SUA and Active Directory Lookup

All Forums >> [SFU / Interix / SUA Technology] >> Windows Server 2003 R2 SUA >> SUA and Active Directory Lookup
SUA and Active Directory Lookup - May 18, '06, 8:29:29 PM
sirirot
I'm using Windows 2003 R2 with SUA. I have a problem with the GID when I create a new file under a shell. The file will have +SYSTEM as the group of the file instead of the GID of the creator. The UID of the file matches the creator; I only have a problem with the GID. Also, it is very slow when I use the "id" command. The result of the "id" command is also strange; it does not match the information in the Unix Attributes tab of the user properties in "Active Directory Users and Computers". I'm not sure if the problem is because I didn't use the User Name Mapping service. I guess I don't need that because R2 supports Active Directory Lookup, and it should work the same way the User Name Mapping service does. Does anyone have any idea what's wrong with my system?
Post #: 1
RE: SUA and Active Directory Lookup - May 19, '06, 12:00:25 AM
Rodney
From: /Tools lab
I can provide some information, but not necessarily the answer (at least right now).
SUA is Interix version 5.2 (derived from 3.5 etc.).

i) The Unix Attributes tab has no bearing on Interix (aka SUA).
ii) The groups for a user are as listed in the output from id. The list is
generated by several recursive calls, since groups can be members of other groups, which can be members of others, and so on.
The key one in the id output is "gid=...". This primary group is what will
be set on a file unless you are Administrator (then it's "Administrators"; goofy
MS OS rules).
iii) User Name Mapping (UNM) has no bearing on this -- only on NFS.

So the questions back to you are: which user is this happening to, and what is its "gid=..."?

(in reply to sirirot)
Post #: 2
RE: SUA and Active Directory Lookup - May 19, '06, 4:29:16 PM
sirirot
I'll try to give as much information as I can. I also have some more questions about this. If anyone has any idea about any of the questions below, please help. I hope this will also help other members who face similar problems. I'll keep checking this topic to see if someone needs more information. Thank you so much.


1. Answer to Rodney's question: which user is this happening to? What's its "gid=..."?
This is happening to all users (no matter whether the user is a member of the administrators group or not) and on all computers that are running SUA. The gid (from the "id" command) is gid=1050184(unix). The group named "unix" is one I created myself, and I also set the "primary group/gid" under "Unix Attributes" in "AD Users and Computers" for the user (name: schoedcx) to "unix". The group id of the "unix" group that I set under "Unix Attributes" is 55556. Please note that it is different from the result from SUA. Every time I create a file using the "schoedcx" user account, the group ownership of the file or folder is "+SYSTEM" even though my gid is "unix". Please see the results of the commands at the end of this question.
Note: Files or folders that are created by Windows Explorer show the correct ownership and group ownership.

Referring to Rodney's reply that the group ownership will be "Administrators" if the user is a member of the administrators group because it is a Microsoft OS rule: I did change the local policy setting on the system not to follow that rule. It is under Local Security Settings > Local Policies > Security Options > System objects: Default owner for objects created by members of the Administrators group. I changed it from "Administrators group" (which is the default on Windows 2003) to "Object creator". I'm not sure whether the problem of showing "+SYSTEM" as the group owner of a file is caused by this security setting change or not. However, I need to have the owner of the file be the one who created it.

I also tried reinstalling SUA and the SDK two or three times, and the problem is still there. Please help me fix the problem.

Here are the results from the commands that I ran:

-----------------------------------------------------------------------------
$ pwd
/dev/fs
$ ls -l
ls: A: Input/output error
ls: F: Input/output error
total 0
drwxrwxr-x+ 1 +Administrators +SYSTEM 0 May 18 14:02 C
drwxr-xr-x+ 1 +Administrators +SYSTEM 0 May 19 13:19 D
$ ls -ln
ls: A: Input/output error
ls: F: Input/output error
total 0
drwxrwxr-x+ 1 131616 66834 0 May 18 14:02 C
drwxr-xr-x+ 1 131616 66834 0 May 19 13:19 D
$ cd D
$ ls
RECYCLER System Volume Information
$ touch testfile
$ mkdir testfolder
$ ls -l
total 0
drwx------+ 1 +Administrators Domain Users 0 May 16 14:45 RECYCLER
d---rwx--- 1 +Administrators +SYSTEM 0 May 5 12:34 System Volume Information
-rw-r--r-- 1 schoedcx +SYSTEM 0 May 19 13:20 testfile
drwxr-xr-x 1 schoedcx +SYSTEM 0 May 19 13:20 testfolder
$ ls -ln
total 0
drwx------+ 1 131616 1049089 0 May 16 14:45 RECYCLER
d---rwx--- 1 131616 66834 0 May 5 12:34 System Volume Information
-rw-r--r-- 1 1049754 66834 0 May 19 13:20 testfile
drwxr-xr-x 1 1049754 66834 0 May 19 13:20 testfolder
$ id
uid=1049754(schoedcx) gid=1050184(unix) groups=1050184(unix), 65792(+Everyone), 131616(+Administrators), 131617(+Users), 131627(+Remote Desktop Users), 66830(+REMOTE INTERACTIVE LOGON), 66820(+INTERACTIVE), 66827(+Authenticated Users), 66831(+This Organization), 4095(CurrentSession), 66048(+LOCAL), 1049096(Group Policy Creator Owners), 1049089(Domain Users), 1049088(Domain Admins), 1049094(Schema Admins), 1049095(Enterprise Admins), 1049777(IPLORAdmins@TANTRUM), 2147485351(schoedcx)
$
-----------------------------------------------------------------------------


2. As a result of the problem of showing +SYSTEM as the group in question #1, I ran into a problem when I tried to share a folder created under SUA using "Microsoft Services for NFS". The problem is that in the GID part under "NFS Attributes" of the folder that I mounted using the "Microsoft NFS client", it shows "-2" (a.k.a. unknown or none), because the NFS server doesn't know what the "+SYSTEM" group is, and so it uses "-2". I guess this is caused by the problem in question #1, and if I can fix that, this problem should also be fixed. Any suggestions?


3. Referring to Rodney's reply that "Username Mapping (UNM) has no bearing on this -- only on NFS", I found information in the Windows event log showing:
-------------------------------------------------------------------------------------
Event
Date: 5/19/2006 Source: SUA
Time: 1:00:49 PM Category: None
Type: Information EventID: 1012
User: N/A
Computer: DMZ

Description:
Connected to Mapping Server at host 127.0.0.1 (127.0.0.1)
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp
------------------------------------------------------------------------------------
Note: this information event was created when I ran a Korn shell.

Is it trying to connect to User Name Mapping? Or is it something different (Mapping Server vs. User Name Mapping)? Why did Rodney say UNM has no bearing on this?


4. If SUA (Interix 5.2) does not use "User Name Mapping" or "Unix Attributes", how does SUA know what the uid and gid are for each user?


5. For a user's gid, which one will SUA use as the primary gid if the user is a member of many groups? Under the "Member Of" tab in the user properties in "AD Users and Computers", there is a button named "Set Primary Group"; will SUA use that as the gid of the user?


6. I installed SUA (Interix 5.2) on many Win2k3 R2 systems that are joined to a domain, and the domain controllers are running "Identity Management for UNIX"; all UNIX attributes are set for the users. I use the same domain user account to log in to each system and run the "id" command. The results of the "id" command on different systems have different uids and gids, but the translated names and group lists are correct. Why? Is this normal? Will SUA treat different uids on different systems (which translate correctly to the user who logged in) as the same user with the same permissions?


7. Why is it so slow when I use the "id" command and the "ls -l" command (compared to other Interix versions I've used before)? I guess it is because SUA is trying to translate id numbers to names. There might be a problem somewhere, so it is slow. Do you know how I can fix that?


8. Sometimes when I run a shell, the screen freezes and there is no prompt. Is this normal? How do I fix it? What do I need to check? I also tried reinstalling SUA and the SDK two or three times, and the problem is still there.


9. I've read somewhere in this forum that somebody needed to call a Microsoft support guy to get a special patch to fix some problem. What is that problem? Do I still need that patch with this version of SUA (Interix version 5.2)?
Note: I downloaded and use the latest version of the SUA SDK from the Microsoft website; the file release date is 1/9/2006.


10. Do you know if the new version of Interix will use the information in "User Name Mapping" or "Unix Attributes" as the GID/UID? Or can it not do that for some reason? Why?

(in reply to Rodney)
Post #: 3
RE: SUA and Active Directory Lookup - May 19, '06, 6:11:44 PM
sirirot
Additional information for question 1:
I just found out that the group ownership of the file is inherited from the parent folder; that's why I got "+SYSTEM" as the group ownership. I still don't understand why the group ownership of the file is not from the gid of the user who created the file.

(in reply to sirirot)
Post #: 4
RE: SUA and Active Directory Lookup - May 20, '06, 2:32:13 AM
Rodney
From: /Tools lab
I'll go with the questions in groups:

10) and 4)
The UIDs and GIDs used with Interix are derived from the SIDs.
And the UID/GID can be mapped back to a SID later (even with multiple domains).
SIDs are used throughout the system (process token, disk ACLs, etc.).
This is why it has nothing to do with UNM. UNM can have the same UID/GID
used multiple times for different users on different machines (potentially).
It'd be a real rats' nest to rely on it. Besides, you still need to map to SIDs.
And, no, you do not want a lookup table. You get 30,000 users in a domain...

5) When you do an id, the primary group is the one listed with "gid=".

9) This is something that I don't understand the policy about, and most anyone hanging
around here doesn't either (there have been a few rants about it).
Officially, to get any Interix hot fix you have to go through PSS (MS support).
You won't get charged on your credit card for it at the end of it.
The download for SFU 3.5 was updated once for the W2K3 SP1 hot fix. There have
been several hot fixes for Interix, and a few for NFS too, since then. But
the download hasn't been updated for them. I know I've asked MS about it. I know
PSS has asked about it.

8) related to 7)

7) Whenever a stat() API call gets done for a file, the domain controller (e.g. AD) must
be contacted to get reliable information about the UID and GID for the file. An "ls -l"
makes many stat() calls. When a shell is starting there are several stat() calls as the
security of various login scripts is checked, etc. Csh/Tcsh does several more than
sh/ksh because it generates a hash-cache of files that are executables the user can
run (this pays off later because the hash-cache is consulted rather than, as with ksh,
the PATH having to be checked and stat()'d then). ls does cache information too, but it
can't do that until it actually gets the information.
Anyway, if your domain controller is slow to respond, this is the reason for a delay as the
shell or ls starts.

6) If the same user in the same domain logs in to machine A and machine B, and both A & B
are in this domain with neither A nor B being a domain controller, then the uid should be the same.
The domain groups should have the same gids and the built-in groups the same gids; users and groups
local to a machine (in that machine's "personal" domain) will vary.
The calculation of the uid or gid when you are on a domain controller will produce a "local
machine" equivalent result. But anything done will be translated to SIDs for storage, etc.

3) If an NFS disk is mounted then UNM will be consulted for the information to send to the NFS server.
UNM only has bearing with NFS. UNM is not used for file or user attributes.

2) UNM is what is to be used for an NFS client to fill in the ids of the requests being sent to
the NFS server. In your example, +SYSTEM is set in UNM to a group gid so the default -2 is used.
If you map +SYSTEM in UNM to gid 100 then that is what will be sent. Similarly for users.

1) You answered it. The file system driver is king of its realm and plays by its rules.
That's what it was set to do. The other reference you make WRT local security policy is
what will be applied in other circumstances.

(in reply to sirirot)
Post #: 5
RE: SUA and Active Directory Lookup - May 22, '06, 6:09:21 PM
sirirot
Thank you for your answer.

For question 6:
Yes, if systems A and B are not DCs, the UID and GID will be the same. But I'm wondering why, on systems A and B, they both have the same UID/GID. Will a user's UID/GID on any domain controller in the same domain be the same, but different from other systems that are not DCs? What about users logging in across domains (two domains that trust each other); will it follow the same rule (same uid/gid for non-DCs)? Does the rule apply forest-wide?

For question 7:
I did some experimenting and found out that only users migrated from another domain are slow when using the "id" command. I haven't seen any hotfix related to this problem. Do you know which hotfix I should use, or how to fix it?

Thank you again

(in reply to Rodney)
Post #: 6
RE: SUA and Active Directory Lookup - May 22, '06, 6:10:27 PM
sirirot
The users that were migrated have SID history. Is that causing the slowness too?

(in reply to sirirot)
Post #: 7
RE: SUA and Active Directory Lookup - May 22, '06, 9:27:41 PM
Rodney
From: /Tools lab
For A and B of the same domain, where A & B are not DCs, the SID is not for the local machine
and the calculation/translation to uid/gid is identical.
A PDC is not the same as a BDC; a BDC should be like A or B.
A cross-domain trust has domain X trust domain Y. The PDC of X will calculate uid/gids
from the Y domain as A does (not as the DC of Y does). A, a non-DC of X, will calculate uid/gids
by the same method for SIDs of Y as for X, but part of the "base" will be different to
separate the domains (so no collision on ids on the machine).

I'm unsure what you mean by "have SID history".
If the SID is unchanged then the base of the SID will still indicate a different domain.
This could cause a search by the LSA, which would be slow (particularly if that
domain's DC isn't around anymore). There's a function uidtontsid() that will
translate a UID to the full SID as an ASCII string. It makes it easy to see what the
domain base in the SID is. It might be a case for MS support since they'll have the
info about domain migrations in more detail.

(in reply to sirirot)
Post #: 8
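Added example (not code from the thread, from SUA or from Microsoft): a Python reconstruction of the SID to uid/gid arithmetic that Rodney describes in posts #5 and #8, together with the reverse mapping in the spirit of the uidtontsid() call he mentions. The offsets it uses are read off values on this page: 66834 for +SYSTEM (S-1-5-18) and 65792 for +Everyone (S-1-1-0) give the well-known base 0x10000 with the identifier authority in the next byte; 131616 for +Administrators (S-1-5-32-544) gives the BUILTIN base 0x20000; 1049089 for Domain Users (RID 513) gives 0x100000 for the machine's own domain. The domain SID strings, the 0x80000000 base assigned to a second domain, and the sample `id` line (re-joined and shortened from the posted one, with the 2147485351(schoedcx) entry treated as the old-domain SID that SID history carries along) are assumptions made for the example; how Interix actually assigns bases to other domains, local accounts or domain controllers is not recoverable from the thread.

```python
"""
Added example for this thread; not Interix/SUA or Microsoft code.

SID -> uid/gid arithmetic as the posted `id` output implies it:
    well-known  S-1-A-R     -> 0x10000 + A*0x100 + R   (S-1-5-18 +SYSTEM -> 66834)
    BUILTIN     S-1-5-32-R  -> 0x20000 + R             (+Administrators -> 131616)
    domain      <domain>-R  -> <per-domain base> + R   (Domain Users -> 1049089)
Only the 0x100000 base for the machine's own domain is verified against the
page; the domain SID strings and the 0x80000000 base for a second domain are
assumptions made here.
"""
import re

WELL_KNOWN_BASE = 0x10000
BUILTIN_BASE = 0x20000

# Domain SID prefix -> base for that domain's RIDs on this machine (assumed SIDs).
DOMAIN_BASES = {
    "S-1-5-21-1111111111-2222222222-3333333333": 0x100000,    # current domain
    "S-1-5-21-4444444444-5555555555-6666666666": 0x80000000,  # old domain (assumed)
}

_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")
_ID_ENTRY_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>...' into (authority, [sub-authorities])."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")[1:]]


def sid_to_id(sid):
    """Numeric uid/gid for a SID; ValueError for layouts this scheme does not cover."""
    authority, subs = parse_sid(sid)
    rid = subs[-1]
    if len(subs) == 1:                                          # well-known S-1-A-R
        if authority > 0xFF or rid > 0xFF:
            raise ValueError(f"well-known SID does not fit the encoding: {sid}")
        return WELL_KNOWN_BASE + authority * 0x100 + rid
    if authority == 5 and subs[0] == 32 and len(subs) == 2:     # BUILTIN
        return BUILTIN_BASE + rid
    if authority == 5 and subs[0] == 21 and len(subs) == 5:     # domain account
        prefix = "S-1-5-" + "-".join(str(s) for s in subs[:-1])
        if prefix not in DOMAIN_BASES:
            raise ValueError(f"no base assigned to domain {prefix}")
        return DOMAIN_BASES[prefix] + rid
    # Logon-session SIDs (S-1-5-5-X-Y) and the like; the posted output shows
    # that one as 4095(CurrentSession), outside this arithmetic.
    raise ValueError(f"unsupported SID layout: {sid}")


def id_to_sid(num):
    """Reverse mapping, the view uidtontsid() gives: which domain base a number came from."""
    if WELL_KNOWN_BASE <= num < BUILTIN_BASE:
        v = num - WELL_KNOWN_BASE
        return f"S-1-{v >> 8}-{v & 0xFF}"
    if BUILTIN_BASE <= num < 0x30000:
        return f"S-1-5-32-{num - BUILTIN_BASE}"
    # The largest domain base not exceeding num wins, so bases must be spaced
    # further apart than any RID in use or ids from two domains would collide.
    candidates = [(base, prefix) for prefix, base in DOMAIN_BASES.items() if base <= num]
    if not candidates:
        raise ValueError(f"{num} is below every known domain base")
    base, prefix = max(candidates)
    return f"{prefix}-{num - base}"


def explain_id_output(id_line):
    """[(number, name, sid_or_None)] for every n(name) entry of an `id` line."""
    entries = []
    for num_s, name in _ID_ENTRY_RE.findall(id_line):
        num = int(num_s)
        try:
            sid = id_to_sid(num)
        except ValueError:
            sid = None
        entries.append((num, name, sid))
    return entries


def foreign_domain_entries(id_line, home_prefix):
    """Entries that resolve to a domain other than home_prefix (e.g. a SID-history SID)."""
    return [e for e in explain_id_output(id_line)
            if e[2] is not None and e[2].startswith("S-1-5-21-")
            and not e[2].startswith(home_prefix + "-")]


# Sample line constructed from the thread's posted `id` output (re-joined where
# the forum wrapped it mid-number, and shortened); not a live capture.
SAMPLE_ID_LINE = (
    "uid=1049754(schoedcx) gid=1050184(unix) groups=1050184(unix), 65792(+Everyone), "
    "131616(+Administrators), 131617(+Users), 66830(+REMOTE INTERACTIVE LOGON), "
    "66827(+Authenticated Users), 66048(+LOCAL), 1049089(Domain Users), "
    "1049088(Domain Admins), 4095(CurrentSession), 2147485351(schoedcx)"
)

if __name__ == "__main__":
    for num, name, sid in explain_id_output(SAMPLE_ID_LINE):
        print(f"{num:>11}  {name:<26} {sid or '(not derivable from the number alone)'}")
```

Run as a script it prints each entry of the sample `id` line next to the SID it maps back to. The one entry that resolves under the second domain base is the kind of id a migrated account drags along, and, per post #8, is the lookup that sends the LSA off to a domain controller that may no longer exist; the 4095(CurrentSession) entry is left unresolved because the logon-session SID is not encoded by this arithmetic.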
RE: SUA and Active Directory Lookup - May 23, '06, 11:52:09 AM
sirirot
I have two domains, a new one and an old one. "Users in the new domain have SID history" means that there are two SIDs associated with each user that was migrated from the old domain. One of the SIDs was newly created when the user was migrated. The SID history is the old SID from the old domain.

In this case, with two SIDs, will systems A and B need to talk with the old domain when translating UID<->SID?

By the way, what is the LSA? Where does it reside, in the case of two trusted domains?

Do you know if there is any hotfix for this new version of SUA (Interix v5.2)? I searched the MS KB and only found some for SFU 3.5, not for this version.

Thank you.

(in reply to Rodney)
Post #: 9
RE: SUA and Active Directory Lookup - May 23, '06, 12:39:09 PM
Rodney
From: /Tools lab
No hotfixes have been released for 5.2 at this time.

The LSA is the Local Security Authority. It runs as its own subsystem (the LSASS).
It's responsible for handling local requests from CSRSS (Win32) and Interix (PSXSS)
with regard to user and group information. If it doesn't have the information then
it is the one that reaches out to find the DC. It's also what creates process tokens.
A trust relationship is set up the same way as with Kerberos, since AD is using Kerberos.

> In this case, with two SIDs, will systems A and B need to talk with the old domain when translating UID<->SID?

All of the requests for information go through the LSA.
So if the LSA has some special knowledge to map old-SID to new-SID, the old domain shouldn't
be needed, provided the mapping is complete. But I think this is unlikely, based on what I know.
Generally speaking, the "history" is for the new user to get security access equivalent to
what they used to have on objects with the old-SID. The only reason a process is going to ask
the LSA for a lookup on the old-SID is if it finds one. The authority for the old-SID is the old DC.
Looking around through a bunch of the documentation from MS, it seems pretty clear that the history
thing is a temporary state during migration. It's to allow for the transition of users from one
domain to another while the account is active. Once the migration is complete, a tool to change
all of the old-SIDs to the new-SIDs should be applied to all of the objects (files, etc.).
Then the SID history can be removed (since nothing depends on it anymore), which apparently
helps improve security as well.

(in reply to sirirot)
Post #: 10