Problems with mkpasswd and mkgroup

Problems with mkpasswd and mkgroup

[Kåre Edvardsen]

I've installed cygwin "system wide" on a client (W7 32b) from an account
with full Administrators privileges. However, opening a Bash shell (or
xterm) as another user prompts:

     Your group is currently "mkpasswd".  This indicates that your
     gid is not in /etc/group and your uid is not in /etc/passwd
 
     The /etc/passwd (and possibly /etc/group) files should be rebuilt.
     See the man pages for mkpasswd and mkgroup then, for example, run
 
     mkpasswd -l [-d] > /etc/passwd
     mkgroup  -l [-d] > /etc/group
 
     Note that the -d switch is necessary for domain users.

Before asking too many questions I should inform you that the settings
etc. for the various users on the W7 client resides on a separat server.
I've tried various suggestions found in the lists, but with no success.
Obviously, there is a solution to my problem, but I'm struggling to find
the right one.

Do you need more info on my problem? If so, what info is most relevant?

Regards,
KÃ¥re



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Problems with mkpasswd and mkgroup

[Andrey Repin]

Greetings, KГҐre Edvardsen!

> I've installed cygwin "system wide" on a client (W7 32b) from an account
> with full Administrators privileges. However, opening a Bash shell (or
> xterm) as another user prompts:

>      Your group is currently "mkpasswd".  This indicates that your
>      gid is not in /etc/group and your uid is not in /etc/passwd
 
>      The /etc/passwd (and possibly /etc/group) files should be rebuilt.
>      See the man pages for mkpasswd and mkgroup then, for example, run
 
>      mkpasswd -l [-d] > /etc/passwd
>      mkgroup  -l [-d] > /etc/group
 
>      Note that the -d switch is necessary for domain users.

> Before asking too many questions I should inform you that the settings
> etc. for the various users on the W7 client resides on a separat server.
> I've tried various suggestions found in the lists, but with no success.
> Obviously, there is a solution to my problem, but I'm struggling to find
> the right one.

It's in front of your eyes.
Don't you see it?

>      mkpasswd -l [-d] > /etc/passwd
>      mkgroup  -l [-d] > /etc/group


--
WBR,
Andrey Repin (anrdaemon@freemail.ru) 13.10.2011, <17:55>

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

RE: Problems with mkpasswd and mkgroup

[Edvardsen Kåre]

Greetings, Kеre Edvardsen!

> I've installed cygwin "system wide" on a client (W7 32b) from an account
> with full Administrators privileges. However, opening a Bash shell (or
> xterm) as another user prompts:

>      Your group is currently "mkpasswd".  This indicates that your
>      gid is not in /etc/group and your uid is not in /etc/passwd

>      The /etc/passwd (and possibly /etc/group) files should be rebuilt.
>      See the man pages for mkpasswd and mkgroup then, for example, run

>      mkpasswd -l [-d] > /etc/passwd
>      mkgroup  -l [-d] > /etc/group

>      Note that the -d switch is necessary for domain users.

> Before asking too many questions I should inform you that the settings
> etc. for the various users on the W7 client resides on a separat server.
> I've tried various suggestions found in the lists, but with no success.
> Obviously, there is a solution to my problem, but I'm struggling to find
> the right one.

It's in front of your eyes.
Don't you see it?

>      mkpasswd -l [-d] > /etc/passwd
>      mkgroup  -l [-d] > /etc/group

I wish it was that simple...

As I said, I've tried various solutions (you'll find several posts around the topic in the list) but non of them seem to solve my problen. meaning:

mkpasswd -l -d > /etc/passwd

and 

mkgroup  -l -d > /etc/group

(or using any other flags) does not make any difference...

Cheers,
Kare

Re: Problems with mkpasswd and mkgroup

[Jon Clugston]

2011/10/13 Edvardsen Kåre <kare.edvardsen@uit.no>:
> Greetings, Kеre Edvardsen!
>
>> I've installed cygwin "system wide" on a client (W7 32b) from an account
>> with full Administrators privileges. However, opening a Bash shell (or
>> xterm) as another user prompts:
>
>>      Your group is currently "mkpasswd".  This indicates that your
>>      gid is not in /etc/group and your uid is not in /etc/passwd
>
>>      The /etc/passwd (and possibly /etc/group) files should be rebuilt.
>>      See the man pages for mkpasswd and mkgroup then, for example, run
>
>>      mkpasswd -l [-d] > /etc/passwd
>>      mkgroup  -l [-d] > /etc/group
>
>>      Note that the -d switch is necessary for domain users.
>
>> Before asking too many questions I should inform you that the settings
>> etc. for the various users on the W7 client resides on a separat server.
>> I've tried various suggestions found in the lists, but with no success.
>> Obviously, there is a solution to my problem, but I'm struggling to find
>> the right one.
>
> It's in front of your eyes.
> Don't you see it?
>
>>      mkpasswd -l [-d] > /etc/passwd
>>      mkgroup  -l [-d] > /etc/group
>
> I wish it was that simple...
>
> As I said, I've tried various solutions (you'll find several posts around the topic in the list) but non of them seem to solve my problen. meaning:
>
> mkpasswd -l -d > /etc/passwd
>
> and
>
> mkgroup  -l -d > /etc/group
>
> (or using any other flags) does not make any difference...
>
> Cheers,
> Kare
>

What is the contents of the "/etc/password" and "/etc/group" files
after you run the "mkpasswd/mkgroup" commands (as administrator)?

What user can log in, but isn't in the password file?

Is that user local or a domain user?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Problems with mkpasswd and mkgroup

[Andrey Repin]

Greetings, Jon Clugston!

> Is that user local or a domain user?
-d switch means dumping domain users.

But I think the OP missed the part, where it should be run from superadmin
user.


--
WBR,
Andrey Repin (anrdaemon@freemail.ru) 14.10.2011, <04:21>

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

RE: Problems with mkpasswd and mkgroup

[Edvardsen Kåre]

> What is the contents of the "/etc/password" and "/etc/group" files
> after you run the "mkpasswd/mkgroup" commands (as administrator)?

> What user can log in, but isn't in the password file?

> Is that user local or a domain user?

The Windows account name with FULL admin privileges is "servicekonto" and cygwin was installed from this account which is locally on this client and NOT a domain user.
"kae026" is the user who can log in, but isn't in the password file. 
"kae026" is a domain user.

As admnistrator:

$ mkpasswd -l -d > /etc/passwd
mkpasswd (427): [5] Access is denied.

$ less /etc/passwd

SYSTEM:*:18:544:,S-1-5-18::
LocalService:*:19:544:U-NT AUTHORITY\LocalService,S-1-5-19::
NetworkService:*:20:544:U-NT AUTHORITY\NetworkService,S-1-5-20::
Administrators:*:544:544:,S-1-5-32-544::
Administrator:unused:500:513:U-STRV8-NTF-00063\Administrator,S-1-5-21-388005049-2988697505-1062046759-500:/home/Administrator:/bin/bash
cba_anonymous:unused:1001:513:cba_anonymous,U-STRV8-NTF-00063\cba_anonymous,S-1-5-21-388005049-2988697505-1062046759-1001:/home/cba_anonymous:/bin/bash
Guest:unused:501:513:U-STRV8-NTF-00063\Guest,S-1-5-21-388005049-2988697505-1062046759-501:/home/Guest:/bin/bash
servicekonto:unused:1002:513:U-STRV8-NTF-00063\servicekonto,S-1-5-21-388005049-2988697505-1062046759-1002:/home/servicekonto:/bin/bash
/etc/passwd (END)

$ mkgroup -l -d > /etc/group
mkgroup (369): [5] Access is denied.

$ less /etc/group

SYSTEM:S-1-5-18:18:
Administrators:S-1-5-32-544:544:
Backup Operators:S-1-5-32-551:551:
Cryptographic Operators:S-1-5-32-569:569:
Distributed COM Users:S-1-5-32-562:562:
Event Log Readers:S-1-5-32-573:573:
Guests:S-1-5-32-546:546:
IIS_IUSRS:S-1-5-32-568:568:
Network Configuration Operators:S-1-5-32-556:556:
Performance Log Users:S-1-5-32-559:559:
Performance Monitor Users:S-1-5-32-558:558:
Power Users:S-1-5-32-547:547:
Remote Desktop Users:S-1-5-32-555:555:
Replicator:S-1-5-32-552:552:
Users:S-1-5-32-545:545:
None:S-1-5-21-388005049-2988697505-1062046759-513:513:
/etc/group (END)

Regards,
Kare


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Problems with mkpasswd and mkgroup

[Corinna Vinschen]

On Oct 14 07:39, Edvardsen KÃ¥re wrote:
> 
> > What is the contents of the "/etc/password" and "/etc/group" files
> > after you run the "mkpasswd/mkgroup" commands (as administrator)?
> 
> > What user can log in, but isn't in the password file?
> 
> > Is that user local or a domain user?
> 
> The Windows account name with FULL admin privileges is "servicekonto" and cygwin was installed from this account which is locally on this client and NOT a domain user.
> "kae026" is the user who can log in, but isn't in the password file. 
> "kae026" is a domain user.
> 
> As admnistrator:
> 
> $ mkpasswd -l -d > /etc/passwd
> mkpasswd (427): [5] Access is denied.
> [...]
> $ mkgroup -l -d > /etc/group
> mkgroup (369): [5] Access is denied.

That's kind of clue, isn't it?  You local administrator account
doesn't have the permissions to enumerate the accounts in AD.
Add the machine to the domain if you haven't done so already,
log in with a domain account and call `mkpasswd -d >> /etc/passwd'
and `mkgroup -d >> /etc/group'.  Note that, depending on the
security settings of your AD, not all domain users might have
the permissions to enumerate domain accounts.  If you login
with a domain admin account, you should have no problem, though.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Problems with mkpasswd and mkgroup

[Kåre Edvardsen]

On fr., 2011-10-14 at 10:29 +0200, Corinna Vinschen wrote:
> On Oct 14 07:39, Edvardsen KÃ¥re wrote:
> > 
> > > What is the contents of the "/etc/password" and "/etc/group" files
> > > after you run the "mkpasswd/mkgroup" commands (as administrator)?
> > 
> > > What user can log in, but isn't in the password file?
> > 
> > > Is that user local or a domain user?
> > 
> > The Windows account name with FULL admin privileges is "servicekonto" and cygwin was installed from this account which is locally on this client and NOT a domain user.
> > "kae026" is the user who can log in, but isn't in the password file. 
> > "kae026" is a domain user.
> > 
> > As admnistrator:
> > 
> > $ mkpasswd -l -d > /etc/passwd
> > mkpasswd (427): [5] Access is denied.
> > [...]
> > $ mkgroup -l -d > /etc/group
> > mkgroup (369): [5] Access is denied.
> 
> That's kind of clue, isn't it?  You local administrator account
> doesn't have the permissions to enumerate the accounts in AD.
> Add the machine to the domain if you haven't done so already,
> log in with a domain account and call `mkpasswd -d >> /etc/passwd'
> and `mkgroup -d >> /etc/group'.  Note that, depending on the
> security settings of your AD, not all domain users might have
> the permissions to enumerate domain accounts.  If you login
> with a domain admin account, you should have no problem, though.
> 
> 
> Corinna
> 

What does it mean to enumerate an account in AD? (or what happens?)

I guess it's a bad circle if my local admin account doesn't have the
permissions to enumerate the accounts in AD , and my domain account
doesn't have the permissions to install cygwin on the machine...if I
understand this right?

KÃ¥re


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Problems with mkpasswd and mkgroup

[Corinna Vinschen]

On Oct 17 10:24, KÃ¥re Edvardsen wrote:
> On fr., 2011-10-14 at 10:29 +0200, Corinna Vinschen wrote:
> > On Oct 14 07:39, Edvardsen KÃ¥re wrote:
> > > 
> > > > What is the contents of the "/etc/password" and "/etc/group" files
> > > > after you run the "mkpasswd/mkgroup" commands (as administrator)?
> > > 
> > > > What user can log in, but isn't in the password file?
> > > 
> > > > Is that user local or a domain user?
> > > 
> > > The Windows account name with FULL admin privileges is "servicekonto" and cygwin was installed from this account which is locally on this client and NOT a domain user.
> > > "kae026" is the user who can log in, but isn't in the password file. 
> > > "kae026" is a domain user.
> > > 
> > > As admnistrator:
> > > 
> > > $ mkpasswd -l -d > /etc/passwd
> > > mkpasswd (427): [5] Access is denied.
> > > [...]
> > > $ mkgroup -l -d > /etc/group
> > > mkgroup (369): [5] Access is denied.
> > 
> > That's kind of clue, isn't it?  You local administrator account
> > doesn't have the permissions to enumerate the accounts in AD.
> > Add the machine to the domain if you haven't done so already,
> > log in with a domain account and call `mkpasswd -d >> /etc/passwd'
> > and `mkgroup -d >> /etc/group'.  Note that, depending on the
> > security settings of your AD, not all domain users might have
> > the permissions to enumerate domain accounts.  If you login
> > with a domain admin account, you should have no problem, though.
> > 
> > 
> > Corinna
> > 
> 
> What does it mean to enumerate an account in AD? (or what happens?)

Calling the NetUserEnum/NetGroupEnum functions with the AD DC as the
first parameter.  See
http://msdn.microsoft.com/en-us/library/aa370652%28VS.85%29.aspx
http://msdn.microsoft.com/en-us/library/aa370428%28VS.85%29.aspx
In both cases, see the "Remarks" section.

> I guess it's a bad circle if my local admin account doesn't have the
> permissions to enumerate the accounts in AD , and my domain account
> doesn't have the permissions to install cygwin on the machine...if I
> understand this right?

That's why I said "login with a domain admin account", that avoids
the problems.  Also, there's no reason to believe that your normal
domain account has no permissions to enumerate AD accounts.  The
default settings on Windows are so that all authenticated domain
users have the right to enumerate AD accounts.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple