Subject: Re: Windows to Cygwin username mapping: Domain before local account when duplicate name?
From: Brian Inglis
Reply-To: Brian.Inglis@SystematicSw.ab.ca
To: cygwin@cygwin.com
Date: Fri, 15 Feb 2019 21:48:00 -0000
Message-ID: <3bace8f4-1097-9245-10e9-1ed54d1014f3@SystematicSw.ab.ca>
References: <50cba8d1-4794-8db9-d1f3-ab9476421db7@gmx.com> <20190215163817.GI2702@calimero.vinschen.de> <20190215202936.GL2702@calimero.vinschen.de> <20190215204326.GO2702@calimero.vinschen.de>

On 2019-02-15 13:59, Bill Stewart wrote:
> On Fri, Feb 15, 2019 at 1:43 PM Corinna Vinschen wrote:
>> More specific than the original text? I'm hard pressed to accomplish
>> that. Take note of the "domain member machine" property.
> I think I see the problem. The list I posted (above the one you are
> apparently referring to) has the search in a different order.
> The section that starts with "Let's discuss the SID<=>uid/gid mapping
> first. Here's how it works." states this order:
> * Well-known SIDs in the NT_AUTHORITY domain of the S-1-5-RID type
> * Other well-known SIDs in the NT_AUTHORITY domain (S-1-5-X-RID)
> * Other well-known SIDs
> * Logon SIDs
> * Accounts from the local machine's user DB (SAM)
> * Accounts from the machine's primary domain
> * Accounts from a trusted domain of the machine's primary domain
> In this list, local machine accounts are listed before domain accounts.
> Underneath that, there's a second section with examples that starts
> with "Now we have a semi-bijective mapping..." that has this order:
> * Well-known and builtin accounts will be named as in Windows:
> "SYSTEM", "LOCAL", "Medium Mandatory Level", ...
> * If the machine is not a domain member machine, only local accounts
> can be resolved into names, so for ease of use, just the account names
> are used as Cygwin user/group names:
> "corinna", "bigfoot", "None", ...
> * If the machine is a domain member machine, all accounts from the
> primary domain of the machine are mapped to Cygwin names without
> domain prefix:
> "corinna", "bigfoot", "Domain Users", ...
> while accounts from other domains are prepended by their domain:
> "DOMAIN1+corinna", "DOMAIN2+bigfoot", "DOMAIN3+Domain Users", ...
> * Local machine accounts of a domain member machine get a Cygwin user
> name the same way as accounts from another domain: The local machine
> name gets prepended:
> "MYMACHINE+corinna", "MYMACHINE+bigfoot", "MYMACHINE+None", ...
> * If LookupAccountSid fails, Cygwin checks the accounts against the
> known trusted domains. If the account is from one of the trusted
> domains, an artificial account name is created. It consists of the
> domain name, and a special name created from the account RID:
> In the second list, it says domains are first before the local machine.
> I was assuming the first section is an orderly sequence of searching,
> since that's usually how Windows works.
> The second section with the examples seems to be a different order,
> and would seem to be the order Cygwin actually uses.
> I was just wondering if that's by design or by accident, since it's
> different from the typical order.

What it says is that an unprefixed name in a domain defaults to the name
as if prefixed by the primary domain, so if you want the local SAM entry
on a domain machine ($USERDOMAIN != $COMPUTERNAME), you must prefix the
name with the local machine name followed by "+".

Should the local machine name provided be $COMPUTERNAME or $HOSTNAME?

Windows normally allows "." to be used to refer to the local machine name
in a domain context - can anyone confirm or deny whether this works in
Cygwin or with getent?

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains too much
technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
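The naming rules quoted in the thread, as an added illustration that is not Cygwin's own code: a small model of the forward mapping (resolved Windows account to Cygwin name) and its inverse, showing why an unprefixed name on a domain member denotes the primary-domain account while the same-named local SAM account needs the "MYMACHINE+" prefix. The machine and domain names are constructed sample values, and the well-known-authority check is a simplification of the "named as in Windows" rule.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified: authorities whose accounts keep their plain Windows name.
WELL_KNOWN_AUTHORITIES = ("NT AUTHORITY", "BUILTIN", "Mandatory Label")


@dataclass(frozen=True)
class Account:
    domain: str  # Windows authority/domain the SID resolved to
    name: str    # Windows account name


def cygwin_name(acct: Account, primary_domain: Optional[str]) -> str:
    """Map a resolved Windows account to its Cygwin user/group name.

    primary_domain is None when the machine is not a domain member.
    """
    if acct.domain in WELL_KNOWN_AUTHORITIES:
        return acct.name            # "SYSTEM", "Medium Mandatory Level", ...
    if primary_domain is None:
        return acct.name            # stand-alone machine: local names only
    if acct.domain.upper() == primary_domain.upper():
        return acct.name            # primary domain: no prefix
    # Any other domain, including the local SAM, gets "DOMAIN+" prepended.
    return f"{acct.domain}+{acct.name}"


def resolve(cyg_name: str, computer: str, primary_domain: Optional[str]) -> Account:
    """Inverse mapping: which Windows account does a Cygwin name denote?"""
    if "+" in cyg_name:
        domain, name = cyg_name.split("+", 1)
        return Account(domain, name)
    # Unprefixed: the local SAM on a stand-alone machine, otherwise the
    # primary domain, so a same-named local account is NOT what you get.
    return Account(computer if primary_domain is None else primary_domain, cyg_name)


def duplicate_name_example() -> dict:
    """Constructed case: MYMACHINE is joined to DOMAIN1; both have 'corinna'."""
    local = Account("MYMACHINE", "corinna")
    domain = Account("DOMAIN1", "corinna")
    return {
        "local_cygwin_name": cygwin_name(local, "DOMAIN1"),    # MYMACHINE+corinna
        "domain_cygwin_name": cygwin_name(domain, "DOMAIN1"),  # corinna
        "unprefixed_resolves_to": resolve("corinna", "MYMACHINE", "DOMAIN1"),
    }
```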