Subject: Re: Help with standalone samba SID-uid mapping
From: Chris Roehrig
Date: Mon, 17 Jan 2022 11:53:21 -0800
To: cygwin AT cygwin DOT com

On Mon Jan 17 2022, at 4:04 AM, Corinna Vinschen wrote:

> On Jan 14 11:57, Chris Roehrig wrote:
>> On Fri Jan 14 2022, at 2:04 AM, Corinna Vinschen wrote:
>>> These look like your standard Windows SIDs, so they are your SIDs for
>>> users cristina and croehrig on Windows. They should show up as such in
>>> ls -l output, unless the SID is actually wrong, e. g., they map to your
>>> accounts on another machine or something like that.
>>
>> No, those are the SIDs supplied by the Samba server (see below for my
>> local Windows SIDs). Here they are directly on the Linux machine:
>>
>> housesrv[11]% smbcacls --numeric //housesrv/Users croehrig
>> Enter WORKGROUP\croehrig's password:
>> REVISION:1
>> CONTROL:0x9004
>> OWNER:S-1-5-21-751087815-2087572193-42305691-1000
>> GROUP:S-1-22-2-601
>> ACL:S-1-5-21-751087815-2087572193-42305691-1000:0/0x0/0x001f01ff
>> ACL:S-1-22-2-601:0/0x0/0x001200a9
>> ACL:S-1-1-0:0/0x0/0x001200a9
>>
>> (I think that Samba now uses a more complex IDMAP algorithm than when
>> the Cygwin document above was written and now provides a full domain
>> component to its SIDs.)
>
> That may be so, but in my installation, Samba reports the Unix User ID
> as owner, i. e.
>
> $ icacls \\\\server\\corinna\\foo
> \\server\corinna\foo S-1-22-1-500:(R,W,D,WDAC,WO)
>                      S-1-22-2-11125:(R)
>                      Everyone:(R)
>
> and that's with Samba 4.15.3. I'm doing the mapping via the AD
> uidNumber and gidNumber fields. I've been using this setup for so long
> that I don't remember if I ever saw a "normal", Windows-like SID for the
> user returned by Samba. I never ran winbindd, up until Samba 4.15.3,
> which was the first one forcing me to do so when using AD support.

I'm no Samba expert, but maybe your /var/lib/samba/private/secrets.tdb
file predates that IDMAP change...? What does 'net getdomainsid' say on
your samba host?

housesrv[2]% sudo net getdomainsid
SID for local machine HOUSESRV is: S-1-5-21-751087815-2087572193-42305691
SID for domain WORKGROUP is: S-1-5-21-..........

>> I just added those SIDs to /etc/passwd and /etc/groups (double
>> entries now) and it now works for the user, but (oddly) not the group:
>>
>> tyto[6]% ls -l //housesrv/Users/ ## NB: this is a UNC path to the samba share
>> total 0
>> drwxr-xr-x 1 cristina Unix_Group+603 0 Jan 12 16:06 cristina
>> drwxr-xr-x 1 croehrig Unix_Group+601 0 Jan 14 09:18 croehrig
>> [...]
>> tyto[10]% cat /etc/group
>> croehrig:S-1-22-2-601:601:
>> cristina:S-1-22-2-603:603:
>> croehrig:S-1-5-21-1290748074-662758565-4273641972-1006:601:
>> cristina:S-1-5-21-1290748074-662758565-4273641972-1008:603:
>
> Hmm, that's weird. I just tried this myself. First I created a stock
> /etc/group file with all local and AD accounts. Next I changed
> /etc/nsswitch.conf:
>
> - group: db
> + group: files
>
> Exit/restart Cygwin. `ls -l' now prints
>
> -rw-r--r-- 1 corinna Unknown+Group 13342 Jan 17 10:46 //calimero/corinna/foo
>
> Now I add this line to /etc/group:
>
> mygroup:S-1-22-2-11125:11125:
>
> Exit/restart Cygwin. Now `ls -l' prints
>
> -rw-r--r-- 1 corinna mygroup 13342 Jan 17 10:46 //calimero/corinna/foo
>
> So it works, apparently. Did you set `group: db' in /etc/nsswitch.conf,
> by any chance?

That did the trick. My nsswitch.conf was the default (no lines; only
comments), but everything works great now once I change it to

group: files

Seems odd that changing it back to 'group: files db' causes the groups
to revert to the Unix_Group+601 form (as if the files weren't resolving
it satisfactorily).

Thanks for your help looking into this!

[Update: cygsshd service no longer permits logins (closes connection
immediately) when using 'group: files' (but it does work when running as
/var/sbin/sshd -Dd). I'll have to get syslog-ng set up to try to debug
this further...]

> Corinna
>
> --
> Problem reports: https://cygwin.com/problems.html
> FAQ: https://cygwin.com/faq/
> Documentation: https://cygwin.com/docs.html
> Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
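As an added illustration (not code from the thread or from Cygwin), a small resolver that applies Cygwin-style /etc/group entries (name:SID:gid:) to the OWNER/GROUP SIDs from smbcacls --numeric output, using the lines quoted in the thread as constructed sample input. The Unix_Group+N fallback reproduces the form seen in the ls -l output above for an unmapped S-1-22-2-N SID; the lookup logic itself is mine, not Cygwin's.

```python
import re

# Constructed sample: Cygwin /etc/group lines (name:SID:gid:), one entry per SID
# a group may be reported under, as in the thread.
ETC_GROUP = """\
croehrig:S-1-22-2-601:601:
cristina:S-1-22-2-603:603:
croehrig:S-1-5-21-1290748074-662758565-4273641972-1006:601:
cristina:S-1-5-21-1290748074-662758565-4273641972-1008:603:
"""

# Constructed sample: the relevant lines of the smbcacls --numeric output quoted above.
SMBCACLS = """\
OWNER:S-1-5-21-751087815-2087572193-42305691-1000
GROUP:S-1-22-2-601
ACL:S-1-22-2-601:0/0x0/0x001200a9
"""

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def parse_group_file(text):
    """Map SID -> (name, gid); comments, blank and malformed lines are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or not SID_RE.match(fields[1]) or not fields[2].isdigit():
            continue
        table[fields[1]] = (fields[0], int(fields[2]))
    return table

def resolve_sid(sid, table):
    """Group name for a SID: the /etc/group entry if present, otherwise the
    Unix_Group+N form the thread's ls -l shows for an unmapped S-1-22-2-N SID."""
    if sid in table:
        return table[sid][0]
    parts = sid.split("-")
    if sid.startswith("S-1-22-2-") and len(parts) == 5:
        return "Unix_Group+" + parts[4]
    return None

def owner_and_group(smbcacls_text, table):
    """Resolve the OWNER: and GROUP: SIDs from smbcacls --numeric output.
    The owner is a user SID; against a group table it resolves to None
    (a /etc/passwd table would be consulted for it in the same way)."""
    out = {}
    for line in smbcacls_text.splitlines():
        key, _, sid = line.partition(":")
        if key in ("OWNER", "GROUP"):
            out[key.lower()] = (sid, resolve_sid(sid, table))
    return out
```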