From: Chris Roehrig
To: cygwin@cygwin.com
Subject: Re: Help with standalone samba SID-uid mapping
Date: Mon, 17 Jan 2022 11:53:21 -0800
Message-Id: <402C8A93-4EE5-445A-B12A-5BF85D1EEB72@house.org>
References: <064846E1-8D6D-41D2-97D9-4C3793502CEE@house.org> <7BA06F03-FCFA-492E-898F-F423F03E15F6@house.org>
List-Id: General Cygwin discussions and problem reports
On Mon Jan 17 2022, at 4:04 AM, Corinna Vinschen wrote:
> On Jan 14 11:57, Chris Roehrig wrote:
>> On Fri Jan 14 2022, at 2:04 AM, Corinna Vinschen wrote:
>>> These look like your standard Windows SIDs, so they are your SIDs for
>>> users cristina and croehrig on Windows. They should show up as such in
>>> ls -l output, unless the SID is actually wrong, e. g., they map to your
>>> accounts on another machine or something like that.
>>
>> No, those are the SIDs supplied by the Samba server (see below for my
>> local Windows SIDs). Here they are directly on the Linux machine:
>> housesrv[11]% smbcacls --numeric //housesrv/Users croehrig
>> Enter WORKGROUP\croehrig's password:
>> REVISION:1
>> CONTROL:0x9004
>> OWNER:S-1-5-21-751087815-2087572193-42305691-1000
>> GROUP:S-1-22-2-601
>> ACL:S-1-5-21-751087815-2087572193-42305691-1000:0/0x0/0x001f01ff
>> ACL:S-1-22-2-601:0/0x0/0x001200a9
>> ACL:S-1-1-0:0/0x0/0x001200a9
>>
>> (I think that Samba now uses a more complex IDMAP algorithm than when
>> the Cygwin document above was written and now provides a full domain
>> component to its SIDs.)
>
> That may be so, but in my installation, Samba reports the Unix User ID
> as owner, i. e.
>
> $ icacls \\\\server\\corinna\\foo
> \\server\corinna\foo S-1-22-1-500:(R,W,D,WDAC,WO)
>                      S-1-22-2-11125:(R)
>                      Everyone:(R)
>
> and that's with Samba 4.15.3. I'm doing the mapping via the AD
> uidNumber and gidNumber fields. I'm using this setup for so long that I
> don't remember if I ever saw a "normal", Windows-like SID for the user
> returned by Samba. I never ran winbindd, up until Samba 4.15.3, which
> was the first one forcing me to do so when using AD support.

I'm no Samba expert, but maybe your /var/lib/samba/private/secrets.tdb
file predates that IDMAP change...? What does 'net getdomainsid' say on
your samba host?
housesrv[2]% sudo net getdomainsid
SID for local machine HOUSESRV is: S-1-5-21-751087815-2087572193-42305691
SID for domain WORKGROUP is: S-1-5-21-..........

>
>> I just added those SIDs to /etc/passwd and /etc/groups (double
>> entries now) and it now works for the user, but (oddly) not the group:
>>
>> tyto[6]% ls -l //housesrv/Users/    ## NB: this is a UNC path to the samba share
>> total 0
>> drwxr-xr-x 1 cristina Unix_Group+603 0 Jan 12 16:06 cristina
>> drwxr-xr-x 1 croehrig Unix_Group+601 0 Jan 14 09:18 croehrig
>> [...]
>> tyto[10]% cat /etc/group
>> croehrig:S-1-22-2-601:601:
>> cristina:S-1-22-2-603:603:
>> croehrig:S-1-5-21-1290748074-662758565-4273641972-1006:601:
>> cristina:S-1-5-21-1290748074-662758565-4273641972-1008:603:
>
> Hmm, that's weird. I just tried this myself. First I created a stock
> /etc/group file with all local and AD accounts. Next I changed
> /etc/nsswitch.conf:
>
> - group: db
> + group: files
>
> Exit/restart Cygwin. `ls -l' now prints
>
> -rw-r--r-- 1 corinna Unknown+Group 13342 Jan 17 10:46 //calimero/corinna/foo
>
> Now I add this line to /etc/group:
>
> mygroup:S-1-22-2-11125:11125:
>
> Exit/restart Cygwin. Now `ls -l' prints
>
> -rw-r--r-- 1 corinna mygroup 13342 Jan 17 10:46 //calimero/corinna/foo
>
> So it works, apparently. Did you set `group: db' in /etc/nsswitch.conf,
> by any chance?

That did the trick. My nsswitch.conf was the default (no lines; only
comments), but everything works great now once I change it to

group: files

Seems odd that changing it back to 'group: files db' causes the groups
to revert to the Unix_Group+601 form (as if the files weren't resolving
it satisfactorily).

Thanks for your help looking into this!

[Update: cygsshd service no longer permits logins (closes connection
immediately) when using 'group: files' (but it does work when running as
/var/sbin/sshd -Dd). I'll have to get syslog-ng set up to try to debug
this further...]
>
>
> Corinna
>
> --
> Problem reports: https://cygwin.com/problems.html
> FAQ: https://cygwin.com/faq/
> Documentation: https://cygwin.com/docs.html
> Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
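The fix the thread arrives at (hand-writing name:SID:gid: lines for the Samba "Unix Group" SIDs into Cygwin's /etc/group, then switching nsswitch.conf to group: files) is easy to get subtly wrong when more than a couple of groups are involved. The script below is an added example, not code from the thread, Cygwin or Samba: it parses the `smbcacls --numeric` output Chris posted (embedded here as a constructed sample), classifies each SID, emits the /etc/group lines in the format shown in the thread, checks whether the owner SID comes from the Samba host's own domain SID (Corinna's "accounts on another machine" concern), and reports gids that appear under more than one SID in an existing /etc/group. It assumes Samba's well-known Unix User/Unix Group SID prefixes S-1-22-1-<uid> and S-1-22-2-<gid>; the gid-to-name map, the function names and the sample group file are my own.

```python
"""Added example: generate Cygwin /etc/group entries from smbcacls output.

Assumptions (not from the thread): S-1-22-1-<uid> / S-1-22-2-<gid> are
Samba's Unix User / Unix Group SIDs; Cygwin shows them as Unix_User+<uid>
/ Unix_Group+<gid> until a matching passwd/group entry exists; the group
file format is name:SID:gid: as shown in the thread.
"""

UNIX_USER_PREFIX = "S-1-22-1-"
UNIX_GROUP_PREFIX = "S-1-22-2-"
DOMAIN_PREFIX = "S-1-5-21-"

# Constructed sample: the smbcacls --numeric output posted in the thread.
SAMPLE_SMBCACLS = """\
REVISION:1
CONTROL:0x9004
OWNER:S-1-5-21-751087815-2087572193-42305691-1000
GROUP:S-1-22-2-601
ACL:S-1-5-21-751087815-2087572193-42305691-1000:0/0x0/0x001f01ff
ACL:S-1-22-2-601:0/0x0/0x001200a9
ACL:S-1-1-0:0/0x0/0x001200a9
"""

# Constructed: what `net getdomainsid` reported for the Samba host.
SAMBA_MACHINE_SID = "S-1-5-21-751087815-2087572193-42305691"

# Constructed: gid -> name, as taken from the Samba host's /etc/group.
NAME_BY_GID = {601: "croehrig", 603: "cristina"}


def parse_smbcacls(text):
    """Return (owner_sid, group_sid, [(sid, type, flags, mask), ...])."""
    owner = group = None
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("OWNER:"):
            owner = line.split(":", 1)[1]
        elif line.startswith("GROUP:"):
            group = line.split(":", 1)[1]
        elif line.startswith("ACL:"):
            # ACL:<sid>:<type>/<flags>/<mask>  (SIDs contain no colons)
            sid, rest = line[4:].split(":", 1)
            ace_type, flags, mask = rest.split("/")
            aces.append((sid, int(ace_type), int(flags, 16), int(mask, 16)))
    return owner, group, aces


def classify(sid):
    """('unix_user', uid) | ('unix_group', gid) | ('domain', rid) | ('well_known', sid)."""
    if sid.startswith(UNIX_USER_PREFIX):
        return "unix_user", int(sid[len(UNIX_USER_PREFIX):])
    if sid.startswith(UNIX_GROUP_PREFIX):
        return "unix_group", int(sid[len(UNIX_GROUP_PREFIX):])
    if sid.startswith(DOMAIN_PREFIX):
        return "domain", int(sid.rsplit("-", 1)[1])
    return "well_known", sid


def domain_part(sid):
    """S-1-5-21-a-b-c-<rid> -> S-1-5-21-a-b-c; None for non-domain SIDs."""
    if not sid.startswith(DOMAIN_PREFIX):
        return None
    return sid.rsplit("-", 1)[0]


def issued_by(sid, machine_sid):
    """True when a domain SID was minted by the given machine/domain SID."""
    return domain_part(sid) == machine_sid


def group_lines(sids, name_by_gid):
    """Cygwin /etc/group lines (name:SID:gid:) for every Unix Group SID."""
    out = []
    for sid in dict.fromkeys(sids):  # de-duplicate, keep order
        kind, gid = classify(sid)
        if kind == "unix_group":
            name = name_by_gid.get(gid, f"Unix_Group+{gid}")
            out.append(f"{name}:{sid}:{gid}:")
    return out


def gid_conflicts(group_file_text):
    """gids that appear with more than one SID in a Cygwin /etc/group."""
    sids_by_gid = {}
    for line in group_file_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        sids_by_gid.setdefault(int(fields[2]), set()).add(fields[1])
    return {g: sorted(s) for g, s in sids_by_gid.items() if len(s) > 1}


if __name__ == "__main__":
    owner, group, aces = parse_smbcacls(SAMPLE_SMBCACLS)
    print("owner from Samba host:", issued_by(owner, SAMBA_MACHINE_SID))
    print("\n".join(group_lines([group] + [a[0] for a in aces], NAME_BY_GID)))
```

The gid-conflict check is worth running against the "double entries" layout from the thread: the same gid listed once under S-1-22-2-<gid> and once under the local Windows S-1-5-21-...-<rid> SID is exactly the state that made the group column fall back to Unix_Group+601 while group: db was still consulted.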