Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-19 Thread Andrey Repin
Greetings, Bill Stewart!

> On Fri, Feb 15, 2019 at 3:48 PM Bill Stewart wrote:

>> This means that when I test getent using the name "Admin", Cygwin
>> finds the domain group:
>>
>> PS C:\> getent -w passwd admin
>> admin::DOMAINNAME\admin:S-1-5-21-nn-n-n-nn
>>
>> I get that this is by design, but .NET finds the local account first,
>> which is what I was expecting:
>>
>> PS C:\> $name = [Security.Principal.NTAccount] "admin"
>> PS C:\> $sid = $name.Translate([Security.Principal.SecurityIdentifier])
>> PS C:\> $sid.Translate([Security.Principal.NTAccount])
>>
>> Value
>> -
>> COMPUTERNAME\Admin

> So then - just to follow up - Cygwin is for sure going to stick with
> "domain first" when resolving an account name that doesn't include an
> authority.

No.

> (a) Is this correct?

No.

> (b) Is there a particular reason this order was chosen (instead of
> local first, then domain, i.e., the usual Windows order)?

No.


-- 
With best regards,
Andrey Repin
Tuesday, February 19, 2019 20:11:34

Sorry for my terrible english...


--
Problem reports:   http://cygwin.com/problems.html
FAQ:   http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info:  http://cygwin.com/ml/#unsubscribe-simple



Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-19 Thread Bill Stewart
On Tue, Feb 19, 2019 at 8:47 AM Bill Stewart wrote:

> (a) Is this correct?
>
> (b) Is there a particular reason this order was chosen (instead of
> local first, then domain, i.e., the usual Windows order)?

Please disregard. I forgot the reason was to have the same behavior as
the Windows logon screen, which (although different from the API
order) is sensible.

Regards,

Bill




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-19 Thread Bill Stewart
On Fri, Feb 15, 2019 at 3:48 PM Bill Stewart wrote:

> This means that when I test getent using the name "Admin", Cygwin
> finds the domain group:
>
> PS C:\> getent -w passwd admin
> admin::DOMAINNAME\admin:S-1-5-21-nn-n-n-nn
>
> I get that this is by design, but .NET finds the local account first,
> which is what I was expecting:
>
> PS C:\> $name = [Security.Principal.NTAccount] "admin"
> PS C:\> $sid = $name.Translate([Security.Principal.SecurityIdentifier])
> PS C:\> $sid.Translate([Security.Principal.NTAccount])
>
> Value
> -
> COMPUTERNAME\Admin

So then - just to follow up - Cygwin is for sure going to stick with
"domain first" when resolving an account name that doesn't include an
authority.

(a) Is this correct?

(b) Is there a particular reason this order was chosen (instead of
local first, then domain, i.e., the usual Windows order)?

Thanks,

Bill




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-18 Thread Corinna Vinschen
On Feb 16 18:40, Corinna Vinschen wrote:
> On Feb 16 09:15, Brian Inglis wrote:
> > On 2019-02-16 08:33, Corinna Vinschen wrote:
> > > On Feb 16 08:09, Brian Inglis wrote:
> > >> On 2019-02-16 02:45, Corinna Vinschen wrote:
> > >>> On Feb 15 14:51, Bill Stewart wrote:
> > >>>> On Fri, Feb 15, 2019 at 2:38 PM Brian Inglis wrote:
> > >>>>> Windows normally allows "." to be used to refer to the local machine name in a
> > >>>>> domain context - can anyone confirm or deny whether this works in Cygwin or with
> > >>>>> getent?
> > >>>> AFAICT, the "." shortcut does not work in Cygwin.
> > >>> The combining operator for domain prepended usernames is '+'.  This
> > >>> is the same character as used by good old Interix for the same purpose.
> > >> That was not in question - the question was could .+$USER be used in lieu of
> > >> $COMPUTERNAME+$USER or $HOSTNAME+$USER and should $COMPUTERNAME rather than
> > >> $HOSTNAME be used in such contexts?
> > > Yeah, I misunderstood this, sorry.  The answer is no.  The username is
> > > fixed.  Otherwise you'd have two auto-generated passwd entries for the
> > > same user which may lead to confusion (not necessarily confusion on the
> > > user side...)
> > > If this is a desired feature, we could try this, but it might break
> > > existing setups again.
> > 
> > As with .\$USER in Windows or with ~ for $HOME, this should only be a
> > convenience to allow input or scripts to avoid providing $COMPUTERNAME/$HOSTNAME
> > in userid command line argument contexts.
> 
> I added this to Cygwin for testing so you can simply use ".+username" as
> a shortcut for "$COMPUTERNAME+username".
> 
> I uploaded snapshots to https://cygwin.com/snapshots for playing.

After some mulling, this is a bad idea.  It potentially allows
circumventing OpenSSH's user/group name matching again, unless the
Admin knows to add every local user twice, e.g.

  Match user MACHINE+user,.+user

or use patterns:

  Match user *+user

I'll revert the patch again.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer


signature.asc
Description: PGP signature
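
The matching problem described in the message above, as an added example that is not part of the original post and is not OpenSSH or Cygwin code. It is a simplified, case-sensitive model of sshd_config pattern lists (`*`, `?`, `!`, comma-separated); the `canonicalize` helper and the machine name `MACHINE` are assumptions made for the illustration.

```python
import re

MACHINE = "MACHINE"  # constructed local machine name


def pattern_to_regex(pattern):
    """Translate one sshd-style pattern: '*' = any run of chars, '?' = one char."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # '+' and '.' are literals here
    return re.compile("".join(parts) + r"\Z", re.DOTALL)


def match_user(pattern_list, user):
    """Evaluate a comma-separated pattern list the way 'Match user' would.

    A matching negated pattern ('!pat') rejects immediately; otherwise at
    least one positive pattern has to match.
    """
    matched = False
    for pat in pattern_list.split(","):
        pat = pat.strip()
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if pattern_to_regex(pat).match(user):
            if negate:
                return False
            matched = True
    return matched


def canonicalize(login, machine=MACHINE):
    """Hypothetical helper: fold the '.+name' alias into 'MACHINE+name'."""
    if login.startswith(".+"):
        return machine + "+" + login[2:]
    return login


def evaluate(pattern_list, logins):
    """Return {login: (raw_match, canonical_match)} for each login name."""
    return {
        login: (match_user(pattern_list, login),
                match_user(pattern_list, canonicalize(login)))
        for login in logins
    }


if __name__ == "__main__":
    logins = ["MACHINE+user", ".+user"]  # two spellings of one local account
    for rule in ("MACHINE+user", "MACHINE+user,.+user", "*+user"):
        print(f"Match user {rule}")
        for login, (raw, canon) in evaluate(rule, logins).items():
            print(f"  {login:14} raw={raw!s:5} canonicalized={canon}")
```

With two accepted spellings of one account, a `Match user MACHINE+user` block applies to only one of them unless the name is canonicalized before matching. The `*+user` workaround also matches a same-named account from any other domain.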


Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-16 Thread Corinna Vinschen
On Feb 16 09:15, Brian Inglis wrote:
> On 2019-02-16 08:33, Corinna Vinschen wrote:
> > On Feb 16 08:09, Brian Inglis wrote:
> >> On 2019-02-16 02:45, Corinna Vinschen wrote:
> >>> On Feb 15 14:51, Bill Stewart wrote:
> >>>> On Fri, Feb 15, 2019 at 2:38 PM Brian Inglis wrote:
> >>>>> Windows normally allows "." to be used to refer to the local machine name in a
> >>>>> domain context - can anyone confirm or deny whether this works in Cygwin or with
> >>>>> getent?
> >>>> AFAICT, the "." shortcut does not work in Cygwin.
> >>> The combining operator for domain prepended usernames is '+'.  This
> >>> is the same character as used by good old Interix for the same purpose.
> >> That was not in question - the question was could .+$USER be used in lieu of
> >> $COMPUTERNAME+$USER or $HOSTNAME+$USER and should $COMPUTERNAME rather than
> >> $HOSTNAME be used in such contexts?
> > Yeah, I misunderstood this, sorry.  The answer is no.  The username is
> > fixed.  Otherwise you'd have two auto-generated passwd entries for the
> > same user which may lead to confusion (not necessarily confusion on the
> > user side...)
> > If this is a desired feature, we could try this, but it might break
> > existing setups again.
> 
> As with .\$USER in Windows or with ~ for $HOME, this should only be a
> convenience to allow input or scripts to avoid providing $COMPUTERNAME/$HOSTNAME
> in userid command line argument contexts.

I added this to Cygwin for testing so you can simply use ".+username" as
a shortcut for "$COMPUTERNAME+username".

I uploaded snapshots to https://cygwin.com/snapshots for playing.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-16 Thread Brian Inglis
On 2019-02-16 08:33, Corinna Vinschen wrote:
> On Feb 16 08:09, Brian Inglis wrote:
>> On 2019-02-16 02:45, Corinna Vinschen wrote:
>>> On Feb 15 14:51, Bill Stewart wrote:
>>>> On Fri, Feb 15, 2019 at 2:38 PM Brian Inglis wrote:
>>>>> Windows normally allows "." to be used to refer to the local machine name in a
>>>>> domain context - can anyone confirm or deny whether this works in Cygwin or with
>>>>> getent?
>>>> AFAICT, the "." shortcut does not work in Cygwin.
>>> The combining operator for domain prepended usernames is '+'.  This
>>> is the same character as used by good old Interix for the same purpose.
>> That was not in question - the question was could .+$USER be used in lieu of
>> $COMPUTERNAME+$USER or $HOSTNAME+$USER and should $COMPUTERNAME rather than
>> $HOSTNAME be used in such contexts?
> Yeah, I misunderstood this, sorry.  The answer is no.  The username is
> fixed.  Otherwise you'd have two auto-generated passwd entries for the
> same user which may lead to confusion (not necessarily confusion on the
> user side...)
> If this is a desired feature, we could try this, but it might break
> existing setups again.

As with .\$USER in Windows or with ~ for $HOME, this should only be a
convenience to allow input or scripts to avoid providing $COMPUTERNAME/$HOSTNAME
in userid command line argument contexts.
Should whether $COMPUTERNAME/$HOSTNAME be output as . in userid contexts be left
to each app?

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-16 Thread Corinna Vinschen
On Feb 16 08:09, Brian Inglis wrote:
> On 2019-02-16 02:45, Corinna Vinschen wrote:
> > On Feb 15 14:51, Bill Stewart wrote:
> >> On Fri, Feb 15, 2019 at 2:38 PM Brian Inglis wrote:
> >>
> >>> Windows normally allows "." to be used to refer to the local machine name in a
> >>> domain context - can anyone confirm or deny whether this works in Cygwin or with
> >>> getent?
> >>
> >> AFAICT, the "." shortcut does not work in Cygwin.
> > 
> > The combining operator for domain prepended usernames is '+'.  This
> > is the same character as used by good old Interix for the same purpose.
> 
> That was not in question - the question was could .+$USER be used in lieu of
> $COMPUTERNAME+$USER or $HOSTNAME+$USER and should $COMPUTERNAME rather than
> $HOSTNAME be used in such contexts?

Yeah, I misunderstood this, sorry.  The answer is no.  The username is
fixed.  Otherwise you'd have two auto-generated passwd entries for the
same user which may lead to confusion (not necessarily confusion on the
user side...)

If this is a desired feature, we could try this, but it might break
existing setups again.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-16 Thread Brian Inglis
On 2019-02-16 02:45, Corinna Vinschen wrote:
> On Feb 15 14:51, Bill Stewart wrote:
>> On Fri, Feb 15, 2019 at 2:38 PM Brian Inglis wrote:
>>
>>> Windows normally allows "." to be used to refer to the local machine name in a
>>> domain context - can anyone confirm or deny whether this works in Cygwin or with
>>> getent?
>>
>> AFAICT, the "." shortcut does not work in Cygwin.
> 
> The combining operator for domain prepended usernames is '+'.  This
> is the same character as used by good old Interix for the same purpose.

That was not in question - the question was could .+$USER be used in lieu of
$COMPUTERNAME+$USER or $HOSTNAME+$USER and should $COMPUTERNAME rather than
$HOSTNAME be used in such contexts?

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-16 Thread Corinna Vinschen
On Feb 15 14:51, Bill Stewart wrote:
> On Fri, Feb 15, 2019 at 2:38 PM Brian Inglis wrote:
> 
> > Windows normally allows "." to be used to refer to the local machine name in a
> > domain context - can anyone confirm or deny whether this works in Cygwin or with
> > getent?
> 
> AFAICT, the "." shortcut does not work in Cygwin.

The combining operator for domain prepended usernames is '+'.  This
is the same character as used by good old Interix for the same purpose.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-15 Thread Andrey Repin
Greetings, Bill Stewart!

>> What is a "typical" order?!?
>>
>> If you login locally to a domain member machine the default domain is
>> the logon domain of this machine.  If that's not what you want you have
>> to choose the logon domain of your account explicitly, even if it's the
>> local machine SAM.  Windows will not try to find the user name locally
>> if you didn't choose it explicitly.  You get "The user name or password
>> is incorrect. Try again" instead.
>>
>> The only exception I'm aware of is the "Administrator" account, at least
>> in Windows 10.

> Here's a real-world scenario you might not have considered...

What is your nsswitch configuration, yet again?…

> I have a local account named "Admin" on my computer I use for
> administrative tasks.

> My computer is a member of a medium-sized domain (about 25000 users),
> and at some point in the past an admin created a group named "Admin"
> that I didn't even know existed.

> This means that when I test getent using the name "Admin", Cygwin
> finds the domain group:

> PS C:\> getent -w passwd admin
> admin::DOMAINNAME\admin:S-1-5-21-nn-n-n-nn

> I get that this is by design, but .NET finds the local account first,
> which is what I was expecting:

> PS C:\> $name = [Security.Principal.NTAccount] "admin"
> PS C:\> $sid = $name.Translate([Security.Principal.SecurityIdentifier])
> PS C:\> $sid.Translate([Security.Principal.NTAccount])

> Value
> -
> COMPUTERNAME\Admin

> Hence the question.

> Regards,

> Bill




-- 
With best regards,
Andrey Repin
Saturday, February 16, 2019 3:56:41

Sorry for my terrible english...

Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-15 Thread Bill Stewart
On Fri, Feb 15, 2019 at 2:32 PM Corinna Vinschen wrote:

> What is a "typical" order?!?
>
> If you login locally to a domain member machine the default domain is
> the logon domain of this machine.  If that's not what you want you have
> to choose the logon domain of your account explicitly, even if it's the
> local machine SAM.  Windows will not try to find the user name locally
> if you didn't choose it explicitly.  You get "The user name or password
> is incorrect. Try again" instead.
>
> The only exception I'm aware of is the "Administrator" account, at least
> in Windows 10.

Here's a real-world scenario you might not have considered...

I have a local account named "Admin" on my computer I use for
administrative tasks.

My computer is a member of a medium-sized domain (about 25000 users),
and at some point in the past an admin created a group named "Admin"
that I didn't even know existed.

This means that when I test getent using the name "Admin", Cygwin
finds the domain group:

PS C:\> getent -w passwd admin
admin::DOMAINNAME\admin:S-1-5-21-nn-n-n-nn

I get that this is by design, but .NET finds the local account first,
which is what I was expecting:

PS C:\> $name = [Security.Principal.NTAccount] "admin"
PS C:\> $sid = $name.Translate([Security.Principal.SecurityIdentifier])
PS C:\> $sid.Translate([Security.Principal.NTAccount])

Value
-
COMPUTERNAME\Admin

Hence the question.

Regards,

Bill




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-15 Thread Bill Stewart
On Fri, Feb 15, 2019 at 2:38 PM Brian Inglis wrote:

> Windows normally allows "." to be used to refer to the local machine name in a
> domain context - can anyone confirm or deny whether this works in Cygwin or with
> getent?

AFAICT, the "." shortcut does not work in Cygwin.

Regards,

Bill




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-15 Thread Bill Stewart
On Fri, Feb 15, 2019 at 2:32 PM Corinna Vinschen wrote:

> > The section that starts with "Let's discuss the SID<=>uid/gid mapping
> > first. Here's how it works." states this order:
>
> It doesn't state an order.  It describes the mapping from SID to
> uid/gid, and there's *no* order at all to it, just a description how
> certain SIDs are mapped to certain uid/gid values given numerical
> recipes.

Right, I assumed that it was an order. I see I was misunderstanding this.

> If you login locally to a domain member machine the default domain is
> the logon domain of this machine.  If that's not what you want you have
> to choose the logon domain of your account explicitly, even if it's the
> local machine SAM.  Windows will not try to find the user name locally
> if you didn't choose it explicitly.  You get "The user name or password
> is incorrect. Try again" instead.

If you are talking about logging on at a Windows machine, that's true.
But IIRC this isn't what the APIs do (at least the .NET ones): If you
specify a username without an authority, the APIs search the local
account database first.

Regards,

Bill




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-15 Thread Brian Inglis
On 2019-02-15 13:59, Bill Stewart wrote:
> On Fri, Feb 15, 2019 at 1:43 PM Corinna Vinschen wrote:
>> More specific than the original text?  I'm hard pressed to accomplish
>> that.  Take note of the "domain member machine" property.
> I think I see the problem. The list I posted (above the one you are
> apparently referring to) has the search in a different order.
> The section that starts with "Let's discuss the SID<=>uid/gid mapping
> first. Here's how it works." states this order:
> * Well-known SIDs in the NT_AUTHORITY domain of the S-1-5-RID type
> * Other well-known SIDs in the NT_AUTHORITY domain (S-1-5-X-RID)
> * Other well-known SIDs
> * Logon SIDs
> * Accounts from the local machine's user DB (SAM)
> * Accounts from the machine's primary domain
> * Accounts from a trusted domain of the machine's primary domain
> In this list, local machine accounts are listed before domain accounts.
> Underneath that, there's a second section with examples that starts
> with "Now we have a semi-bijective mapping..." that has this order:
> * Well-known and builtin accounts will be named as in Windows:
>   "SYSTEM", "LOCAL", "Medium Mandatory Level", ...
> * If the machine is not a domain member machine, only local accounts
> can be resolved into names, so for ease of use, just the account names
> are used as Cygwin user/group names:
>   "corinna", "bigfoot", "None", ...
> * If the machine is a domain member machine, all accounts from the
> primary domain of the machine are mapped to Cygwin names without
> domain prefix:
>   "corinna", "bigfoot", "Domain Users", ...
> while accounts from other domains are prepended by their domain:
>   "DOMAIN1+corinna", "DOMAIN2+bigfoot", "DOMAIN3+Domain Users", ...
> * Local machine accounts of a domain member machine get a Cygwin user
> name the same way as accounts from another domain: The local machine
> name gets prepended:
>   "MYMACHINE+corinna", "MYMACHINE+bigfoot", "MYMACHINE+None", ...
> * If LookupAccountSid fails, Cygwin checks the accounts against the
> known trusted domains. If the account is from one of the trusted
> domains, an artificial account name is created. It consists of the
> domain name, and a special name created from the account RID:
> In the second list, it says domains are first before the local machine.
> I was assuming the first section is an orderly sequence of searching,
> since that's usually how Windows works.
> The second section with the examples seems to be a different order,
> and would seem to be the order Cygwin actually uses.
> I was just wondering if that's by design or by accident, since it's
> different from the typical order.

What it says is that an unprefixed name in a domain defaults to the name as if
prefixed by the primary domain, so if you want the local SAM entry on a domain
machine ($USERDOMAIN != $COMPUTERNAME), you must prefix the name with the local
machine name followed by "+".

Should the local machine name provided be $COMPUTERNAME or $HOSTNAME?

Windows normally allows "." to be used to refer to the local machine name in a
domain context - can anyone confirm or deny whether this works in Cygwin or with
getent?

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-15 Thread Corinna Vinschen
On Feb 15 13:59, Bill Stewart wrote:
> On Fri, Feb 15, 2019 at 1:43 PM Corinna Vinschen wrote:
> I think I see the problem. The list I posted (above the one you are
> apparently referring to) has the search in a different order.

I'm not only "apparently referring" to that list, I pasted it verbatim
in my reply to you :)

> The section that starts with "Let's discuss the SID<=>uid/gid mapping
> first. Here's how it works." states this order:

It doesn't state an order.  It describes the mapping from SID to
uid/gid, and there's *no* order at all to it, just a description how
certain SIDs are mapped to certain uid/gid values given numerical
recipes.

> I was assuming the first section is an orderly sequence of searching,
> since that's usually how Windows works.

Windows usually maps SIDs to uid/gid values?

> The second section with the examples seems to be a different order,
> and would seem to be the order Cygwin actually uses.

Both sections have examples.

> I was just wondering if that's by design or by accident, since it's
> different from the typical order.

What is a "typical" order?!?

If you login locally to a domain member machine the default domain is
the logon domain of this machine.  If that's not what you want you have
to choose the logon domain of your account explicitly, even if it's the
local machine SAM.  Windows will not try to find the user name locally
if you didn't choose it explicitly.  You get "The user name or password
is incorrect. Try again" instead.

The only exception I'm aware of is the "Administrator" account, at least
in Windows 10.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-15 Thread Bill Stewart
On Fri, Feb 15, 2019 at 1:43 PM Corinna Vinschen wrote:

> More specific than the original text?  I'm hard pressed to accomplish
> that.  Take note of the "domain member machine" property.

I think I see the problem. The list I posted (above the one you are
apparently referring to) has the search in a different order.

The section that starts with "Let's discuss the SID<=>uid/gid mapping
first. Here's how it works." states this order:
_

* Well-known SIDs in the NT_AUTHORITY domain of the S-1-5-RID type

* Other well-known SIDs in the NT_AUTHORITY domain (S-1-5-X-RID)

* Other well-known SIDs

* Logon SIDs

* Accounts from the local machine's user DB (SAM)

* Accounts from the machine's primary domain

* Accounts from a trusted domain of the machine's primary domain
_

In this list, local machine accounts are listed before domain accounts.

Underneath that, there's a second section with examples that starts
with "Now we have a semi-bijective mapping..." that has this order:
_

* Well-known and builtin accounts will be named as in Windows:

  "SYSTEM", "LOCAL", "Medium Mandatory Level", ...

* If the machine is not a domain member machine, only local accounts
can be resolved into names, so for ease of use, just the account names
are used as Cygwin user/group names:

  "corinna", "bigfoot", "None", ...

* If the machine is a domain member machine, all accounts from the
primary domain of the machine are mapped to Cygwin names without
domain prefix:

  "corinna", "bigfoot", "Domain Users", ...

  while accounts from other domains are prepended by their domain:

  "DOMAIN1+corinna", "DOMAIN2+bigfoot", "DOMAIN3+Domain Users", ...

* Local machine accounts of a domain member machine get a Cygwin user
name the same way as accounts from another domain: The local machine
name gets prepended:

  "MYMACHINE+corinna", "MYMACHINE+bigfoot", "MYMACHINE+None", ...

* If LookupAccountSid fails, Cygwin checks the accounts against the
known trusted domains. If the account is from one of the trusted
domains, an artificial account name is created. It consists of the
domain name, and a special name created from the account RID:

_

In the second list, it says domains are first before the local machine.

I was assuming the first section is an orderly sequence of searching,
since that's usually how Windows works.

The second section with the examples seems to be a different order,
and would seem to be the order Cygwin actually uses.

I was just wondering if that's by design or by accident, since it's
different from the typical order.

Regards,

Bill




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-15 Thread Andrey Repin
Greetings, Bill Stewart!

> On Fri, Feb 15, 2019 at 9:38 AM Corinna Vinschen wrote:

>> There's a documented ruleset which is strictly followed
>> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-how:

> From that reference, we have the following order:

[...crap skipped...]

> What am I missing?

You're missing 
https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch
Third time now.


-- 
With best regards,
Andrey Repin
Friday, February 15, 2019 23:34:24

Sorry for my terrible english...





Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-15 Thread Corinna Vinschen
On Feb 15 13:36, Bill Stewart wrote:
> On Fri, Feb 15, 2019 at 1:29 PM Corinna Vinschen  wrote:
> 
> > you didn't really read it.  Try again.
> 
> Can you be more specific?

More specific than the original text?  I'm hard pressed to accomplish
that.  Take note of the "domain member machine" property.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-15 Thread Bill Stewart
On Fri, Feb 15, 2019 at 1:29 PM Corinna Vinschen  wrote:

> you didn't really read it.  Try again.

Can you be more specific?

Bill




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-15 Thread Corinna Vinschen
On Feb 15 12:14, Bill Stewart wrote:
> On Fri, Feb 15, 2019 at 9:38 AM Corinna Vinschen wrote:
> 
> > There's a documented ruleset which is strictly followed
> > https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-how:
> 
> From that reference, we have the following order:
> 
> * Well-known SIDs in the NT_AUTHORITY domain of the S-1-5-RID type
> 
> * Other well-known SIDs in the NT_AUTHORITY domain (S-1-5-X-RID)
> 
> * Other well-known SIDs
> 
> * Logon SIDs
> 
> * Accounts from the local machine's user DB (SAM)
> 
> * Accounts from the machine's primary domain
> 
> * Accounts from a trusted domain of the machine's primary domain
> 
> This listing suggests to me that ...

you didn't really read it.  Try again.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-15 Thread Bill Stewart
On Fri, Feb 15, 2019 at 9:38 AM Corinna Vinschen wrote:

> There's a documented ruleset which is strictly followed
> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-how:

From that reference, we have the following order:

* Well-known SIDs in the NT_AUTHORITY domain of the S-1-5-RID type

* Other well-known SIDs in the NT_AUTHORITY domain (S-1-5-X-RID)

* Other well-known SIDs

* Logon SIDs

* Accounts from the local machine's user DB (SAM)

* Accounts from the machine's primary domain

* Accounts from a trusted domain of the machine's primary domain

This listing suggests to me that local accounts would be returned
before domain accounts. This is sensible because you wouldn't want to
search the domain before searching the local machine first
(performance).

So the scenario I am talking about is there is testuser in local SAM,
and testuser in computer's domain.

'getent passwd testuser' returns the domain account. Based on the
above, I was expecting the local account to be returned first.

What am I missing?

Bill




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-15 Thread Corinna Vinschen
On Feb 15 08:34, Bill Stewart wrote:
> On Fri, Feb 15, 2019 at 2:32 AM Sam Edge (Cygwin) wrote:
> 
> > https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-how explains
> > in more detail.
> 
> I had already read that, and it seems to indicate that it asks the
> local machine first, but that doesn't seem to be happening when
> there's a duplication.
> 
> I have a domain-joined machine, and I have a user account named
> testuser that exists on the local computer and also in the domain.
> 
> 'getent passwd testuser' returns the domain account, not the local
> computer account.
> 
> Hence the question.

There's a documented ruleset which is strictly followed
https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-how:

  Well-known and builtin accounts will be named as in Windows:

    "SYSTEM", "LOCAL", "Medium Mandatory Level", ...

  If the machine is not a domain member machine, only local accounts can
  be resolved into names, so for ease of use, just the account names are
  used as Cygwin user/group names:

    "corinna", "bigfoot", "None", ...

  If the machine is a domain member machine, all accounts from the
  primary domain of the machine are mapped to Cygwin names without
  domain prefix:

    "corinna", "bigfoot", "Domain Users", ...

  while accounts from other domains are prepended by their domain:

    "DOMAIN1+corinna", "DOMAIN2+bigfoot", "DOMAIN3+Domain Users", ...

  Local machine accounts of a domain member machine get a Cygwin user
  name the same way as accounts from another domain: The local machine
  name gets prepended:

    "MYMACHINE+corinna", "MYMACHINE+bigfoot", "MYMACHINE+None", ...

  If LookupAccountSid fails, Cygwin checks the accounts against the
  known trusted domains. If the account is from one of the trusted
  domains, an artificial account name is created. It consists of the
  domain name, and a special name created from the account RID:

    "MY_DOM+User(1234)", "MY_DOM+Group(5678)"

  Otherwise we know nothing about this SID, so it will be mapped to the
  fake accounts Unknown+User/Unknown+Group with uid/gid -1


HTH,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
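
Added example, not part of the message above and not Cygwin's own code: a small Python model of the quoted naming rules, showing why a bare "testuser" on a domain member machine names the domain account while the local one becomes MYMACHINE+testuser. The Host/Account types, the helper names, the TRUSTED1 domain and all sample accounts are constructed for illustration, and the authority of an unresolvable SID is assumed to be known from the SID itself.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Host:
    primary_domain: Optional[str]      # None: machine is not a domain member
    trusted: frozenset = frozenset()   # known trusted domains (assumed input)

@dataclass(frozen=True)
class Account:
    authority: Optional[str]  # domain or machine name; None for well-known/builtin
    name: Optional[str]       # None models a failed LookupAccountSid
    rid: int = 0
    is_group: bool = False

def cygwin_name(host: Host, acct: Account) -> str:
    """Apply the documented ruleset, in the order the message lists it."""
    kind = "Group" if acct.is_group else "User"
    if acct.name is None:                      # SID could not be resolved
        if acct.authority in host.trusted:
            return f"{acct.authority}+{kind}({acct.rid})"
        return f"Unknown+{kind}"
    if acct.authority is None:                 # well-known or builtin account
        return acct.name
    if host.primary_domain is None:            # standalone: only local accounts
        return acct.name
    if acct.authority.casefold() == host.primary_domain.casefold():
        return acct.name                       # primary domain: no prefix
    return f"{acct.authority}+{acct.name}"     # other domain or local SAM

def owners_of(host: Host, accounts, cyg_name: str):
    """Which of the given accounts a Cygwin name refers to on this host."""
    return [a for a in accounts if cygwin_name(host, a) == cyg_name]

# Constructed sample data mirroring the thread's duplicate-name scenario.
MEMBER = Host("MY_DOM", frozenset({"TRUSTED1"}))
STANDALONE = Host(None)
LOCAL_USER = Account("MYMACHINE", "testuser", 1001)
DOMAIN_USER = Account("MY_DOM", "testuser", 1234)

if __name__ == "__main__":
    for acct in (LOCAL_USER, DOMAIN_USER):
        print(acct.authority, "->", cygwin_name(MEMBER, acct))
```

Any script or ACL tooling that passes a bare name on a domain member machine is therefore addressing the domain account; the local account has to be spelled with its machine prefix.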




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-15 Thread Andrey Repin
Greetings, Bill Stewart!

> On Fri, Feb 15, 2019 at 2:32 AM Sam Edge (Cygwin) wrote:

>> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-how explains
>> in more detail.

> I had already read that, and it seems to indicate that it asks the
> local machine first, but that doesn't seem to be happening when
> there's a duplication.

Then read it again, it tells you how to change the behavior.

> I have a domain-joined machine, and I have a user account named
> testuser that exists on the local computer and also in the domain.

> 'getent passwd testuser' returns the domain account, not the local
> computer account.

> Hence the question.


-- 
With best regards,
Andrey Repin
Friday, February 15, 2019 18:53:22

Sorry for my terrible english...





Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-15 Thread Brian Inglis
On 2019-02-15 08:34, Bill Stewart wrote:
> On Fri, Feb 15, 2019 at 2:32 AM Sam Edge wrote:
>> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-how explains
>> in more detail.
> I had already read that, and it seems to indicate that it asks the
> local machine first, but that doesn't seem to be happening when
> there's a duplication.
> I have a domain-joined machine, and I have a user account named
> testuser that exists on the local computer and also in the domain.
> 'getent passwd testuser' returns the domain account, not the local
> computer account.

Repost with a bug subject e.g. Domain User Picked Instead of SAM User and
cygcheck -rsv > cygcheck.out as a text attachment.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-15 Thread Bill Stewart
On Fri, Feb 15, 2019 at 2:32 AM Sam Edge (Cygwin) wrote:

> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-how explains
> in more detail.

I had already read that, and it seems to indicate that it asks the
local machine first, but that doesn't seem to be happening when
there's a duplication.

I have a domain-joined machine, and I have a user account named
testuser that exists on the local computer and also in the domain.

'getent passwd testuser' returns the domain account, not the local
computer account.

Hence the question.

Regards,

Bill




Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-15 Thread Sam Edge (Cygwin)
On 14/02/2019 23:47, Bill Stewart wrote:
> Consider the case where you have a local account and a domain account
> with the same username.
>
> If you supply just the username to Windows without an authority name,
> Windows returns the local account. To get the domain account, you'd
> have to specify an authority (e.g. domain\username).
>
> It seems like Cygwin looks up the domain account first.
>
> Is this correct, or am I missing something? Is this by design?
>
> Thanks,
>
> Bill
https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-how explains
in more detail.

-- 
Sam Edge





Windows to Cygwin username mapping: Domain before local account when duplicate name?

2019-02-14 Thread Bill Stewart
Consider the case where you have a local account and a domain account
with the same username.

If you supply just the username to Windows without an authority name,
Windows returns the local account. To get the domain account, you'd
have to specify an authority (e.g. domain\username).

It seems like Cygwin looks up the domain account first.

Is this correct, or am I missing something? Is this by design?

Thanks,

Bill
