From: Corinna Vinschen
To: cygwin@cygwin.com
Date: Fri, 15 Feb 2019 16:51:00 -0000
Subject: Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?
Message-ID: <20190215163817.GI2702@calimero.vinschen.de>

On Feb 15 08:34, Bill Stewart wrote:
> On Fri, Feb 15, 2019 at 2:32 AM Sam Edge (Cygwin) wrote:
>
> > https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-how explains
> > in more detail.
>
> I had already read that, and it seems to indicate that it asks the
> local machine first, but that doesn't seem to be happening when
> there's a duplication.
>
> I have a domain-joined machine, and I have a user account named
> testuser that exists on the local computer and also in the domain.
>
> 'getent passwd testuser' returns the domain account, not the local
> computer account.
>
> Hence the question.

There's a documented ruleset which is strictly followed
https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-how:

  Well-known and builtin accounts will be named as in Windows:

    "SYSTEM", "LOCAL", "Medium Mandatory Level", ...

  If the machine is not a domain member machine, only local accounts
  can be resolved into names, so for ease of use, just the account
  names are used as Cygwin user/group names:

    "corinna", "bigfoot", "None", ...

  If the machine is a domain member machine, all accounts from the
  primary domain of the machine are mapped to Cygwin names without
  domain prefix:

    "corinna", "bigfoot", "Domain Users", ...

  while accounts from other domains are prepended by their domain:

    "DOMAIN1+corinna", "DOMAIN2+bigfoot", "DOMAIN3+Domain Users", ...

  Local machine accounts of a domain member machine get a Cygwin user
  name the same way as accounts from another domain: The local machine
  name gets prepended:

    "MYMACHINE+corinna", "MYMACHINE+bigfoot", "MYMACHINE+None", ...

  If LookupAccountSid fails, Cygwin checks the accounts against the
  known trusted domains. If the account is from one of the trusted
  domains, an artificial account name is created. It consists of the
  domain name, and a special name created from the account RID:

    "MY_DOM+User(1234)", "MY_DOM+Group(5678)"

  Otherwise we know nothing about this SID, so it will be mapped to
  the fake accounts Unknown+User/Unknown+Group with uid/gid -1

HTH,
Corinna

--
Corinna Vinschen
Cygwin Maintainer
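
The ruleset quoted in the message above, modelled as an added example (not part of the original message and not Cygwin's own code), to show which account an unprefixed name such as testuser refers to on a domain member. The Account and Host classes, the function names and the sample accounts are constructed for illustration; domain and machine names are compared exactly.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:             # hypothetical model of one Windows account
    domain: Optional[str]  # issuing authority: domain or machine name
    name: Optional[str]    # None models a failed LookupAccountSid
    kind: str = "User"     # "User" or "Group"
    rid: Optional[int] = None
    well_known: bool = False  # well-known or builtin account

@dataclass(frozen=True)
class Host:                # hypothetical model of the Cygwin machine
    machine: str
    primary_domain: Optional[str] = None  # None: not a domain member
    trusted_domains: tuple = ()

def cygwin_name(acct: Account, host: Host) -> str:
    """Apply the quoted rules in order and return the Cygwin name."""
    if acct.name is None:                       # LookupAccountSid failed
        if acct.domain in host.trusted_domains and acct.rid is not None:
            return f"{acct.domain}+{acct.kind}({acct.rid})"
        return f"Unknown+{acct.kind}"           # fake account, uid/gid -1
    if acct.well_known:                         # named as in Windows
        return acct.name
    if host.primary_domain is None:             # standalone machine
        return acct.name
    if acct.domain == host.primary_domain:      # primary domain: no prefix
        return acct.name
    return f"{acct.domain}+{acct.name}"         # other domain or local machine

def resolve(name: str, accounts, host: Host):
    """Return the accounts that the Cygwin name `name` refers to."""
    return [a for a in accounts if cygwin_name(a, host) == name]

# Constructed sample: "testuser" exists locally and in the primary domain.
MEMBER = Host("MYMACHINE", primary_domain="MY_DOM", trusted_domains=("DOMAIN1",))
ACCOUNTS = [
    Account("MY_DOM", "testuser"),
    Account("MYMACHINE", "testuser"),
    Account("DOMAIN1", "corinna"),
    Account("NT AUTHORITY", "SYSTEM", well_known=True),
    Account("DOMAIN1", None, kind="Group", rid=5678),
]

if __name__ == "__main__":
    for a in ACCOUNTS:
        print(f"{a.domain}\\{a.name} -> {cygwin_name(a, MEMBER)}")
```

In this model the name testuser matches only the primary-domain account on a domain member, and the local account of the same name is reachable as MYMACHINE+testuser.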