On 2019-02-15 13:59, Bill Stewart wrote:
> On Fri, Feb 15, 2019 at 1:43 PM Corinna Vinschen wrote:
>> More specific than the original text? I'm hard pressed to accomplish
>> that. Take note of the "domain member machine" property.
> I think I see the problem. The list I posted (above the one you are
> apparently referring to) has the search in a different order.
> The section that starts with "Let's discuss the SID<=>uid/gid mapping
> first. Here's how it works." states this order:
> * Well-known SIDs in the NT_AUTHORITY domain of the S-1-5-RID type
> * Other well-known SIDs in the NT_AUTHORITY domain (S-1-5-X-RID)
> * Other well-known SIDs
> * Logon SIDs
> * Accounts from the local machine's user DB (SAM)
> * Accounts from the machine's primary domain
> * Accounts from a trusted domain of the machine's primary domain
> In this list, local machine accounts are listed before domain accounts.
> Underneath that, there's a second section with examples that starts
> with "Now we have a semi-bijective mapping..." that has this order:
> * Well-known and builtin accounts will be named as in Windows:
>   "SYSTEM", "LOCAL", "Medium Mandatory Level", ...
> * If the machine is not a domain member machine, only local accounts
>   can be resolved into names, so for ease of use, just the account names
>   are used as Cygwin user/group names:
>   "corinna", "bigfoot", "None", ...
> * If the machine is a domain member machine, all accounts from the
>   primary domain of the machine are mapped to Cygwin names without
>   domain prefix:
>   "corinna", "bigfoot", "Domain Users", ...
>   while accounts from other domains are prepended by their domain:
>   "DOMAIN1+corinna", "DOMAIN2+bigfoot", "DOMAIN3+Domain Users", ...
> * Local machine accounts of a domain member machine get a Cygwin user
>   name the same way as accounts from another domain: The local machine
>   name gets prepended:
>   "MYMACHINE+corinna", "MYMACHINE+bigfoot", "MYMACHINE+None", ...
> * If LookupAccountSid fails, Cygwin checks the accounts against the
>   known trusted domains. If the account is from one of the trusted
>   domains, an artificial account name is created. It consists of the
>   domain name, and a special name created from the account RID:
> In the second list, it says domains are first before the local machine.
> I was assuming the first section is an orderly sequence of searching,
> since that's usually how Windows works.
> The second section with the examples seems to be a different order,
> and would seem to be the order Cygwin actually uses.
> I was just wondering if that's by design or by accident, since it's
> different from the typical order.
What it says is that an unprefixed name in a domain defaults to the name
as if prefixed by the primary domain, so if you want the local SAM entry
on a domain machine ($USERDOMAIN != $COMPUTERNAME), you must prefix the
name with the local machine name followed by "+".

Should the local machine name provided be $COMPUTERNAME or $HOSTNAME?

Windows normally allows "." to be used to refer to the local machine name
in a domain context - can anyone confirm or deny whether this works in
Cygwin or with getent?

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
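The naming rules in the quoted list, and the lookup convention described in the reply (unprefixed names resolve against the primary domain, local SAM entries need the "MACHINE+" prefix), as an added model written for this message; it is not Cygwin's own code. Machine and domain names are constructed, the set of well-known authority names is an assumption, and the artificial-name fallback for unresolvable trusted-domain SIDs is not modelled.

```python
# Added example (not Cygwin's own code): a model of the account-name
# mapping quoted above. Machine and domain names here are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

# Authority names Windows reports for well-known/builtin accounts
# (assumption for this model; the set is not exhaustive).
WELL_KNOWN_AUTHORITIES = {"NT AUTHORITY", "BUILTIN", "Mandatory Label"}


@dataclass(frozen=True)
class Machine:
    name: str                        # local machine name ($COMPUTERNAME)
    primary_domain: Optional[str]    # None when not a domain member


def _same(a: str, b: str) -> bool:
    """Windows account and domain names compare case-insensitively."""
    return a.casefold() == b.casefold()


def cygwin_name(machine: Machine, domain: str, account: str) -> str:
    """Cygwin user/group name for an account that LookupAccountSid
    resolved to (domain, account), following the quoted rules."""
    if domain in WELL_KNOWN_AUTHORITIES:
        return account                      # "SYSTEM", "LOCAL", ...
    if machine.primary_domain is None:
        # Not a domain member: only local SAM accounts can be resolved,
        # and they are used without any prefix.
        if not _same(domain, machine.name):
            raise ValueError(f"{domain}\\{account}: not resolvable here")
        return account
    if _same(domain, machine.primary_domain):
        return account                      # primary domain: no prefix
    # Other domains and the local SAM both get "<DOMAIN>+<name>".
    return f"{domain}+{account}"


def lookup_target(machine: Machine, cygname: str) -> Tuple[str, str]:
    """Reverse direction: which (domain, account) a Cygwin name refers
    to. An unprefixed name means the primary domain on a member machine,
    so local SAM accounts there need the "<MACHINE>+" prefix."""
    domain, sep, account = cygname.partition("+")
    if not sep:
        return (machine.primary_domain or machine.name, cygname)
    return (domain, account)
```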