From: Chris Roehrig
Subject: Re: Help with standalone samba SID-uid mapping
Date: Fri, 14 Jan 2022 11:57:03 -0800
To: cygwin@cygwin.com
Message-Id: <7BA06F03-FCFA-492E-898F-F423F03E15F6@house.org>
On Fri Jan 14 2022, at 2:04 AM, Corinna Vinschen wrote:

> On Jan 13 14:39, Chris Roehrig wrote:
>> I'm trying to set up samba (standalone) following these instructions:
>> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-samba
>>
>> but I'm having no luck getting my samba user/groups to appear correctly using the comment field as described in the document.
>>
>> I'm using samba 4.13.14 on Ubuntu 20.04 with security = user (smbpasswd). winbindd is not installed and I'm not using any LDAP or AD anywhere.
>>
>> E.g. here is what is on the server (croehrig:croehrig = 601:601; cristina:cristina = 603:603)
>> housesrv[3]% ls -l /House/Users
>> total 17
>> drwxr-xr-x  9 cristina cristina 22 Jan 12 16:06 cristina
>> drwxr-xr-x 30 croehrig croehrig 53 Jan 13 09:47 croehrig
>>
>>
>> Here are the ACLs and SIDs when looking on the windows client:
>> tyto[5]% icacls \\\\housesrv\\Users\\\*
>> \\housesrv\Users\cristina S-1-5-21-751087815-2087572193-42305691-1001:(F)
>>                           S-1-22-2-603:(RX)
>>                           Everyone:(RX)
>>
>> \\housesrv\Users\croehrig S-1-5-21-751087815-2087572193-42305691-1000:(F)
>>                           S-1-22-2-601:(RX)
>>                           Everyone:(RX)
>>
>> As you can see, the gid is mapping to the S-1-22-2- as described
>> in the document above, but the uid is using a domain-specific SID with
>> different RIDs.
>
> These look like your standard Windows SIDs, so they are your SIDs for
> users cristina and croehrig on Windows. They should show up as such in
> ls -l output, unless the SID is actually wrong, e.g., they map to your
> accounts on another machine or something like that.

No, those are the SIDs supplied by the Samba server (see below for my local Windows SIDs).
Here they are directly on the Linux machine:

housesrv[11]% smbcacls --numeric //housesrv/Users croehrig
Enter WORKGROUP\croehrig's password:
REVISION:1
CONTROL:0x9004
OWNER:S-1-5-21-751087815-2087572193-42305691-1000
GROUP:S-1-22-2-601
ACL:S-1-5-21-751087815-2087572193-42305691-1000:0/0x0/0x001f01ff
ACL:S-1-22-2-601:0/0x0/0x001200a9
ACL:S-1-1-0:0/0x0/0x001200a9

(I think that Samba now uses a more complex IDMAP algorithm than when the Cygwin document above was written and now provides a full domain component to its SIDs.)

I just added those SIDs to /etc/passwd and /etc/groups (double entries now) and it now works for the user, but (oddly) not the group:

tyto[6]% ls -l //housesrv/Users/    ## NB: this is a UNC path to the samba share
total 0
drwxr-xr-x 1 cristina Unix_Group+603 0 Jan 12 16:06 cristina
drwxr-xr-x 1 croehrig Unix_Group+601 0 Jan 14 09:18 croehrig

NB: I'm only having issues with the files on the samba share. All my local files work fine and correctly show the user/group.
Here are the SIDs on my local Windows machine (they are different on each of my Windows clients):

tyto[7]% wmic useraccount get name,sid | grep cr
cristina  S-1-5-21-1290748074-662758565-4273641972-1007
croehrig  S-1-5-21-1290748074-662758565-4273641972-1002

tyto[8]% wmic group get name,sid | grep cr
grp-cristina  S-1-5-21-1290748074-662758565-4273641972-1008
grp-croehrig  S-1-5-21-1290748074-662758565-4273641972-1006

tyto[9]% cat /etc/passwd
croehrig:*:601:601:HOUSESRV\croehrig,S-1-5-21-751087815-2087572193-42305691-1000:/home/croehrig:/bin/bash
cristina:*:603:603:HOUSESRV\cristina,S-1-5-21-751087815-2087572193-42305691-1001:/home/cristina:/bin/bash
croehrig:*:601:601:U-TYTO\croehrig,S-1-5-21-1290748074-662758565-4273641972-1002:/home/croehrig:/bin/bash
cristina:*:603:603:U-TYTO\cristina,S-1-5-21-1290748074-662758565-4273641972-1007:/home/cristina:/bin/bash

tyto[10]% cat /etc/group
croehrig:S-1-22-2-601:601:
cristina:S-1-22-2-603:603:
croehrig:S-1-5-21-1290748074-662758565-4273641972-1006:601:
cristina:S-1-5-21-1290748074-662758565-4273641972-1008:603:
admin:S-1-5-21-1290748074-662758565-4273641972-1004:80:
chrises:S-1-5-21-1290748074-662758565-4273641972-1003:1001:
house:S-1-5-21-1290748074-662758565-4273641972-1005:1002:
nobody:S-1-5-21-1290748074-662758565-4273641972-513:99:

Any idea why those first two /etc/group entries are not working? The rest work fine (on local files only of course).

I tried temporarily deleting the 3rd and 4th entries in case there was an issue with double entries but it made no difference (even after restarting all cygwin processes).

>
>> On the windows client I have the same users and groups set up locally
>> (SAM) with appropriate SID mappings to the same uid/gids (601/603) in
>> the Cygwin /etc/passwd and /etc/group. This has all been working
>> well to ensure e.g. rsync preserves permissions and ownership between
>> cygwin and Linux.
>> (The windows groups are called 'grp-croehrig' and
>> 'grp-cristina' since windows users and groups share a namespace, but
>> they are mapped to 'croehrig' and 'cristina' in /etc/group).
>>
>>
>> Here is how the SMB share looks under Cygwin:
>> tyto[6]% ls -l //housesrv/Users/
>> total 0
>> drwxr-xr-x 1 Unknown+User Unix_Group+603 0 Jan 12 16:06 cristina
>> drwxr-xr-x 1 Unknown+User Unix_Group+601 0 Jan 13 09:47 croehrig
>
> Sorry, but I don't quite understand. If you have matching /etc/passwd
> and /etc/group files, and your /etc/nsswitch.conf allows reading the
> files, this shouldn't happen. Are the Windows SIDs correct? Are they
> matching your machine?
>
> Corinna
>
> --
> Problem reports: https://cygwin.com/problems.html
> FAQ: https://cygwin.com/faq/
> Documentation: https://cygwin.com/docs.html
> Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
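An added example, not code from this thread, Cygwin or Samba: a small checker that cross-references the SIDs in a smbcacls/icacls listing against Cygwin-style /etc/passwd and /etc/group entries, so a reader can verify that each SID in the ACL actually has a file entry before suspecting the name-service lookup. It assumes only the line formats visible in the messages above (passwd: name:*:uid:gid:DOMAIN\name,SID:home:shell; group: name:SID:gid:). The fallback names it produces for unmatched SIDs ("Unknown+User", "Unix_Group+N", and a parallel "Unix_User+N" for S-1-22-1-uid) are modelled on the ls output quoted in the thread and are an assumption about Cygwin's naming, not taken from its source. The sample data is copied from the thread.

```python
"""Cross-check SMB ACL SIDs against Cygwin-style passwd/group entries.

Added example for the thread above; not Cygwin's or Samba's code.
"""
import re

# Cygwin /etc/passwd lines as quoted in the thread: name:*:uid:gid:DOMAIN\name,SID:home:shell
PASSWD = """\
croehrig:*:601:601:HOUSESRV\\croehrig,S-1-5-21-751087815-2087572193-42305691-1000:/home/croehrig:/bin/bash
cristina:*:603:603:HOUSESRV\\cristina,S-1-5-21-751087815-2087572193-42305691-1001:/home/cristina:/bin/bash
croehrig:*:601:601:U-TYTO\\croehrig,S-1-5-21-1290748074-662758565-4273641972-1002:/home/croehrig:/bin/bash
cristina:*:603:603:U-TYTO\\cristina,S-1-5-21-1290748074-662758565-4273641972-1007:/home/cristina:/bin/bash
"""

# Cygwin /etc/group lines as quoted in the thread: name:SID:gid:
GROUP = """\
croehrig:S-1-22-2-601:601:
cristina:S-1-22-2-603:603:
croehrig:S-1-5-21-1290748074-662758565-4273641972-1006:601:
cristina:S-1-5-21-1290748074-662758565-4273641972-1008:603:
"""

# 'smbcacls --numeric' output for the croehrig directory, as quoted in the thread
SMBCACLS = """\
REVISION:1
CONTROL:0x9004
OWNER:S-1-5-21-751087815-2087572193-42305691-1000
GROUP:S-1-22-2-601
ACL:S-1-5-21-751087815-2087572193-42305691-1000:0/0x0/0x001f01ff
ACL:S-1-22-2-601:0/0x0/0x001200a9
ACL:S-1-1-0:0/0x0/0x001200a9
"""

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def parse_passwd(text):
    """Return {sid: (name, uid, gid)}; the SID sits after the comma in the comment field."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, gid, gecos, _home, _shell = line.split(":", 6)
        m = SID_RE.search(gecos)
        if m:
            out[m.group(0)] = (name, int(uid), int(gid))
    return out


def parse_group(text):
    """Return {sid: (name, gid)} from 'name:SID:gid:' lines."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sid, gid, _rest = line.split(":", 3)
        out[sid] = (name, int(gid))
    return out


def resolve(sid, users, groups):
    """Name a SID from the files, else fall back to names modelled on the thread's ls output.

    The Unix_User+/Unix_Group+ forms for S-1-22-1-uid / S-1-22-2-gid are an assumption
    about Cygwin's fallback naming, based on the 'Unix_Group+603' seen in the thread.
    """
    if sid in users:
        return users[sid][0]
    if sid in groups:
        return groups[sid][0]
    if sid == "S-1-1-0":          # well-known Everyone SID
        return "Everyone"
    m = re.fullmatch(r"S-1-22-1-(\d+)", sid)
    if m:
        return f"Unix_User+{m.group(1)}"
    m = re.fullmatch(r"S-1-22-2-(\d+)", sid)
    if m:
        return f"Unix_Group+{m.group(1)}"
    return "Unknown+User"


def check_acl(smbcacls_text, passwd_text, group_text):
    """Map every OWNER/GROUP/ACL SID to a name; also list those that only got a fallback name."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    result = {}
    for line in smbcacls_text.splitlines():
        key, _, rest = line.partition(":")
        if key not in ("OWNER", "GROUP", "ACL"):
            continue
        sid = SID_RE.match(rest).group(0)
        result[sid] = resolve(sid, users, groups)
    unresolved = [s for s, n in result.items() if n.startswith(("Unknown", "Unix_"))]
    return result, unresolved


def duplicate_names(passwd_text):
    """(name, uid) pairs carried by more than one SID, i.e. the 'double entries' in the thread."""
    seen = {}
    for sid, (name, uid, _gid) in parse_passwd(passwd_text).items():
        seen.setdefault((name, uid), []).append(sid)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    names, missing = check_acl(SMBCACLS, PASSWD, GROUP)
    for sid, name in names.items():
        print(f"{sid:50} -> {name}")
    print("unresolved:", missing or "none")
    print("duplicate passwd names:", duplicate_names(PASSWD))
```

Run against the thread's own data, every SID in the smbcacls output (including S-1-22-2-601) finds a file entry, so the entries themselves are syntactically fine; the checker says nothing about how Cygwin consults those files, which is the open question in the thread. Point it at real /etc/passwd and /etc/group contents and fresh smbcacls output to get the same report for another share.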