This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: 'id' groups listing conflicts w/'net group GROUPNAMEHERE /domain'


Thank you again Pierre.

I appreciate the increased rights ;->    It fixed up more than
just the net drive issue; a couple of my database admin commands that were
failing now work again in an ssh session.

see comments below

--
regards,
Tom

On Thu 7/28/05 13:22 EDT "Pierre A. Humblet" wrote:
> Tom Rodman wrote:
> 
> > The 'id' command indicates user staffuser1 is in group ABC_NA-CTX-Notepad-A.
> > I use this account 'staffuser1', and have no idea what group ABC_NA-CTX-Notepad-A
> > is; I do not think user staffuser1 is really in that group, but you could
> > prove me wrong (how?).
> > 
> > This is causing problems in ssh sessions; Pierre A. Humblet supplied
> >  me with a workaround: (http://cygwin.com/ml/cygwin/2005-07/msg01287.html).
>     
> > How can we determine if user staffuser1 is or is not in group ABC_NA-CTX-Notepad-A?
> 
> id reports the groups that are in the (Windows) process token, using
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/gettokeninformation.asp
> Somehow Windows put it there.
> 
> The fact that net ... does not report it is consistent with your ssh troubles.
> When ssh asks Windows what groups you are part of, Windows does
> not include ABC_NA-CTX-Notepad-A 
> However when ssh asks Windows to log you in (giving your password),
> Windows does include that group in the token. The discrepancy causes
> ssh to create another token, leading to your access troubles on shared drives. 
> 
> There is a remote chance (I have never observed something like that) that
> the group is in the token but not "enabled", or that SE_GROUP_USE_FOR_DENY_ONLY
> is set, or some such, see the special flags in
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/token_groups.asp
> You may also get a clue by looking at the content of your /tmp/foo001

The users in /tmp/foo001 mean little to me.  I did recognize one person
I know out of the ~86 usernames, so maybe I'll talk to him about the
group's purpose and human "creator".

The domain we're in is large (many thousands of users), and 'mkpasswd -d -l'
fails because it's so large, so I run 'mkpasswd -l', and then individual
'mkpasswd -d -u USERNAME' for all the end users I support, and cat all these
to /etc/passwd in a daily cron job.

> 
> You can easily find out the details by creating a short program using
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/getcurrentprocess.asp
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/openprocesstoken.asp
> and gettokeninformation to list the groups in your token and understand what's going on.
> The group SID can be mapped to a name with
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/lookupaccountsid.asp
> Do you feel able to do that?

I have not had time to thoroughly look at your links, but my hunch is
that I will need help writing the program(s) - and that I can get that
help here where I work.

I will keep the mailing list updated, but I expect it may take a while;
meanwhile I'll use the workaround.

<snip>

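The program Pierre describes above, written out as an added example (it is not code from this thread or from the Cygwin project): it walks GetCurrentProcess -> OpenProcessToken -> GetTokenInformation(TokenGroups) -> LookupAccountSid and prints every group in the process token together with its attribute flags, so a group that is merely present, not enabled, or marked SE_GROUP_USE_FOR_DENY_ONLY shows up as such. Function names, buffer sizes and the output layout are my choices; the Win32 part builds only on Windows (e.g. gcc under Cygwin/MinGW), while the flag decoder is portable.

```c
/* Added example (not from the thread): Pierre's suggested token-group lister.
 * Win32 part builds only on Windows (gcc under Cygwin/MinGW); decoder is portable. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else                                  /* flag values as defined in winnt.h */
typedef unsigned long DWORD;
#define SE_GROUP_MANDATORY          0x00000001
#define SE_GROUP_ENABLED_BY_DEFAULT 0x00000002
#define SE_GROUP_ENABLED            0x00000004
#define SE_GROUP_USE_FOR_DENY_ONLY  0x00000010
#endif

/* A group only grants access when it is enabled and not deny-only. */
int group_is_effective(DWORD attrs) {
    return (attrs & SE_GROUP_ENABLED) && !(attrs & SE_GROUP_USE_FOR_DENY_ONLY);
}

/* Decode attribute bits into a comma-separated list (static buffer). */
const char *group_attrs_to_string(DWORD attrs) {
    static char buf[80];
    static const struct { DWORD bit; const char *name; } flags[] = {
        { SE_GROUP_MANDATORY, "mandatory" }, { SE_GROUP_ENABLED_BY_DEFAULT, "enabled-by-default" },
        { SE_GROUP_ENABLED, "enabled" }, { SE_GROUP_USE_FOR_DENY_ONLY, "deny-only" } };
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof flags / sizeof flags[0]; i++) {
        if (!(attrs & flags[i].bit)) continue;
        if (buf[0]) strcat(buf, ",");
        strcat(buf, flags[i].name);
    }
    return buf[0] ? buf : "none";
}
#ifdef _WIN32
int main(void) {                       /* GetCurrentProcess -> OpenProcessToken -> GetTokenInformation */
    HANDLE tok; DWORD need = 0;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return 1;
    GetTokenInformation(tok, TokenGroups, NULL, 0, &need);            /* size query */
    TOKEN_GROUPS *tg = (TOKEN_GROUPS *)LocalAlloc(LPTR, need);
    if (!tg || !GetTokenInformation(tok, TokenGroups, tg, need, &need)) return 1;
    for (DWORD i = 0; i < tg->GroupCount; i++) {
        char name[256], dom[256]; DWORD nl = sizeof name, dl = sizeof dom, a = tg->Groups[i].Attributes;
        SID_NAME_USE use;                                             /* LookupAccountSid: SID -> DOMAIN\name */
        if (LookupAccountSidA(NULL, tg->Groups[i].Sid, name, &nl, dom, &dl, &use)) printf("%s\\%s", dom, name);
        else printf("<unresolvable SID>");
        printf("  [%s]%s\n", group_attrs_to_string(a), group_is_effective(a) ? "" : "  <- not granting access");
    }
    LocalFree(tg); CloseHandle(tok); return 0;
}
#endif
```

Run it inside the ssh session and inside a local console session and compare the two listings: a group that appears only in one of them, or appears with deny-only or without enabled, is the discrepancy Pierre describes.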