* Mild amazement (questions) about the output of mkpasswd (1.7.33).  Corinna?
From: Houder @ 2014-10-28 12:50 UTC
  To: cygwin

Hi Corinna,

As advised by you, I replaced the "cygwin package" with the test version (1.7.33) on my "Cygwin-32" ...

Let us assume, I am NOT interested in "Windows domains" etc. and that I would like to keep my "own" mapping
between SIDs and uids/gids ...  it appears to me, that both mkpasswd and mkgroup are no longer of any help to
me, as both appear to apply "some fixed (automatic) mapping" between SIDs and uids/gids ... Right?

Initially I left the passwd, group and nsswitch.conf untouched ... (as noted, I am NOT connected to a domain,
and I have never been troubled by the slowness as result of the passwd/group files - small files).

As the output of mkpasswd (and perhaps the "whole" changeover in 1.7.33) left me with a question (questions?),
I subsequently removed the aforementioned files ...

Questions:

 - why does 'mkpasswd -l Seven -u Henri' report differently from 'mkpasswd -l -u Henri'?
    - uid: 4244636648 vs 197608 ...
 - why does MACHINE show up as a prefix to LOCAL USER in 'mkpasswd -L Seven -u Henri', but NOT
   in 'mkpasswd -L -u Henri'?
    - name: Seven+Henri vs Henri ...
    - manual says: -L, generate username WITH machine prefix ...

Just trying to make sense of it all ...

Henri

@@ uname -a
CYGWIN_NT-6.1-WOW64 Seven 1.7.33(0.279/5/3) 2014-10-27 22:21 i686 Cygwin
@@ id
uid=197608(Henri) gid=197121(None)
groups=197121(None),197615(HelpLibraryUpdaters),545(Users),4(INTERACTIVE),66049(CONSOLE LOGON),11(Authenticated
Users),15(This Organization),113(Local account),4095(CurrentSession),66048(LOCAL),262154(NTLM
Authentication),401408(Medium Mandatory Level)
  # more "info" than I would like to see (yes, I know you think differently ...)

@@ # Seven is a "stand-alone" machine ...
@@ # passwd, group, nsswitch.conf have been removed ... for now

@@ mkpasswd -l -u Henri
Henri:*:197608:197121:U-Seven\Henri,S-1-5-21-91509220-1575020443-2714799223-1000:/home/Henri:/bin/bash
  # 197608 - 1000 = 196608 (= 0x30000 ... Oh, the result of the 'fixed' mapping of S-1-5-21-X-Y-Z-RID)

@@ mkpasswd -L -u Henri  # A
Henri:*:197608:197121:U-Seven\Henri,S-1-5-21-91509220-1575020443-2714799223-1000:/home/Henri:/bin/bash
  # where is the machine prefix (= Seven) before the local user name (= Henri)?

@@ mkpasswd -l Seven -u Henri
Henri:unused:4244636648:4244636161:U-Seven\Henri,S-1-5-21-91509220-1575020443-2714799223-1000:/home/Henri:/bin/bash
  # 4244636648 - 1000 = 4244635648 (= 0xfd000000 ... huh? I did NOT encounter that number in the documentation)

@@ mkpasswd -L Seven -u Henri
Seven+Henri:unused:4244636648:4244636161:U-Seven\Henri,S-1-5-21-91509220-1575020443-2714799223-1000:/home/Henri:/bin/bash
  # ... NOW the local user name is shown with the "machine prefix" (= Seven) ... why not in case of A?)

@@ mkpasswd -l foo -u Henri
mkpasswd (273): [1722] The RPC server is unavailable
  # test only: apparently, Seven is recognized as a "machine name"

=====


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: Mild amazement (questions) about the output of mkpasswd (1.7.33).  Corinna?
From: Corinna Vinschen @ 2014-10-28 14:42 UTC
  To: cygwin


On Oct 28 13:50, Houder wrote:
> Hi Corinna,
> 
> As advised by you, I replaced the "cygwin package" with the test
> version (1.7.33) on my "Cygwin-32" ...
> 
> Let us assume, I am NOT interested in "Windows domains" etc. and that
> I would like to keep my "own" mapping between SIDs and uids/gids ...
> it appears to me, that both mkpasswd and mkgroup are no longer of any
> help to me, as both appear to apply "some fixed (automatic) mapping"
> between SIDs and uids/gids ... Right?

Not quite.  Did you read the preliminary documentation?  You don't have
to use mkpasswd or mkgroup at all, and you don't need the /etc/passwd
and /etc/group files.  The new feature is NOT only for AD machines,
it works for local machines as well, and even if your files were small,
you might still see a performance gain.

Please give https://cygwin.com/preliminary-ug/ntsec.html a try.  I really
hope it's worth to read it because it explains the feature thoroughly.

Other than that, yes, you can still create your own mappings by
utilizing the passwd and group files.

> Initially I left the passwd, group and nsswitch.conf untouched ... (as
> noted, I am NOT connected to a domain, and I have never been troubled
> by the slowness as result of the passwd/group files - small files).
> 
> As the output of mkpasswd (and perhaps the "whole" changeover in
> 1.7.33) left me with a question (questions?), I subsequently removed
> the aforementioned files ...
> 
> Questions:
> 
>  - why does 'mkpasswd -l Seven -u Henri' report differently from
>  'mkpasswd -l -u Henri'?
>     - uid: 4244636648 vs 197608 ...

The underlying algorithm treats the machine name given as parameter
to -l or -L as a foreign machine in the network and tries to contact
it.  As a foreign machine, the created uid and gid values are different
from the ones for the local machine.  Don't use -l Seven, just use -l
for the local machine.

>  - why does MACHINE show up as a prefix to LOCAL USER in 'mkpasswd -L
>  Seven -u Henri', but NOT
>    in 'mkpasswd -L -u Henri'?

The -L option is only meant to be used for foreign machines.  The
prefixing of the local machine is bound to the underlying mechanism used
in Cygwin per the docs.  On second thought, a -L without machine name
should have been refused by mkpasswd.

>     - name: Seven+Henri vs Henri ...
>     - manual says: -L, generate username WITH machine prefix ...
> 
> Just trying to make sense of it all ...

Yeah, I freely admit that the usage of mkpasswd/mkgroup isn't quite as
evident anymore.  The idea is that the underlying "db" mechanism fixes
the rules.  I'm really not sure yet if and how mkpasswd/mkgroup needs
more change, that's what this testing phase is supposed to show.  Keep
in mind that the new account handling is just as new for me as it is for
you :)


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
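
Added example, not part of any message in this thread and not Cygwin code: a small sh audit that recomputes uid minus RID for mkpasswd-style lines and labels each entry by which of the two offsets seen in this thread (0x30000 for the local machine, 0xfd000000 when the machine name is passed to -l/-L) was applied. The function names and the "custom" label for any other offset are assumptions of the example; the sample lines are copied from the output quoted above.

```sh
#!/bin/sh
# Added example (not Cygwin code). Offsets are the two observed in this thread.
LOCAL_OFFSET=$((0x30000))       # 196608: plain 'mkpasswd -l'
FOREIGN_OFFSET=$((0xfd000000))  # 4244635648: 'mkpasswd -l Seven' / '-L Seven'

# Constructed sample: three passwd lines copied from the output quoted above.
sample_lines() {
cat <<'EOF'
Henri:*:197608:197121:U-Seven\Henri,S-1-5-21-91509220-1575020443-2714799223-1000:/home/Henri:/bin/bash
Henri:unused:4244636648:4244636161:U-Seven\Henri,S-1-5-21-91509220-1575020443-2714799223-1000:/home/Henri:/bin/bash
Seven+Henri:unused:4244636648:4244636161:U-Seven\Henri,S-1-5-21-91509220-1575020443-2714799223-1000:/home/Henri:/bin/bash
EOF
}

# classify_entry LINE: prints "name uid rid verdict" for one passwd line.
classify_entry() {
  name=${1%%:*}
  uid=$(printf '%s\n' "$1" | cut -d: -f3)
  sid=$(printf '%s\n' "$1" | cut -d: -f5)
  sid=${sid##*,}                 # gecos field is "U-machine\user,SID"
  rid=${sid##*-}                 # last sub-authority of the SID
  case $sid in S-1-5-21-*-*-*-*) ;; *) rid= ;; esac   # machine/domain SIDs only
  case $uid in ''|*[!0-9]*) rid= ;; esac
  case $rid in
    ''|*[!0-9]*) printf '%s %s - unparsed\n' "$name" "$uid"; return 0 ;;
  esac
  offset=$((uid - rid))
  if [ "$offset" = "$LOCAL_OFFSET" ]; then verdict=local
  elif [ "$offset" = "$FOREIGN_OFFSET" ]; then verdict=foreign
  else verdict=custom            # e.g. a hand-maintained RID -> uid mapping
  fi
  printf '%s %s %s %s\n' "$name" "$uid" "$rid" "$verdict"
}

# count_nonlocal: reads passwd lines on stdin, prints how many are not "local",
# i.e. whose uid would differ from what 'id' reports on the machine itself.
count_nonlocal() {
  n=0
  while IFS= read -r line; do
    case $(classify_entry "$line") in *' local') ;; *) n=$((n + 1)) ;; esac
  done
  printf '%s\n' "$n"
}

sample_lines | while IFS= read -r l; do classify_entry "$l"; done
```

Run against a saved /etc/passwd, any "foreign" entry for a local account marks a line generated with the machine name given to -l or -L, whose uid will not match the one `id` shows.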


* Re: Mild amazement (questions) about the output of mkpasswd  (1.7.33).  Corinna?
From: Houder @ 2014-10-28 15:16 UTC
  To: cygwin

> On Oct 28 13:50, Houder wrote:
>> Hi Corinna,
>>
>> As advised by you, I replaced the "cygwin package" with the test
>> version (1.7.33) on my "Cygwin-32" ...
>>
>> Let us assume, I am NOT interested in "Windows domains" etc. and that
>> I would like to keep my "own" mapping between SIDs and uids/gids ...
>> it appears to me, that both mkpasswd and mkgroup are no longer of any
>> help to me, as both appear to apply "some fixed (automatic) mapping"
>> between SIDs and uids/gids ... Right?
>
> Not quite.  Did you read the preliminary documentation?  You don't have
> to use mkpasswd or mkgroup at all, and you don't need the /etc/passwd
> and /etc/group files.  The new feature is NOT only for AD machines,
> it works for local machines as well, and even if your files were small,
> you might still see a performance gain.
>
> Please give https://cygwin.com/preliminary-ug/ntsec.html a try.  I really
> hope it's worth to read it because it explains the feature thoroughly.

:-)) Do you _really_ believe I did not study your text? Yes, I did ... and
not for the first time.

Keep in mind, please: Windows is not exactly 'my cup of tea' :-)

> Other than that, yes, you can still create your own mappings by
> utilizing the passwd and group files.

Wonderful ... I have grown accustomed to my old mapping (RID -> uid/gid).

>> Initially I left the passwd, group and nsswitch.conf untouched ... (as
>> noted, I am NOT connected to a domain, and I have never been troubled
>> by the slowness as result of the passwd/group files - small files).
>>
>> As the output of mkpasswd (and perhaps the "whole" changeover in
>> 1.7.33) left me with a question (questions?), I subsequently removed
>> the aforementioned files ...
>>
>> Questions:
>>
>>  - why does 'mkpasswd -l Seven -u Henri' report differently from
>>  'mkpasswd -l -u Henri'?
>>     - uid: 4244636648 vs 197608 ...
>
> The underlying algorithm treats the machine name given as parameter
> to -l or -L as a foreign machine in the network and tries to contact
> it.  As a foreign machine, the created uid and gid values are different
> from the ones for the local machine.  Don't use -l Seven, just use -l
> for the local machine.

Oh, dear, it does not recognize its own name ... Poor soul. Yes, I had
already gathered that much ...

>>  - why does MACHINE show up as a prefix to LOCAL USER in 'mkpasswd -L
>>  Seven -u Henri', but NOT
>>    in 'mkpasswd -L -u Henri'?
>
> The -L option is only meant to be used for foreign machines.  The
> prefixing of the local machine is bound to the underlying mechanism used
> in Cygwin per the docs.  On second thought, a -L without machine name
> should have been refused by mkpasswd.
>
>>     - name: Seven+Henri vs Henri ...
>>     - manual says: -L, generate username WITH machine prefix ...

Understood, use mkpasswd and mkgroup with some "imagination" (until all
option processing has been thoroughly tested and repaired).

>> Just trying to make sense of it all ...
>
> Yeah, I freely admit that the usage of mkpasswd/mkgroup isn't quite as
> evident anymore.  The idea is that the underlying "db" mechanism fixes
> the rules.  I'm really not sure yet if and how mkpasswd/mkgroup needs
> more change, that's what this testing phase is supposed to show.  Keep
> in mind that the new account handling is just as new for me as it is for
> you :)

... uhm, not quite, I believe ... you are bathing in the dazzling light of
understanding ... I am just groping for a ray of that light ;-)

Once more, thank you for clarifying!

Henri
