ntsec: What am I doing wrong?

Corinna Vinschen corinna@vinschen.de
Fri Nov 26 03:55:00 GMT 1999

"Charles S. Wilson" wrote:
> mkpasswd -l -g > passwd
> mkgroup -l > group
> I'm using NT, so in the "My Computer"->Properties->Environment pane, I
> set CYGWIN=binmode tty ntea ntsec
> [...]
> Now, I start bash, and do an 'ls -l'
> total 17
> -rw-rw-rw-   1 user     group         871 May 19  1999 bashrc
> [...]
> -rw-rw-rw-   1 user     group        9828 Dec  1  1998 termcap
> 'id' reports:
> uid=0(user) gid=0(group)

Hi Charles,

do you work on a FAT partition? FAT isn't able to handle NT security
settings. On FAT all entries are simulated to be owned by the current

If you use NTFS, you should make your sample real: Send the output
of `mkpasswd -l' `mkgroup -l' and `ls -ln' of an NTFS dir.

In the latest snapshots `ntsec' has additional features which are
not visible on the first glance. You are able to use them if you
call `mkpasswd' and `mkgroup' from the snapshots. Both tools now
additionally write the SIDs into the passwd and group file.
Unfortunately, I still haven't updated the ntsec documentation
(documentation is WORK ;-)) so I post the brief description which
I have given in the developers mailing list. Hope, this helps.
Additional questions will be gladly answered (please send them
to the list).

============ SNIP ==============

I have patched ntsec so, that SIDs are used, that were previously
saved in /etc/passwd and /etc/group. This has following advantages:

- Correct working ntsec in domain environments.

- Non-login accounts (users _and_ groups) may get another name in
  /etc/passwd and /etc/group files than their NT account name.
  The new name is transparently used by applications (so chown,
  chgrp, ls -l, etc. use them now),
  instead of

  No problem if running in console window,
  BUT: If you need the account to login via telnet, ssh or similar
  the login name _must_ be the NT user name.

- Cygwin UIDs and GIDs are now not necessarily the RID part of the
  instead of
- As with U*X systems, UIDs and GIDs numbering scheme now don't
  influence each other, so it's possible to have same Id's for a
  user and a group,
        root::0:0:...           # former 'administrator::500:544:...'

        root::0:                # former 'administrators::544:'

Disadvantages, if you like to use the new features:
- /etc/passwd: The pw_gecos field has to contain a SID as the last
  element of the comma separated list.
- /etc/group: The gr_passwd (former unused) has to contain a SID.

If no SIDs are found in /etc/passwd and /etc/group, ntsec acts like
the previous version.

The SIDs are saved in standard WinNT notation (S-1-5-32-...)
the utilities mkpasswd and mkgroup are patched, to support the new

- mkpasswd and mkgroup generate SIDs by default. This behaviour may
  be switched off by the new commandline option `-s' or `--no-sids'.

Moreover, mkpasswd generates the home dir path with the function
cygwin_conv_to_posix_path(), so mount points are used now. This
behaviour may be changed to `/cygdrive/<Driveletter>' by using the
commandline option `-m' or `--no-mount'.
============ SNAP ==============


Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe@sourceware.cygnus.com

More information about the Cygwin mailing list