos 'til I'm blue in the face, and I think this should work. What am I missing? How can I debug? If your admin changed your user account to have a gidNumber 999 only, then that won't help, Consider: Cygwin tries to find a group with gidNumber set to 999. How is it supposed to evaluate the right gidNumber value from some arbitrary user account? What Cygwin needs to get the right connection between a Windows group and a gidNumber value is that the *group* entry in AD itself has the gidNumber set to the right value. I don't know if that's really the problem in your case, but that seems the most likely. Please report back. I'm excited that I'm not the only one interested in getting this connection between unix and windows ids working :) It worked. :) Now I just have to persuade my admin to populate uidNumber and gidNumber for all our current and new users... I'm glad to read that. Thanks for your feedback! If I can't get my admin to cooperate, then I have to resort to using mkpasswd/mkgroup -U. But this gives output like this: $ ls -la foo -rw-rw-r-- 1 Unix_User+build Unix_Group+releng 0 Feb 25 10:52 foo Is that expected? (The Unix_User+/Unix_Group+ prefix). Corinna -- -Len -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: gid doesn't display correctly on SAMBA share using AD
On Feb 25 12:26, Len Giambrone wrote: > > On 02/25/2015 12:20 PM, Corinna Vinschen wrote: > >On Feb 25 11:51, Len Giambrone wrote: > >>On 02/25/2015 11:18 AM, Corinna Vinschen wrote: > >>>On Feb 25 11:01, Len Giambrone wrote: > [...] > The username displays correctly, but the group name does not: > > $ ls -la foo > -rw-rw-r-- 1 build Unix_Group+999 0 Feb 25 10:52 foo > > And this is confirmed by running getent: > > $ getent passwd build > build:*:1065765:1049089:U-ISCINTERNAL\build,S-1-5-21-112145844-1872675854-1690816760-17189:/home/build:/bin/bash > > $ getent passwd group > > I've read > https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-gecos > 'til I'm blue in the face, and I think this should work. > What am I missing? How can I debug? > >>>If your admin changed your user account to have a gidNumber 999 only, > >>>then that won't help, Consider: Cygwin tries to find a group with > >>>gidNumber set to 999. How is it supposed to evaluate the right > >>>gidNumber value from some arbitrary user account? > >>> > >>>What Cygwin needs to get the right connection between a Windows group > >>>and a gidNumber value is that the *group* entry in AD itself has the > >>>gidNumber set to the right value. > >>> > >>>I don't know if that's really the problem in your case, but that seems > >>>the most likely. > >>> > >>>Please report back. I'm excited that I'm not the only one interested > >>>in getting this connection between unix and windows ids working :) > >>It worked. :) Now I just have to persuade my admin to populate uidNumber > >>and gidNumber for all our current and new users... > >I'm glad to read that. Thanks for your feedback! > > If I can't get my admin to cooperate, then I have to resort to using > mkpasswd/mkgroup -U. But this gives output like this: > > $ ls -la foo > -rw-rw-r-- 1 Unix_User+build Unix_Group+releng 0 Feb 25 10:52 foo > > Is that expected? (The Unix_User+/Unix_Group+ prefix). Yes, that's expected. After all, they are users different from your Windows account, see the SIDs. If you don't want the prefix, you can still override this by manually dropping the prefixes, along the lines of what you could already do in the former implementation. Should be a last resort, of course. The other, better way not restricted to Cygwin is to install Samba's winbind. It just doesn't help for existing UNIX accounts, afaics. Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat pgp4jBgYH_dac.pgp Description: PGP signature
Re: gid doesn't display correctly on SAMBA share using AD
On 02/25/2015 12:34 PM, Corinna Vinschen wrote: On Feb 25 12:26, Len Giambrone wrote: On 02/25/2015 12:20 PM, Corinna Vinschen wrote: On Feb 25 11:51, Len Giambrone wrote: On 02/25/2015 11:18 AM, Corinna Vinschen wrote: On Feb 25 11:01, Len Giambrone wrote: [...] The username displays correctly, but the group name does not: $ ls -la foo -rw-rw-r-- 1 build Unix_Group+999 0 Feb 25 10:52 foo And this is confirmed by running getent: $ getent passwd build build:*:1065765:1049089:U-ISCINTERNAL\build,S-1-5-21-112145844-1872675854-1690816760-17189:/home/build:/bin/bash $ getent passwd group I've read https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-gecos 'til I'm blue in the face, and I think this should work. What am I missing? How can I debug? If your admin changed your user account to have a gidNumber 999 only, then that won't help, Consider: Cygwin tries to find a group with gidNumber set to 999. How is it supposed to evaluate the right gidNumber value from some arbitrary user account? What Cygwin needs to get the right connection between a Windows group and a gidNumber value is that the *group* entry in AD itself has the gidNumber set to the right value. I don't know if that's really the problem in your case, but that seems the most likely. Please report back. I'm excited that I'm not the only one interested in getting this connection between unix and windows ids working :) It worked. :) Now I just have to persuade my admin to populate uidNumber and gidNumber for all our current and new users... I'm glad to read that. Thanks for your feedback! If I can't get my admin to cooperate, then I have to resort to using mkpasswd/mkgroup -U. But this gives output like this: $ ls -la foo -rw-rw-r-- 1 Unix_User+build Unix_Group+releng 0 Feb 25 10:52 foo Is that expected? (The Unix_User+/Unix_Group+ prefix). Yes, that's expected. After all, they are users different from your Windows account, see the SIDs. That's what I thought. If you don't want the prefix, you can still override this by manually dropping the prefixes, along the lines of what you could already do in the former implementation. Should be a last resort, of course. I actually tried that; I removed the Unix_User/Group+ prefix from the passwd entry to see if it worked. It did, but then I couldn't ssh in as that user: build@wx64lg /etc $ cat /etc/passwd lgiambro:*:4278246287:9:,S-1-22-1-56207:: build@wx64lg /etc $ cat /etc/group releng:S-1-22-2-999:4278191079: lgiambro@ubuntu ~/perforce/dev/latest/build/tools $ ssh -o PubkeyAuthentication=no wx64lg lgiambro@wx64lg's password: Connection to wx64lg closed by remote host. Connection to wx64lg closed. The other, better way not restricted to Cygwin is to install Samba's winbind. We are running winbind. It just doesn't help for existing UNIX accounts, afaics. I don't know how winbind works. If it doesn't work with existing UNIX accounts, then when _would_ it have an effect? Corinna -- -Len -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: gid doesn't display correctly on SAMBA share using AD
On Feb 25 12:55, Len Giambrone wrote: > On 02/25/2015 12:34 PM, Corinna Vinschen wrote: > >On Feb 25 12:26, Len Giambrone wrote: > >>$ ls -la foo > >>-rw-rw-r-- 1 Unix_User+build Unix_Group+releng 0 Feb 25 10:52 foo > >> > >>Is that expected? (The Unix_User+/Unix_Group+ prefix). > >Yes, that's expected. After all, they are users different from your > >Windows account, see the SIDs. > > That's what I thought. > > > If you don't want the prefix, you can > >still override this by manually dropping the prefixes, along the lines > >of what you could already do in the former implementation. Should be a > >last resort, of course. > > I actually tried that; I removed the Unix_User/Group+ prefix from the passwd > entry to see if it worked. > It did, but then I couldn't ssh in as that user: > > build@wx64lg /etc > $ cat /etc/passwd > lgiambro:*:4278246287:9:,S-1-22-1-56207:: > > build@wx64lg /etc > $ cat /etc/group > releng:S-1-22-2-999:4278191079: Oh, wait. That's not good. If you do that you must create *two* entries in /etc/passwd and /etc/group with the same account names, one of them being the Windows account, the other being the UNIX account. The order is important, too. The Windows account must preceed the UNIX account, kind of like this: $ mkpasswd -b -c -l my-unix-machine -U corinna corinna:*:1049577:1049701:U-VINSCHEN\corinna,S-1-5-21-2913048732-1697188782-3448811101-1001:/home/corinna:/bin/tcsh Unix_User+corinna:*:4278190580:9:,S-1-22-1-500:: Then remove the Unix_User prefix. It's a bit fragile, that's why other solutions are better, imho. > > The other, better way not restricted to Cygwin > >is to install Samba's winbind. > > We are running winbind. > > > It just doesn't help for existing UNIX > >accounts, afaics. > > I don't know how winbind works. If it doesn't work with existing UNIX > accounts, then when _would_ it have an effect? I don't know exactly how winbind works either. AFAIK it gets a range of UNIX uid/gids, e.g 10-20, and then it translates any incoming Windows SID into a Unix uid/gid in that range. These users are handled by winbind, but not any other, already existing users like "root" or, fwiw, any uid/gid outside the range it maintains. Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat pgppEWuQway0i.pgp Description: PGP signature
Re: gid doesn't display correctly on SAMBA share using AD
Greetings, Len Giambrone! >>The other, better way not restricted to Cygwin >> is to install Samba's winbind. > We are running winbind. >>It just doesn't help for existing UNIX >> accounts, afaics. >> > I don't know how winbind works. If it doesn't work with existing UNIX > accounts, then when _would_ it have an effect? The mapping should be set up in winbind to match SID's to UID/GID's. Just "running winbind" isn't enough. -- WBR, Andrey Repin (anrdae...@yandex.ru) 26.02.2015, <00:49> Sorry for my terrible english... -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
