mkpasswd: option to force the 'primary' domain?

mkpasswd: option to force the 'primary' domain?

[Tim Magee]

Now then,

Since Cygwin 1.7.34 dropped, mkpasswd has been problematic for us.  Our 
problem is with the way user names pulled from outside the primary 
domain get decorated.  My question is: will there ever be a way to tell 
mkpasswd/mkgroup "make <some non-primary domain> the one whose users get 
undecorated names"?

We have Windows machines in one AD domain, and all our users in a 
different AD domain.  According to the 'POSIX accounts, permissions and 
security' page, the machine's domain is considered the primary one. 
"mkpasswd -d" will generate undecorated names for that domain, and 
decorated names for any other named domain.

We use SSH-based tools a great deal here, and we use Cygwin to make our 
Windows machines behave like members of our POSIX machine community, so 
having our usernames appear the same on all machines is very desirable.

I think I can recreate the pre-1.74 behaviour with a little seddery, but 
I'd bet folding money that my seddery isn't future-proof.  So, are 
mkpasswd/mkgroup ever likely to get an option to force the "undecorated 
users" domain?

Thanks,
Tim

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: mkpasswd: option to force the 'primary' domain?

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 1852 bytes --]

On Mar 20 11:58, Tim Magee wrote:
> Now then,
> 
> Since Cygwin 1.7.34 dropped, mkpasswd has been problematic for us.  Our
> problem is with the way user names pulled from outside the primary domain
> get decorated.  My question is: will there ever be a way to tell
> mkpasswd/mkgroup "make <some non-primary domain> the one whose users get
> undecorated names"?
> 
> We have Windows machines in one AD domain, and all our users in a different
> AD domain.  According to the 'POSIX accounts, permissions and security'
> page, the machine's domain is considered the primary one. "mkpasswd -d" will
> generate undecorated names for that domain, and decorated names for any
> other named domain.
> 
> We use SSH-based tools a great deal here, and we use Cygwin to make our
> Windows machines behave like members of our POSIX machine community, so
> having our usernames appear the same on all machines is very desirable.
> 
> I think I can recreate the pre-1.74 behaviour with a little seddery, but I'd
> bet folding money that my seddery isn't future-proof.  So, are
> mkpasswd/mkgroup ever likely to get an option to force the "undecorated
> users" domain?

I'm not planning this.  The idea is that mkpasswd/mkgroup create account
names compatible with the "db"-based accounts and everyhing else is left
to post-creation manipulation.

Having said that, the new account handling is supposed to be stable on
the user level for quite some time, ideally at least as many years as
the old /etc/passwd&/etc/group-only based code.  Therefore using some
sed script to filter the output of mkpasswd/mkgroup if you dislike the
new account handling is the way to go.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: mkpasswd: option to force the 'primary' domain?

[Tim Magee]

On 20/03/15 18:10, Corinna Vinschen wrote:
> On Mar 20 11:58, Tim Magee wrote:
>> Now then,
>>
>> Since Cygwin 1.7.34 dropped, mkpasswd has been problematic for us.  Our
>> problem is with the way user names pulled from outside the primary domain
>> get decorated.  My question is: will there ever be a way to tell
>> mkpasswd/mkgroup "make <some non-primary domain> the one whose users get
>> undecorated names"?
>>
>> We have Windows machines in one AD domain, and all our users in a different
>> AD domain.  According to the 'POSIX accounts, permissions and security'
>> page, the machine's domain is considered the primary one. "mkpasswd -d" will
>> generate undecorated names for that domain, and decorated names for any
>> other named domain.
>>
>> We use SSH-based tools a great deal here, and we use Cygwin to make our
>> Windows machines behave like members of our POSIX machine community, so
>> having our usernames appear the same on all machines is very desirable.
>>
>> I think I can recreate the pre-1.74 behaviour with a little seddery, but I'd
>> bet folding money that my seddery isn't future-proof.  So, are
>> mkpasswd/mkgroup ever likely to get an option to force the "undecorated
>> users" domain?
>
> I'm not planning this.  The idea is that mkpasswd/mkgroup create account
> names compatible with the "db"-based accounts and everyhing else is left
> to post-creation manipulation.
>
> Having said that, the new account handling is supposed to be stable on
> the user level for quite some time, ideally at least as many years as
> the old /etc/passwd&/etc/group-only based code.  Therefore using some
> sed script to filter the output of mkpasswd/mkgroup if you dislike the
> new account handling is the way to go.
>
>
> Corinna
>
Thanks, I feel more confident of my seddery already!

In case anyone else with a similar setup reads this thread: using sed to 
trim off the domain decoration for the chosen domain is WFMing like a 
champ, but you'll want to make sure you're not creating name clashes. 
It's safe for us because we only have users we care about in one domain.

Tim


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: mkpasswd: option to force the 'primary' domain?

[Linda Walsh]

Corinna Vinschen wrote:
> On Mar 20 11:58, Tim Magee wrote:
>> Now then,
>>
>> Since Cygwin 1.7.34 dropped, mkpasswd has been problematic for us.  Our
>> problem is with the way user names pulled from outside the primary domain
>> get decorated.  My question is: will there ever be a way to tell
>> mkpasswd/mkgroup "make <some non-primary domain> the one whose users get
>> undecorated names"?
----
> I'm not planning this.  The idea is that mkpasswd/mkgroup create account
> names compatible with the "db"-based accounts and everyhing else is left
> to post-creation manipulation.
---
     I never quite managed to understand this -- as my pw/grp files on
my client machines were already in sync with my domain setup and
worked as it would in a real Win Domain (i.e. Domain applied when I signed
into a machine that wasn't the domain controller and was using domain
credentials).  If I logged into a machine with a local account, there has never
been a domain name to have to bother with -- so for me user-logins were prefixed
with the domain only when they were in a domain.

This has been the way windows has worked for as long as I've run a domain server --
if a local machine is not in a domain, then it's username-only, but if it is
in a domain, then I'd need to type-or-add the local-machine name to NOT login
via the domain creds.

For local accounts, the RID==the UID, for domain accounts the RID==the UID on
the domain controller.  

Do I understand that cygwin is no longer compatible with window's (and samba's) 
naming convention?  That would be a pain.



 

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: mkpasswd: option to force the 'primary' domain?

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 2063 bytes --]

On Mar 24 13:29, Linda Walsh wrote:
> Corinna Vinschen wrote:
> >On Mar 20 11:58, Tim Magee wrote:
> >>Now then,
> >>
> >>Since Cygwin 1.7.34 dropped, mkpasswd has been problematic for us.  Our
> >>problem is with the way user names pulled from outside the primary domain
> >>get decorated.  My question is: will there ever be a way to tell
> >>mkpasswd/mkgroup "make <some non-primary domain> the one whose users get
> >>undecorated names"?
> ----
> >I'm not planning this.  The idea is that mkpasswd/mkgroup create account
> >names compatible with the "db"-based accounts and everyhing else is left
> >to post-creation manipulation.
> ---
>     I never quite managed to understand this -- as my pw/grp files on
> my client machines were already in sync with my domain setup and
> worked as it would in a real Win Domain (i.e. Domain applied when I signed
> into a machine that wasn't the domain controller and was using domain
> credentials).  If I logged into a machine with a local account, there has never
> been a domain name to have to bother with -- so for me user-logins were prefixed
> with the domain only when they were in a domain.
> 
> This has been the way windows has worked for as long as I've run a domain server --
> if a local machine is not in a domain, then it's username-only, but if it is
> in a domain, then I'd need to type-or-add the local-machine name to NOT login
> via the domain creds.
> 
> For local accounts, the RID==the UID, for domain accounts the RID==the UID on
> the domain controller.
> 
> Do I understand that cygwin is no longer compatible with window's (and
> samba's) naming convention?  That would be a pain.

Did you go to the trouble to read the new documentation under
https://cygwin.com/cygwin-ug-net/ntsec.html?  It's all explained there.
If you don't like it, use passwd and group files with changed user names.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]