public inbox for cygwin@cygwin.com
* RFC2307 accounts
@ 2016-03-08 16:30 Marc Rechte
  2016-03-08 17:00 ` Corinna Vinschen
  0 siblings, 1 reply; 10+ messages in thread
From: Marc Rechte @ 2016-03-08 16:30 UTC (permalink / raw)
  To: cygwin


Hello,

  Trying to set RFC2307 accounts, using unix schema in /etc/nsswitch.conf.

UID/GID do not reflect what is stored in AD (using POSIX attributes), 
they still follow the 0x100000 + RID scheme 
(https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping)

Any idea ?

Thanks

In cygwin bash:

$ uname -a
CYGWIN_NT-6.1 TOURNESOL 2.4.1(0.293/5/3) 2016-01-24 11:26 x86_64 Cygwin

$ getent passwd mrechte
mrechte:*:1050005:1049089:U-STUDELEC-SA\mrechte,S-1-5-21-497920593-2320919703-1315762108-1429:/home/mrechte:/bin/bash

$ cat /etc/nsswitch.conf
passwd:   files db
group:    files db
db_enum:  cache builtin
db_home: unix
db_shell: unix
db_gecos: unix

On a Linux box attached to the domain, using RFC2307
$ getent passwd mrechte
mrechte:*:12007:11000::/home/mrechte:/bin/bash

These are the correct values, i.e. 12007/11000



* Re: RFC2307 accounts
  2016-03-08 16:30 RFC2307 accounts Marc Rechte
@ 2016-03-08 17:00 ` Corinna Vinschen
  0 siblings, 0 replies; 10+ messages in thread
From: Corinna Vinschen @ 2016-03-08 17:00 UTC (permalink / raw)
  To: cygwin


On Mar  8 17:30, Marc Rechte wrote:
> Hello,
> 
>  Trying to set RFC2307 accounts, using unix schema in /etc/nsswitch.conf.
> 
> UID/GID do not reflect what is stored in AD (using POSIX attributes), they
> still follow the 0x100000 + RID scheme
> (https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping)
> 
> Any idea ?
> 
> Thanks
> 
> In cygwin bash:
> 
> $ uname -a
> CYGWIN_NT-6.1 TOURNESOL 2.4.1(0.293/5/3) 2016-01-24 11:26 x86_64 Cygwin
> 
> $ getent passwd mrechte
> mrechte:*:1050005:1049089:U-STUDELEC-SA\mrechte,S-1-5-21-497920593-2320919703-1315762108-1429:/home/mrechte:/bin/bash
> 
> $ cat /etc/nsswitch.conf
> passwd:   files db
> group:    files db
> db_enum:  cache builtin
> db_home: unix
> db_shell: unix
> db_gecos: unix
> 
> On a Linux box attached to the domain, using RFC2307
> $ getent passwd mrechte
> mrechte:*:12007:11000::/home/mrechte:/bin/bash
> 
> This is the correct values ie. 12007/11000

The result is correct, too.  The uid/gid mapping is the mapping from
Windows SID to Cygwin uid/gid, so the uid/gid values reflect the normal
values as computed from the SIDs.

The RFC2307 uid/gid mapping has only one purpose:  Used on NFS or Samba
shares, Cygwin knows that uid 12007 is you.  So during file handling
Cygwin internally maps uid 12007 on the remote FS to the Cygwin uid
1050005 and vice versa.


HTH,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: RFC2307 accounts
  2016-03-09 11:50       ` Marc Rechte
  2016-03-09 15:58         ` Corinna Vinschen
@ 2016-03-09 22:05         ` Andrey Repin
  1 sibling, 0 replies; 10+ messages in thread
From: Andrey Repin @ 2016-03-09 22:05 UTC (permalink / raw)
  To: Marc Rechte, cygwin

Greetings, Marc Rechte!

> OK, I noticed that. Now it brings me a problem using rsync on cygwin.

> On cygwin:
> $ cat /etc/rsyncd.conf
> [test]
>          path = /cygdrive/c/tmp
>          comment = zone de test
>          fake super = yes
>          read only = no

> On the Linux box:
> # ls -l /home/tunix/
> ...
> drwxr-xr-x  3 tunix root                     4096  9 mars  12:23 resto_win
> -rw-rw-r--+ 1 tunix utilisateurs_du_domaine 82882  9 mars  10:56 tmp.ps

> #  rsync -avz --acls --delete /home rsync://192.168.0.23/test
> ..
> # rsync -avz --acls --delete rsync://192.168.0.23/test/home/tunix resto_win/
> ...
> # ls -l /home/tunix/resto_win/tunix/
> ...
> drwx------ 2 1050005 1049089  4096  9 mars  12:14 resto_win
> -rw------- 1 1050005 1049089 82882  9 mars  10:56 tmp.ps

> You will notice that owner, group and ACLs  are *not* restored properly

> Am I demanding too much to cygwin ?

No, you're demanding too much of rsync, which wasn't built with a sane
permission system in mind.
Use SSH or direct (cifs) copying. Then the names will match.
Your problem is that you expect Cygwin to be *NIX, but in fact, it isn't. It
is a Windows application, and it follows the Windows permission model. (Which,
IMO, is saner than the POSIX one.)


-- 
With best regards,
Andrey Repin
Thursday, March 10, 2016 00:58:07

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: RFC2307 accounts
  2016-03-09 15:58         ` Corinna Vinschen
@ 2016-03-09 16:08           ` Marc Rechte
  0 siblings, 0 replies; 10+ messages in thread
From: Marc Rechte @ 2016-03-09 16:08 UTC (permalink / raw)
  To: cygwin




On 09/03/2016 16:58, Corinna Vinschen wrote:
> On Mar  9 12:50, Marc Rechte wrote:
>> On 09/03/2016 12:27, Corinna Vinschen wrote:
>>> Keep in mind that we have two mappings.  The main mapping is the mapping
>>> between Windows SID and a computed uid/gid value used in Cygwin which
>>> allows fast mapping in both directions.  A computed value drops the
>>> requirement to access an LDAP server for the mapping, which is
>>> especially bad when not using AD as mapping server.
>>>
>>> Please read https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nfs
>>> and https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-samba
>>> again.  The RFC 2307 mapping only comes into play when reading meta
>>> information from an NFS or Samba share.  The unix uid/gid values have to
>>> be mapped to a Windows user (better: SID) in the first place, not to the
>>> Cygwin uid/gid values.  The actual uid/gid values are irrelevant.  Worse,
>>> using the RFC 2307 values might collide with other, computed uid/gid
>>> values.
>>>
>>>
>>> Corinna
>>>
>> OK, I noticed that. Now it brings me a problem using rsync on cygwin.
>>
>> On cygwin:
>> $ cat /etc/rsyncd.conf
>> [test]
>>          path = /cygdrive/c/tmp
>>          comment = zone de test
>>          fake super = yes
>>          read only = no
>>
>> On the Linux box:
>> # ls -l /home/tunix/
>> ...
>> drwxr-xr-x  3 tunix root                     4096  9 mars  12:23 resto_win
>> -rw-rw-r--+ 1 tunix utilisateurs_du_domaine 82882  9 mars  10:56 tmp.ps
>>
>> #  rsync -avz --acls --delete /home rsync://192.168.0.23/test
>> ..
>> # rsync -avz --acls --delete rsync://192.168.0.23/test/home/tunix resto_win/
>> ...
>> # ls -l /home/tunix/resto_win/tunix/
>> ...
>> drwx------ 2 1050005 1049089  4096  9 mars  12:14 resto_win
>> -rw------- 1 1050005 1049089 82882  9 mars  10:56 tmp.ps
> That's an ls -ln, right?  The AD user and group names should have been
> resolved.
No, "ls -l"; this is on the Linux box after restoration. The uid/gid are the
ones assigned in cygwin and become irrelevant here.
>
>> You will notice that owner, group and ACLs  are *not* restored properly
>>
>> Am I demanding too much to cygwin ?
> Off the top of my head, yes.  The rfc2307 uid/gid mapping only works
> when accessing the filesystem directly from Cygwin.  By using rsync, the
> info is transmitted over the net.
>
>
> Corinna
>




* Re: RFC2307 accounts
  2016-03-09 11:50       ` Marc Rechte
@ 2016-03-09 15:58         ` Corinna Vinschen
  2016-03-09 16:08           ` Marc Rechte
  2016-03-09 22:05         ` Andrey Repin
  1 sibling, 1 reply; 10+ messages in thread
From: Corinna Vinschen @ 2016-03-09 15:58 UTC (permalink / raw)
  To: cygwin


On Mar  9 12:50, Marc Rechte wrote:
> On 09/03/2016 12:27, Corinna Vinschen wrote:
> >Keep in mind that we have two mappings.  The main mapping is the mapping
> >between Windows SID and a computed uid/gid value used in Cygwin which
> >allows fast mapping in both directions.  A computed value drops the
> >requirement to access an LDAP server for the mapping, which is
> >especially bad when not using AD as mapping server.
> >
> >Please read https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nfs
> >and https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-samba
> >again.  The RFC 2307 mapping only comes into play when reading meta
> >information from an NFS or Samba share.  The unix uid/gid values have to
> >be mapped to a Windows user (better: SID) in the first place, not to the
> >Cygwin uid/gid values.  The actual uid/gid values are irrelevant.  Worse,
> >using the RFC 2307 values might collide with other, computed uid/gid
> >values.
> >
> >
> >Corinna
> >
> 
> OK, I noticed that. Now it brings me a problem using rsync on cygwin.
> 
> On cygwin:
> $ cat /etc/rsyncd.conf
> [test]
>         path = /cygdrive/c/tmp
>         comment = zone de test
>         fake super = yes
>         read only = no
> 
> On the Linux box:
> # ls -l /home/tunix/
> ...
> drwxr-xr-x  3 tunix root                     4096  9 mars  12:23 resto_win
> -rw-rw-r--+ 1 tunix utilisateurs_du_domaine 82882  9 mars  10:56 tmp.ps
> 
> #  rsync -avz --acls --delete /home rsync://192.168.0.23/test
> ..
> # rsync -avz --acls --delete rsync://192.168.0.23/test/home/tunix resto_win/
> ...
> # ls -l /home/tunix/resto_win/tunix/
> ...
> drwx------ 2 1050005 1049089  4096  9 mars  12:14 resto_win
> -rw------- 1 1050005 1049089 82882  9 mars  10:56 tmp.ps

That's an ls -ln, right?  The AD user and group names should have been
resolved.

> You will notice that owner, group and ACLs  are *not* restored properly
> 
> Am I demanding too much to cygwin ?

Off the top of my head, yes.  The rfc2307 uid/gid mapping only works
when accessing the filesystem directly from Cygwin.  By using rsync, the
info is transmitted over the net.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: RFC2307 accounts
  2016-03-09 11:28     ` Corinna Vinschen
@ 2016-03-09 11:50       ` Marc Rechte
  2016-03-09 15:58         ` Corinna Vinschen
  2016-03-09 22:05         ` Andrey Repin
  0 siblings, 2 replies; 10+ messages in thread
From: Marc Rechte @ 2016-03-09 11:50 UTC (permalink / raw)
  To: cygwin


On 09/03/2016 12:27, Corinna Vinschen wrote:
> On Mar  9 11:42, Marc Rechte wrote:
>> On 09/03/2016 10:14, Mark Geisert wrote:
>>> Marc Rechte wrote:
>>>> Hello,
>>>>
>>>>    Trying to set RFC2307 accounts, using unix schema in
>>>> /etc/nsswitch.conf.
>>> [...]
>>>
>>> Your original post of this material was answered about 30 minutes after
>>> your post.  Kindly follow up there...
>>>
>>> https://cygwin.com/ml/cygwin/2016-03/msg00076.html
>> Sorry, I did not get that answer emailed to me (some confusion during the
>> subscription).
>>
>> I am not clear with answer given by Corinna.
>>
>> The idea behind RFC2307, imho is to have a consistent UID/GID between
>> systems which have joined a domain. This is what we achieved in our domain,
>> where a user login into whatever Linux box, gets the same uid/gid. One would
>> expect the same behaviour in cygwin (on a joined machine), wouldn't he ?
> That's not the idea behind the uid/gid mapping.  You might have noticed
> that "unix" is not used as a keyword in the passwd and group settings
> in /etc/nsswitch.conf, only in the db_home, db_shell, and db_gecos settings.
>
> Keep in mind that we have two mappings.  The main mapping is the mapping
> between Windows SID and a computed uid/gid value used in Cygwin which
> allows fast mapping in both directions.  A computed value drops the
> requirement to access an LDAP server for the mapping, which is
> especially bad when not using AD as mapping server.
>
> Please read https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nfs
> and https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-samba
> again.  The RFC 2307 mapping only comes into play when reading meta
> information from an NFS or Samba share.  The unix uid/gid values have to
> be mapped to a Windows user (better: SID) in the first place, not to the
> Cygwin uid/gid values.  The actual uid/gid values are irrelevant.  Worse,
> using the RFC 2307 values might collide with other, computed uid/gid
> values.
>
>
> Corinna
>

OK, I noticed that. Now it brings me a problem using rsync on cygwin.

On cygwin:
$ cat /etc/rsyncd.conf
[test]
         path = /cygdrive/c/tmp
         comment = zone de test
         fake super = yes
         read only = no

On the Linux box:
# ls -l /home/tunix/
...
drwxr-xr-x  3 tunix root                     4096  9 mars  12:23 resto_win
-rw-rw-r--+ 1 tunix utilisateurs_du_domaine 82882  9 mars  10:56 tmp.ps

#  rsync -avz --acls --delete /home rsync://192.168.0.23/test
..
# rsync -avz --acls --delete rsync://192.168.0.23/test/home/tunix resto_win/
...
# ls -l /home/tunix/resto_win/tunix/
...
drwx------ 2 1050005 1049089  4096  9 mars  12:14 resto_win
-rw------- 1 1050005 1049089 82882  9 mars  10:56 tmp.ps

You will notice that owner, group and ACLs are *not* restored properly.

Am I demanding too much of cygwin?

Thanks for your time.

Marc



* Re: RFC2307 accounts
  2016-03-09 10:43   ` Marc Rechte
@ 2016-03-09 11:28     ` Corinna Vinschen
  2016-03-09 11:50       ` Marc Rechte
  0 siblings, 1 reply; 10+ messages in thread
From: Corinna Vinschen @ 2016-03-09 11:28 UTC (permalink / raw)
  To: cygwin


On Mar  9 11:42, Marc Rechte wrote:
> On 09/03/2016 10:14, Mark Geisert wrote:
> >Marc Rechte wrote:
> >>Hello,
> >>
> >>   Trying to set RFC2307 accounts, using unix schema in
> >>/etc/nsswitch.conf.
> >[...]
> >
> >Your original post of this material was answered about 30 minutes after
> >your post.  Kindly follow up there...
> >
> >https://cygwin.com/ml/cygwin/2016-03/msg00076.html
> Sorry, I did not get that answer emailed to me (some confusion during the
> subscription).
> 
> I am not clear with answer given by Corinna.
> 
> The idea behind RFC2307, imho is to have a consistent UID/GID between
> systems which have joined a domain. This is what we achieved in our domain,
> where a user login into whatever Linux box, gets the same uid/gid. One would
> expect the same behaviour in cygwin (on a joined machine), wouldn't he ?

That's not the idea behind the uid/gid mapping.  You might have noticed
that "unix" is not used as a keyword in the passwd and group settings
in /etc/nsswitch.conf, only in the db_home, db_shell, and db_gecos settings.

Keep in mind that we have two mappings.  The main mapping is the mapping
between Windows SID and a computed uid/gid value used in Cygwin which
allows fast mapping in both directions.  A computed value drops the
requirement to access an LDAP server for the mapping, which is
especially bad when not using AD as mapping server.

Please read https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nfs
and https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-samba
again.  The RFC 2307 mapping only comes into play when reading meta
information from an NFS or Samba share.  The unix uid/gid values have to
be mapped to a Windows user (better: SID) in the first place, not to the
Cygwin uid/gid values.  The actual uid/gid values are irrelevant.  Worse,
using the RFC 2307 values might collide with other, computed uid/gid
values.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
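
Added example, not part of any message in this thread and not Cygwin's own code: a sketch of the two points made above, that the Cygwin uid is computed from the SID (0x100000 + RID, as quoted in the original post) and that RFC 2307 uidNumber values can collide with computed ones. The function names and the svc_backup record are constructed for illustration; only primary-domain accounts are assumed.

```sh
#!/bin/sh
# Added example; function names are hypothetical helpers, not Cygwin tools.

BASE=1048576   # 0x100000: offset for primary-domain accounts, per the thread

# Line copied from the Cygwin getent output in the thread.
CYGWIN_LINE='mrechte:*:1050005:1049089:U-STUDELEC-SA\mrechte,S-1-5-21-497920593-2320919703-1315762108-1429:/home/mrechte:/bin/bash'

# Print the SID that Cygwin stores in the gecos field (field 5).
sid_from_passwd_line() {
    printf '%s\n' "$1" | awk -F: '{
        n = split($5, part, ",")
        for (i = 1; i <= n; i++)
            if (part[i] ~ /^S-1-[0-9-]+$/) { print part[i]; exit }
    }'
}

# Computed Cygwin uid/gid for a primary-domain SID: 0x100000 + RID,
# where the RID is the last dash-separated component of the SID.
computed_id_from_sid() {
    rid=${1##*-}
    case $rid in ''|*[!0-9]*) return 1 ;; esac
    echo $((BASE + rid))
}

# Reverse direction: the RID behind a numeric owner such as the ones
# "ls -l" printed on the Linux box after the rsync round trip.
# Assumes the id belongs to the primary domain.
rid_from_computed_id() {
    [ "$1" -ge "$BASE" ] || return 1
    echo $(($1 - BASE))
}

# Succeeds when the uid field (field 3) equals 0x100000 + RID of the SID.
check_passwd_line() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    sid=$(sid_from_passwd_line "$1")
    want=$(computed_id_from_sid "$sid") || return 2
    [ "$uid" = "$want" ]
}

# stdin: "name SID uidNumber" records. Prints each account whose RFC 2307
# uidNumber equals the computed Cygwin uid of a different account.
find_collisions() {
    awk -v base="$BASE" '
        { n = split($2, p, "-"); comp[base + p[n]] = $1; who[NR] = $1; rfc[NR] = $3 }
        END {
            for (i = 1; i <= NR; i++)
                if ((rfc[i] in comp) && comp[rfc[i]] != who[i])
                    print who[i] ": uidNumber " rfc[i] " is the computed uid of " comp[rfc[i]]
        }'
}

# Constructed directory data: mrechte's values are from the thread,
# svc_backup is invented to show the collision case.
sample_accounts() {
    cat <<'EOF'
mrechte S-1-5-21-497920593-2320919703-1315762108-1429 12007
svc_backup S-1-5-21-497920593-2320919703-1315762108-2001 1050005
EOF
}

check_passwd_line "$CYGWIN_LINE" && echo "uid matches 0x100000 + RID"
sample_accounts | find_collisions
```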


* Re: RFC2307 accounts
  2016-03-09  9:14 ` Mark Geisert
@ 2016-03-09 10:43   ` Marc Rechte
  2016-03-09 11:28     ` Corinna Vinschen
  0 siblings, 1 reply; 10+ messages in thread
From: Marc Rechte @ 2016-03-09 10:43 UTC (permalink / raw)
  To: cygwin


On 09/03/2016 10:14, Mark Geisert wrote:
> Marc Rechte wrote:
>> Hello,
>>
>>    Trying to set RFC2307 accounts, using unix schema in 
>> /etc/nsswitch.conf.
> [...]
>
> Your original post of this material was answered about 30 minutes 
> after your post.  Kindly follow up there...
>
> https://cygwin.com/ml/cygwin/2016-03/msg00076.html
Sorry, I did not get that answer emailed to me (some confusion during 
the subscription).

I am not clear on the answer given by Corinna.

The idea behind RFC2307, imho, is to have a consistent UID/GID between
systems which have joined a domain. This is what we achieved in our
domain, where a user logging into whatever Linux box gets the same
uid/gid. One would expect the same behaviour in cygwin (on a joined
machine), wouldn't he?

Thanks





* Re: RFC2307 accounts
  2016-03-09  7:09 Marc Rechte
@ 2016-03-09  9:14 ` Mark Geisert
  2016-03-09 10:43   ` Marc Rechte
  0 siblings, 1 reply; 10+ messages in thread
From: Mark Geisert @ 2016-03-09  9:14 UTC (permalink / raw)
  To: cygwin

Marc Rechte wrote:
> Hello,
>
>    Trying to set RFC2307 accounts, using unix schema in /etc/nsswitch.conf.
[...]

Your original post of this material was answered about 30 minutes after your 
post.  Kindly follow up there...

https://cygwin.com/ml/cygwin/2016-03/msg00076.html


* RFC2307 accounts
@ 2016-03-09  7:09 Marc Rechte
  2016-03-09  9:14 ` Mark Geisert
  0 siblings, 1 reply; 10+ messages in thread
From: Marc Rechte @ 2016-03-09  7:09 UTC (permalink / raw)
  To: cygwin


Hello,

   Trying to set RFC2307 accounts, using unix schema in /etc/nsswitch.conf.

UID/GID do not reflect what is stored in AD (using POSIX attributes), 
they still follow the 0x100000 + RID scheme 
(https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping)

Any idea ?

Thanks

In cygwin bash:

$ uname -a
CYGWIN_NT-6.1 TOURNESOL 2.4.1(0.293/5/3) 2016-01-24 11:26 x86_64 Cygwin

$ getent passwd mrechte
mrechte:*:1050005:1049089:U-STUDELEC-SA\mrechte,S-1-5-21-497920593-2320919703-1315762108-1429:/home/mrechte:/bin/bash

$ cat /etc/nsswitch.conf
passwd:   files db
group:    files db
db_enum:  cache builtin
db_home: unix
db_shell: unix
db_gecos: unix

On a Linux box attached to the domain, using RFC2307
$ getent passwd mrechte
mrechte:*:12007:11000::/home/mrechte:/bin/bash

These are the correct values, i.e. 12007/11000




Thread overview: 10+ messages
2016-03-08 16:30 RFC2307 accounts Marc Rechte
2016-03-08 17:00 ` Corinna Vinschen
2016-03-09  7:09 Marc Rechte
2016-03-09  9:14 ` Mark Geisert
2016-03-09 10:43   ` Marc Rechte
2016-03-09 11:28     ` Corinna Vinschen
2016-03-09 11:50       ` Marc Rechte
2016-03-09 15:58         ` Corinna Vinschen
2016-03-09 16:08           ` Marc Rechte
2016-03-09 22:05         ` Andrey Repin
