Hi Charles,

On Jan 10 15:24, Charles Hedrick wrote:
> We have a system that is doing a Kerberized NFS mount of directories
> on Linux. We have our LDAP system set up as a mapping server, with
> samaccountname added to users so that the Windows mount command does
> the mount as the right user.
>
> ls -l causes a query that looks like
> (&(objectClass=posixAccount)(uidNumber=26780))" attrs="uid". We sent
> back a response. If there's a local account for the user, "ls -l"
> shows them. But we only have local accounts for people who actually use
> the Windows box. I'd like "ls -l" to work for everyone.

Sorry, I don't understand the problem, maybe because I'm looking at it
from the other side.

ls -l calls stat(2). stat(2) on NFS returns the uids and gids returned
by a stat(2) call on the NFS server. ls -l then calls (basically)
getpwuid(3)/getgrgid(3), which in turn ask the account server via LDAP;
differently, depending on the server being AD or non-AD LDAP.

If there's no mapping from a uidNumber/gidNumber to a SID in AD, nor a
mapping from uidNumber/gidNumber to an account name ("uid" for users,
"cn" for groups) in LDAP, Cygwin will create a mapping in memory on the
fly. Example:

  $ ls -l foo
  -rwxr-xr-x 1 Unix_User+4 Unix_Group+7 47456 Oct 30  2015 foo

So the fake account names are "Unix_User+" and "Unix_Group+". The Cygwin
uids/gids follow a certain computation rule (details don't matter here)
which is used for Samba accounts as well. Ultimately the in-memory
passwd and group entries look like this:

  $ getent passwd Unix_User+4
  Unix_User+4:*:4278190084:4278190084:U-Unix_User\4,S-1-22-1-4:/:/sbin/nologin
  $ getent group Unix_Group+7
  Unix_Group+7:S-1-22-2-7:4278190087:

> It appears that cygwin generates SIDs for entries in /etc/passwd.

No, it generates the info on the fly in memory.

In fact, if there's info in /etc/passwd or /etc/group, and if
/etc/nsswitch.conf is set up to actually _use_ these files (*), you can
override the user name to something more readable:

  $ echo 'MyUser:*:4278190084:4278190084:U-Unix_User\4,S-1-22-1-4:/:/sbin/nologin' >> /etc/passwd
  $ echo 'MyGroup:S-1-22-2-7:4278190087:' >> /etc/group
  [exit from Cygwin terminal, start a new one]
  $ ls -l foo
  -rwxr-xr-x 1 MyUser MyGroup 47456 Oct 30  2015 foo

For more exact details on how to use /etc/nsswitch.conf and how the
mapping is performed, see

(*) https://cygwin.com/cygwin-ug-net/ntsec.html

> How can I make it do that for uids returned from LDAP? I'm willing to
> generate SIDs and put them in LDAP, but it doesn't look like Cygwin is
> asking for a SID.

Well, it should. What happens is this: After asking the non-AD LDAP
server for the account name, it asks the account fetching algorithm for
that name from scratch. This depends on the /etc/nsswitch.conf settings,
of course (*). Assuming "passwd: files db", it first checks the local
/etc/passwd file for a matching entry for that account name, then the
OS, preferring AD on an AD member machine, then local SAM.

Does this help?

Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
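The override Corinna describes above (giving a readable name to a Unix_User+N / Unix_Group+N entry by appending a matching line to /etc/passwd or /etc/group) is easy to get subtly wrong by hand: the numeric id has to match the one Cygwin computes, the SID has to be the matching S-1-22-1-N / S-1-22-2-N, and a second line claiming an id that is already present gives you two names for one uid. The script below is an added example, not code from the thread or from the Cygwin project. It assumes the rule implied by the two ids in the mail (uid 4 -> 4278190084, gid 7 -> 4278190087), i.e. offset 0xFF000000 added to the Unix id, and the helper names (cyg_unix_id, passwd_line, group_line, append_if_new) and the sample uidNumber/uid pairs are made up for the example; real pairs would come from the LDAP query ls -l triggers.

```shell
#!/bin/sh
# Added example (not from the mail thread or the Cygwin project): build the
# /etc/passwd and /etc/group override lines for Cygwin's in-memory
# Unix_User+N / Unix_Group+N accounts (SIDs S-1-22-1-N and S-1-22-2-N).
# Assumption: the uid/gid is 0xFF000000 (4278190080) + N, which is what the
# two examples in the thread show (4 -> 4278190084, 7 -> 4278190087).

# Cygwin uid/gid for Unix_User+N or Unix_Group+N.
cyg_unix_id() {
    printf '%d' $(( 4278190080 + $1 ))
}

# /etc/passwd line giving a readable name to Unix_User+N, in the same layout
# as the getent output in the thread (primary gid is Unix_Group+N).
passwd_line() {
    name=$1; n=$2
    id=$(cyg_unix_id "$n")
    printf '%s:*:%s:%s:U-Unix_User\\%s,S-1-22-1-%s:/:/sbin/nologin\n' \
        "$name" "$id" "$id" "$n" "$n"
}

# /etc/group line giving a readable name to Unix_Group+N.
group_line() {
    name=$1; n=$2
    printf '%s:S-1-22-2-%s:%s:\n' "$name" "$n" "$(cyg_unix_id "$n")"
}

# Append a line only if no existing entry already claims the same numeric id
# (third field in both files), so a re-run or a stale local account cannot
# leave two names on one uid/gid.  Returns 1 when the line was skipped.
append_if_new() {
    file=$1; line=$2
    id=$(printf '%s' "$line" | cut -d: -f3)
    if grep -q "^[^:]*:[^:]*:${id}:" "$file" 2>/dev/null; then
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
}

# Constructed sample input: (uidNumber, uid) pairs as the LDAP mapping server
# would answer them, plus one group.  Written to temp files here instead of
# /etc/passwd and /etc/group so the example is safe to run anywhere.
passwd_out=$(mktemp)
group_out=$(mktemp)
printf '%s\n' "4 alice" "26780 bob" | while read -r n name; do
    append_if_new "$passwd_out" "$(passwd_line "$name" "$n")" || echo "skip uid $n"
done
append_if_new "$group_out" "$(group_line nfsusers 7)" || echo "skip gid 7"

# A second name for Unix_User+4 is refused because uid 4278190084 is taken.
append_if_new "$passwd_out" "$(passwd_line alice2 4)" || echo "skip uid 4 (already present)"

cat "$passwd_out" "$group_out"
rm -f "$passwd_out" "$group_out"
```

After appending the generated lines to the real files, the new names only take effect in a freshly started Cygwin process, as the thread notes, and only if /etc/nsswitch.conf lists "files" for passwd and group.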