Re: Problems with mkpasswd and mkgroup

[Corinna Vinschen <corinna-cygwin@cygwin.com>]

On Oct 17 10:24, KÃ¥re Edvardsen wrote:
> On fr., 2011-10-14 at 10:29 +0200, Corinna Vinschen wrote:
> > On Oct 14 07:39, Edvardsen KÃ¥re wrote:
> > > 
> > > > What is the contents of the "/etc/password" and "/etc/group" files
> > > > after you run the "mkpasswd/mkgroup" commands (as administrator)?
> > > 
> > > > What user can log in, but isn't in the password file?
> > > 
> > > > Is that user local or a domain user?
> > > 
> > > The Windows account name with FULL admin privileges is "servicekonto" and cygwin was installed from this account which is locally on this client and NOT a domain user.
> > > "kae026" is the user who can log in, but isn't in the password file. 
> > > "kae026" is a domain user.
> > > 
> > > As admnistrator:
> > > 
> > > $ mkpasswd -l -d > /etc/passwd
> > > mkpasswd (427): [5] Access is denied.
> > > [...]
> > > $ mkgroup -l -d > /etc/group
> > > mkgroup (369): [5] Access is denied.
> > 
> > That's kind of clue, isn't it?  You local administrator account
> > doesn't have the permissions to enumerate the accounts in AD.
> > Add the machine to the domain if you haven't done so already,
> > log in with a domain account and call `mkpasswd -d >> /etc/passwd'
> > and `mkgroup -d >> /etc/group'.  Note that, depending on the
> > security settings of your AD, not all domain users might have
> > the permissions to enumerate domain accounts.  If you login
> > with a domain admin account, you should have no problem, though.
> > 
> > 
> > Corinna
> > 
> 
> What does it mean to enumerate an account in AD? (or what happens?)

Calling the NetUserEnum/NetGroupEnum functions with the AD DC as the
first parameter.  See
http://msdn.microsoft.com/en-us/library/aa370652%28VS.85%29.aspx
http://msdn.microsoft.com/en-us/library/aa370428%28VS.85%29.aspx
In both cases, see the "Remarks" section.

> I guess it's a bad circle if my local admin account doesn't have the
> permissions to enumerate the accounts in AD , and my domain account
> doesn't have the permissions to install cygwin on the machine...if I
> understand this right?

That's why I said "login with a domain admin account", that avoids
the problems.  Also, there's no reason to believe that your normal
domain account has no permissions to enumerate AD accounts.  The
default settings on Windows are so that all authenticated domain
users have the right to enumerate AD accounts.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple