On Mon Jan 17 2022, at 4:04 AM, Corinna Vinschen <corinna-cyg...@cygwin.com> wrote:
> On Jan 14 11:57, Chris Roehrig wrote:
>> On Fri Jan 14 2022, at 2:04 AM, Corinna Vinschen <corinna-cyg...@cygwin.com>
>> wrote:
>>> These look like your standard Windows SIDs, so they are your SIDs for
>>> users cristina and croehrig on Windows. They should show up as such in
>>> ls -l output, unless the SID is actually wrong, e. g., they map to your
>>> accounts on another machine or something like that.
>>
>> No those are the SIDs supplied by the Samba server (see below for my local
>> Windows SIDs). Here they are directly on the Linux machine:
>> housesrv[11]% smbcacls --numeric //housesrv/Users croehrig
>> Enter WORKGROUP\croehrig's password:
>> REVISION:1
>> CONTROL:0x9004
>> OWNER:S-1-5-21-751087815-2087572193-42305691-1000
>> GROUP:S-1-22-2-601
>> ACL:S-1-5-21-751087815-2087572193-42305691-1000:0/0x0/0x001f01ff
>> ACL:S-1-22-2-601:0/0x0/0x001200a9
>> ACL:S-1-1-0:0/0x0/0x001200a9
>>
>> (I think that Samba now uses a more complex IDMAP algorithm than when
>> the Cygwin document above was written and now provides a full domain
>> component to its SIDs.)
>
> That may be so, but in my installation, Samba reports the Unix User ID
> as owner, i. e.
>
> $ icacls \\\\server\\corinna\\foo
> \\server\corinna\foo S-1-22-1-500:(R,W,D,WDAC,WO)
>                      S-1-22-2-11125:(R)
>                      Everyone:(R)
>
> and that's with Samba 4.15.3. I'm doing the mapping via the AD
> uidNumber and gidNumber fields. I'm using this setup for so long that I
> don't remember if I ever saw a "normal", Windows-like SID for the user
> returned by Samba. I never ran winbindd, up until Samba 4.15.3, which
> was the first one forcing me to do so when using AD support.

I'm no Samba expert, but maybe your /var/lib/samba/private/secrets.tdb file predates that IDMAP change...?
What does 'net getdomainsid' say on your samba host?

housesrv[2]% sudo net getdomainsid
SID for local machine HOUSESRV is: S-1-5-21-751087815-2087572193-42305691
SID for domain WORKGROUP is: S-1-5-21-..........

>
>> I just added those SIDs to /etc/passwd and /etc/groups (double
>> entries now) and it now works for the user, but (oddly) not the group:
>>
>> tyto[6]% ls -l //housesrv/Users/ ## NB: this is
>> a UNC path to the samba share
>> total 0
>> drwxr-xr-x 1 cristina Unix_Group+603 0 Jan 12 16:06 cristina
>> drwxr-xr-x 1 croehrig Unix_Group+601 0 Jan 14 09:18 croehrig
>> [...]
>> tyto[10]% cat /etc/group
>> croehrig:S-1-22-2-601:601:
>> cristina:S-1-22-2-603:603:
>> croehrig:S-1-5-21-1290748074-662758565-4273641972-1006:601:
>> cristina:S-1-5-21-1290748074-662758565-4273641972-1008:603:
>
> Hmm, that's weird. I just tried this myself. First I created a stock
> /etc/group file with all local and AD accounts. Next I changed
> /etc/nsswitch.conf:
>
> - group: db
> + group: files
>
> Exit/restart Cygwin. `ls -l' now prints
>
> -rw-r--r-- 1 corinna Unknown+Group 13342 Jan 17 10:46 //calimero/corinna/foo
>
> Now I add this line to /etc/group:
>
> mygroup:S-1-22-2-11125:11125:
>
> Exit/restart Cygwin. Now `ls -l' prints
>
> -rw-r--r-- 1 corinna mygroup 13342 Jan 17 10:46 //calimero/corinna/foo
>
> So it works, apparently. Did you set `group: db' in /etc/nsswitch.conf,
> by any chance?

That did the trick. My nsswitch.conf was the default (no lines; only comments), but everything works great now once I change it to

group: files

Seems odd that changing it back to 'group: files db' causes the groups to revert to the Unix_Group+601 form (as if the files weren't resolving it satisfactorily).

Thanks for your help looking into this!

[Update: cygsshd service no longer permits logins (closes connection immediately) when using 'group: files' (but it does work when running as /var/sbin/sshd -Dd). I'll have to get syslog-ng set up to try to debug this further...]

>
>
> Corinna
>
> --
> Problem reports: https://cygwin.com/problems.html
> FAQ: https://cygwin.com/faq/
> Documentation: https://cygwin.com/docs.html
> Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
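
Added example (not part of the thread, and not Cygwin or Samba code): a small Python helper that classifies every SID in `smbcacls --numeric` output of the kind quoted above and looks it up in Cygwin-style /etc/group lines, which makes it visible which ACL entries have no local name. The sample data is copied from the thread; the function names and the kind labels ("server_account", "foreign_account", ...) are made up for this illustration.

```python
import re

# Sample data copied from the thread above.
SMBCACLS = """\
REVISION:1
CONTROL:0x9004
OWNER:S-1-5-21-751087815-2087572193-42305691-1000
GROUP:S-1-22-2-601
ACL:S-1-5-21-751087815-2087572193-42305691-1000:0/0x0/0x001f01ff
ACL:S-1-22-2-601:0/0x0/0x001200a9
ACL:S-1-1-0:0/0x0/0x001200a9
"""
ETC_GROUP = "croehrig:S-1-22-2-601:601:\ncristina:S-1-22-2-603:603:\n"
SERVER_SID = "S-1-5-21-751087815-2087572193-42305691"  # from 'net getdomainsid'

def classify_sid(sid, machine_sid=None):
    """Return (kind, numeric id) for a SID string."""
    if not re.fullmatch(r"S-1(-\d+)+", sid):
        raise ValueError(f"not a SID: {sid!r}")
    if sid == "S-1-1-0":                      # well-known SID for Everyone
        return ("everyone", None)
    m = re.fullmatch(r"S-1-22-([12])-(\d+)", sid)
    if m:                                     # Samba's Unix User / Unix Group SIDs
        return ("unix_user" if m.group(1) == "1" else "unix_group", int(m.group(2)))
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)", sid)
    if m:                                     # machine or domain SID plus RID
        kind = "server_account" if m.group(1) == machine_sid else "foreign_account"
        return (kind, int(m.group(2)))
    return ("other", None)

def load_sid_names(group_text):
    """Map SID -> name from name:SID:gid: lines; the first entry for a SID wins."""
    names = {}
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[1].startswith("S-1-"):
            names.setdefault(fields[1], fields[0])
    return names

def explain_acl(smbcacls_text, names, machine_sid):
    """One row per OWNER/GROUP/ACL line: (tag, sid, kind, id, local name or None)."""
    rows = []
    for line in smbcacls_text.splitlines():
        tag, _, rest = line.partition(":")
        if tag in ("OWNER", "GROUP", "ACL"):
            sid = rest.split(":")[0]
            rows.append((tag, sid, *classify_sid(sid, machine_sid), names.get(sid)))
    return rows

if __name__ == "__main__":
    for row in explain_acl(SMBCACLS, load_sid_names(ETC_GROUP), SERVER_SID):
        print(row)
```

A row whose last field is None is a SID that the given file entries cannot name.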