This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: 'id' groups listing conflicts w/'net group GROUPNAMEHERE /domain'


Tom Rodman wrote:

> The 'id' command indicates user staffuser1 is in group ABC_NA-CTX-Notepad-A.
> I use this account 'staffuser1', and have no idea what group ABC_NA-CTX-Notepad-A
> is; I do not think user staffuser1 is really in that group, but you could
> prove me wrong (how?).
> 
> This is causing problems in ssh sessions; Pierre A. Humblet supplied
> me with a workaround: (http://cygwin.com/ml/cygwin/2005-07/msg01287.html).
>
> How can we determine if user staffuser1 is or is not in group ABC_NA-CTX-Notepad-A?

id reports the groups that are in the (Windows) process token, using
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/gettokeninformation.asp
Somehow Windows put it there.

The fact that net ... does not report it is consistent with your ssh troubles.
When ssh asks Windows what groups you are part of, Windows does
not include ABC_NA-CTX-Notepad-A.
However when ssh asks Windows to log you in (giving your password),
Windows does include that group in the token. The discrepancy causes
ssh to create another token, leading to your access troubles on shared drives. 

There is a remote chance (I have never observed something like that) that
the group is in the token but not "enabled", or that SE_GROUP_USE_FOR_DENY_ONLY
is set, or some such, see the special flags in
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/token_groups.asp
You may also get a clue by looking at the content of your /tmp/foo001.

You can easily find out the details by creating a short program using
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/getcurrentprocess.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/openprocesstoken.asp
and gettokeninformation to list the groups in your token and understand what's going on.
The group SID can be mapped to a name with
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/lookupaccountsid.asp
Do you feel able to do that?

Pierre



