public inbox for cygwin@cygwin.com
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: Charles Hedrick <hedrick@rutgers.edu>
Cc: "cygwin@cygwin.com" <cygwin@cygwin.com>
Subject: Re: user/group mapping for NFS
Date: Thu, 10 Jan 2019 17:57:00 -0000
Message-ID: <20190110175718.GN593@calimero.vinschen.de>
In-Reply-To: <0562D98D-714A-4620-878E-B37282E8F688@rutgers.edu>


Hi Charles,

On Jan 10 15:24, Charles Hedrick wrote:
> We have a system that is doing a Kerberized NFS mount of directories
> on Linux. We have our LDAP system set up as a mapping server, with
> samaccountname added to users so that the Windows mount command does
> the mount as the right user.
> 
> ls -l causes a query that looks like
> (&(objectClass=posixAccount)(uidNumber=26780))" attrs="uid". We sent
> back a response. If there's a local account for the user, "ls -l"
> shows them. But we only have local accounts for people who actually use
> the Windows box. I'd like "ls -l" to work for everyone.

Sorry, I don't understand the problem, maybe because I'm looking at it
from the other side.

ls -l calls stat(2).  Stat(2) on NFS returns the uids and gids returned
by a stat(2) call on the NFS server.  ls -l then calls (basically)
getpwuid(3)/getgrgid(3) which in turn ask the account server via LDAP;
differently, depending on the server being AD or non-AD LDAP.

If there's no mapping from a uidNumber/gidNumber to a SID in AD, nor a
mapping from uidNumber/gidNumber to an account name ("uid" for users,
"cn" for groups) in LDAP, Cygwin will create a mapping in memory on the
fly.  Example:

  $ ls -l foo
  -rwxr-xr-x 1 Unix_User+4 Unix_Group+7 47456 Oct 30  2015 foo

So the fake account names are "Unix_User+<uid>" and "Unix_Group+<gid>".
The Cygwin uids/gids follow a certain computation rule (details don't
matter here) which is used for Samba accounts as well.  Ultimately
the in-memory passwd and group entries look like this:

  $ getent passwd Unix_User+4
  Unix_User+4:*:4278190084:4278190084:U-Unix_User\4,S-1-22-1-4:/:/sbin/nologin
  $ getent group Unix_Group+7
  Unix_Group+7:S-1-22-2-7:4278190087:

> It appears that cygwin generates SIDs for entries in /etc/passwd.

No, it generates the info on the fly in memory.  In fact, if there's
info in /etc/passwd or /etc/group, and if /etc/nsswitch.conf is set up
to actually _use_ these files (*), you can override the user name to
something more readable:

  $ echo 'MyUser:*:4278190084:4278190084:U-Unix_User\4,S-1-22-1-4:/:/sbin/nologin' >> /etc/passwd
  $ echo 'MyGroup:S-1-22-2-7:4278190087:' >> /etc/group

  [exit from Cygwin terminal, start a new one]

  $ ls -l foo
  -rwxr-xr-x 1 MyUser MyGroup 47456 Oct 30  2015 foo

For the more exact details how to use /etc/nsswitch.conf and how the
mapping is performed, see

(*) https://cygwin.com/cygwin-ug-net/ntsec.html

> How can I make it do that for uids returned from LDAP? I'm willing to
> generate SIDs and put them in LDAP, but it doesn't look like Cygwin is
> asking for a SID.

Well, it should.  What happens is this:  After asking the non-AD LDAP
server for the account name, it asks the account fetching algorithm for
that name from scratch.  This depends on the /etc/nsswitch.conf
settings, of course (*).  Assuming "passwd: files db", it first checks
the local /etc/passwd file for a matching entry for that account name,
then the OS, preferring AD on an AD member machine, then local SAM.

Does this help?


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
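As an added example (not part of the message above or of the Cygwin project), the synthesized "Unix_User+<uid>" / "Unix_Group+<gid>" entries and the /etc/passwd and /etc/group override step described in the message, expressed as a small Python helper. The 0xFF000000 offset between a UNIX id and the Cygwin id is inferred here from the two numbers in the message (4278190084 for uid 4, 4278190087 for gid 7) and is an assumption of this example, as are the helper names and the sample uid->name map.

```python
import re

# Synthetic SID prefixes Cygwin uses for UNIX (NFS/Samba) ids, as shown in the message.
UNIX_USER_SID = "S-1-22-1"
UNIX_GROUP_SID = "S-1-22-2"
# Offset between a UNIX id and the Cygwin id in the message's getent output:
# 4278190084 == 0xFF000000 + 4 and 4278190087 == 0xFF000000 + 7.
# ASSUMPTION: inferred from those two examples only.
CYGWIN_ID_BASE = 0xFF000000

FAKE_NAME_RE = re.compile(r"^Unix_(User|Group)\+(\d+)$")


def cygwin_id(unix_id: int) -> int:
    """Cygwin uid/gid for a UNIX uid/gid under the inferred rule."""
    return CYGWIN_ID_BASE + unix_id


def parse_fake_name(name: str):
    """'Unix_User+4' -> ('user', 4); None for any other account name."""
    m = FAKE_NAME_RE.match(name)
    return (m.group(1).lower(), int(m.group(2))) if m else None


def passwd_line(name: str, uid: int, gid: int = None, shell: str = "/sbin/nologin") -> str:
    """Override line in the exact layout getent printed in the message."""
    gid = uid if gid is None else gid
    return (f"{name}:*:{cygwin_id(uid)}:{cygwin_id(gid)}:"
            f"U-Unix_User\\{uid},{UNIX_USER_SID}-{uid}:/:{shell}")


def group_line(name: str, gid: int) -> str:
    """Override line for /etc/group: name:SID:cygwin_gid:"""
    return f"{name}:{UNIX_GROUP_SID}-{gid}:{cygwin_id(gid)}:"


def passwd_line_consistent(line: str) -> bool:
    """True if the numeric uid field matches the S-1-22-1-<uid> SID in the
    gecos field; a mismatch means the entry will not match the NFS uid."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return False
    sid = fields[4].rsplit(",", 1)[-1]
    prefix, _, rid = sid.rpartition("-")
    if prefix != UNIX_USER_SID or not rid.isdigit():
        return False
    return fields[2] == str(cygwin_id(int(rid)))


def override_lines(users: dict, groups: dict):
    """Build /etc/passwd and /etc/group lines from uid->name and gid->name
    maps (e.g. exported from LDAP); callers pass constructed samples here."""
    pw = [passwd_line(n, u) for u, n in sorted(users.items())]
    gr = [group_line(n, g) for g, n in sorted(groups.items())]
    return pw, gr
```

Appending the generated lines to /etc/passwd and /etc/group only takes effect when /etc/nsswitch.conf lists "files" for passwd and group, as the message notes.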
