This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: File owner set to Unknown+User on cygwin 1.7.35 via samba 3.6.6 on debian


> On Apr 22 20:50, random user wrote:
>> >> On 4/22/2015 7:21 PM, John Orr wrote: ...
>> 
>> Would I be right in guessing that your samba server is doing
>> authentication using a /etc/samba/smbpasswd file?
>> 
>> If that is the case, the output you show matches my experience.  Files
>> with owner matching the logged-in user in such a case end up with
>> an owner SID like the
>> 
>>   S-1-5-21-2908258922-1501660359-1356206134-1000
>> 
>> seen in your output, as if it is a local user defined only by the
>> samba server itself.  (It seems tied to neither my Unix userid nor my
>> Windows Domain SID, it just seems as if the samba server pretends to
>> be a local Windows OS with its own set of users.)
>> 
>> For users and groups not defined in smbpasswd (or maybe it's for all
>> except for file owner matching the logged in user), the SIDs do show
>> up in the S-1-5-22- Unix_User+/Unix_Group+ form.
>> 
>> I'll leave it at that; hopefully more capable hands can help you
>> choose how to then deal with these SIDs.
> 
> That's a very good point and sounds like a very likely cause for this
> problem.  The fact that the GUI shows "JOHNWL\john" seems like a very
> good hint.

Thanks very much, er, Random, for that tip - great call.

> Here's the problem:  Cygwin's automatism can't resolve this SID,
> and the methods implemented in the account handling can't help with
> that.
> 
> The reason is this:  When you ask the Windows GUI for the ACL of a file,
> it knows whom to ask for the SIDs.  It's either a SID it knows anyway
> (builtin, SAM, AD), or it asks the underlying server of the share.
> 
> However, the account handling in Cygwin is decoupled from the code
> fetching file ACLs.  It only generically cares for passwd and group
> entries, and it only knows to ask SAM or AD for the SID.  It has no
> connection to the server serving the share.  This *might* be possible,
> but code for that just isn't there.

Thanks for the explanation.  I'm fairly new to Samba, but I googled "samba setup"
and three of the first four results talked about using smbpasswd - so I'd presume
this would be a reasonably common situation (unless winbind is used?).
I'm rather curious what conditions cause Samba to return S-1-22-1-1000 - the
ntsec help says "unmapped accounts" get that.  I presume there's another authentication
method I could be using, besides smbpasswd, that allows authentication without
an account mapping?

> What you can do to workaround this problem is either to change Samba
> so as not to return the above SID for the user with UID 1000, but the
> default SID S-1-22-1-1000.

I'm not sure how to do this.  I tried
#: john@johnwl:~ ; sudo pdbedit -u john -U S-1-22-1-1000
tdb_update_sam: struct samu (john) with no RID!
Unable to modify entry!

but that didn't work. I've not found good help on this, but I think perhaps
the -U argument, whose help text is "set user SID or RID" is really only expecting
an RID.  I tried instead setting my samba machine SID to match my cygwin machine SID, with

sudo net setlocalsid S-1-5-21-775725812-2182925691-3402384268

and that worked.  Since my samba RID is still 1000, (and after restarting smbd),
that did indeed produce

#: john@johndesktop:~ ; ls -l /cygdrive/l/.bashrc
-rw-r--r-- 1 john Unix_Group+1000 3833 Aug 22  2013 /cygdrive/l/.bashrc

i.e. the user is now mapping successfully. The only problem is that in our organization,
without a domain, every user will have a different machine SID for their windows
machine, and the samba setup on common servers can only pick one of those.  Just in case,
I tried setting the local samba SID to maybe force Samba to return S-1-22-1-1000
for me:
#: john@johnwl:~ ; sudo net setlocalsid S-1-22-1
Usage: net setlocalsid S-1-5-21-x-y-z

Alas, it saw through my cunning plan.

Any other suggestions on how to get Samba to return S-1-22-1-1000?

> Or, in Cygwin, you just keep a passwd file
> with two entries around.  These entries should be equivalent to the
> output of `getent passwd $USER', so just copy/paste it twice.  Then
> tweak the SID of the second entry to match the above SID.  The end result
> should be:
> 
>  john:*:197608:197121:U-JOHNDESKTOP\john,S-1-5-21-775725812-2182925691-3402384268-1000:/home/john:/bin/bash
>  john:*:197608:197121:U-JOHNWL\john,S-1-5-21-2908258922-1501660359-1356206134-1000:/home/john:/bin/bash

Yep, that may indeed be the best option, with an entry for each samba server I connect to,
though I can't help feeling that the S-1-22-1-1000 option is the cleaner one...

Anyway, doing the above to the passwd file does work
#: john@johndesktop:~ ; ls -l /cygdrive/l/.bashrc
-rw-r--r-- 1 john Unix_Group+1000 3833 Aug 22  2013 /cygdrive/l/.bashrc

Now I just need to get the group right.  The ntsec help says to just set the comment on
the Users group to <cygwin unix="1000"/> (and restart all cygwin processes). I did this,
but it didn't seem to help - maybe because 'id' says my group is None, or because
net localgroup Users 
doesn't mention me?
Since 
net localgroup Administrators does mention me, I tried setting the comment on that group
instead - but no luck.  Gah - frustrating stuff...

Any tips for the best way to fix my group mapping, given all this?
Maybe more entries in /etc/group, or changing out of None in my /etc/passwd entries?

Thank you again - we're almost there! (though the ntsec help might need some updating perhaps...)

John

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
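The two-entry /etc/passwd workaround discussed in the thread, as an added shell example that is not part of the original mail: it takes the `getent passwd $USER` line from the Cygwin side and derives the second entry by swapping in the Samba server's NetBIOS name and machine SID while keeping the user's RID, so the entry can be pasted below the original. The sample passwd line is the one quoted in the thread; the function name is my own and it only accepts S-1-5-21-x-y-z machine SIDs, which is the only form `net setlocalsid` accepts too.

```shell
#!/bin/sh
# Constructed sample: the Cygwin-side `getent passwd john` output quoted in the thread.
SAMPLE_ENTRY='john:*:197608:197121:U-JOHNDESKTOP\john,S-1-5-21-775725812-2182925691-3402384268-1000:/home/john:/bin/bash'

# samba_passwd_entry ENTRY SERVER_NETBIOS SERVER_MACHINE_SID
#   ENTRY              one line of `getent passwd $USER` (Cygwin 1.7.35 format)
#   SERVER_NETBIOS     NetBIOS name the share shows in the Windows GUI, e.g. JOHNWL
#   SERVER_MACHINE_SID the Samba server's local SID without the RID, S-1-5-21-x-y-z
# Prints a copy of ENTRY whose gecos field (field 5) is rewritten to
# "U-SERVER\user,SERVER_MACHINE_SID-RID", where RID is taken from ENTRY's own SID.
# Returns 1 if the machine SID is not in S-1-5-21-x-y-z form or ENTRY has no SID.
samba_passwd_entry() {
  entry=$1; server=$2; server_sid=$3
  case $server_sid in
    S-1-5-21-[0-9]*-[0-9]*-[0-9]*) ;;          # machine SID, no trailing RID
    *) echo "samba_passwd_entry: need S-1-5-21-x-y-z, got '$server_sid'" >&2; return 1 ;;
  esac
  printf '%s\n' "$entry" | awk -F: -v OFS=: -v srv="$server" -v sid="$server_sid" '
    {
      # gecos field looks like U-DOMAIN\user,S-1-5-21-x-y-z-RID
      if (split($5, g, ",") < 2 || g[2] !~ /^S-1-/) exit 1
      rid = g[2]; sub(/.*-/, "", rid)           # keep only the last SID component
      $5 = "U-" srv "\\" $1 "," sid "-" rid     # rebuild gecos; OFS=: reassembles the line
      print
    }'
}

# Emit both lines, original first, so the pair can be appended to /etc/passwd.
passwd_pair() {
  printf '%s\n' "$1"
  samba_passwd_entry "$1" "$2" "$3"
}

passwd_pair "$SAMPLE_ENTRY" JOHNWL S-1-5-21-2908258922-1501660359-1356206134
```

Keep the original line first: Cygwin resolves the name to the first matching entry, and the second entry exists only so the server's SID resolves back to the same uid.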

