Enumerating Unix users and groups from Windows

Hi,

when I want to know the user/group name <-> SID mapping of the UNIX user
and groups (The ones with SIDs S-1-22-1, S-1-22-2), I can call
LookupAccountSid and LookupAccountName just fine from Windows.

However, it doesn't seem to be possible to enumerate these accounts
using NetUserEnum/NetGroupEnum/NetLocalGroupEnum.

Nor can I ask for detailed user information with NetUserGetInfo.  The
call always returns Win32 error 2221.

Am I missing something obvious, or is it really only possible to use the
LookupAccountFOO calls for a direct account<->SID mapping?


Corinna

Corinna Vinschen wrote: Not sure if this has anything to do with it (my samba book is on my desk
at work :/ ), but do you have "winbind enum users = true" and "winbind
enum groups = true" set on the samba server?  I'm thinking that those
are only for idmap'ing and bulk lookups, but have you looked at those
settings?  Just a stab in the dark.

On Jul 23 06:56, Scott Lovenberg wrote:
Thanks for the reply.  No, I don't use any of these settings and winbind
isn't running.  I can enumerate and get info for any user and group
account which is based on the machine SID.  It's just not possible to
enumerate and get info from the users and groups using the default
"Unix User"/"Unix Group" mappings.


Corinna

On Wed, Jul 23, 2008 at 12:30:35PM +0200, Corinna Vinschen wrote:
> when I want to know the user/group name <-> SID mapping of the UNIX user
> and groups (The ones with SIDs S-1-22-1, S-1-22-2), I can call
> LookupAccountSid and LookupAccountName just fine from Windows.

S-1-22-x is just a workaround for accounts not in smbpasswd
or pdb_something. Right now we don't have a capability to
list all unix accounts. While it should be possible
RPC-wise, i.e. do a samr_opendomain on s-1-22-1, it is not
implemented yet, and I don't know if this would be available
via the Win32 NetUser API. I doubt that that API expects
more than one SAM on a server.

Volker

On Jul 23 18:25, Volker Lendecke wrote:
Thanks for the reply.  I was just puzzled since I had expected that
the UNIX user accounts are simply part of the same enumeration and
automatically returned by NetUserEnum if no filter is set and, say,
NetLocalGroupEnum.

It's also sot of weird that LookupAccountName works, but NetUserGetInfo
doesn't.


Corinna

On Wed, Jul 23, 2008 at 07:19:50PM +0200, Corinna Vinschen wrote: The problem is: We would have to assign RIDs to those
accounts. And mapping RIDs to Unix IDs and vice versa is not
exactly an easy job. S-1-22-x is the best approximation we
could find for the Windows file security editor.

> It's also sot of weird that LookupAccountName works, but NetUserGetInfo
> doesn't.

LsaLookupNames does expect multiple domains, because it has
to take care of trusted domains. NetUserInfo probably has to
do an OpenUser which can only happen against the defining
DC. Very likely it finds the RID via a SamrLookupNames (not
the LSA version), so it can not find the correct RID for the
S-1-22 domains. This would have to be verified by sniffs
though.

Volker

On Jul 23 23:42, Volker Lendecke wrote:
Oh, I'm not saying that you shouldn't use S-1-22-x.  It's a nice method
to map uids/gids to SIDs.  What I'm missing is that they are just not
enumerated *together* with the other SIDs.

For instance, when you call NetLocalGroupEnum on a Windows machine, you
get a list which contains accounts from different "domains" and with
different base SIDs, too.  Calling LookupAccountName afterwards shows
that clearly:

  NetLocalGroupEnum (MACHINE); LookupAccountName (Name)

  Name      RID   Domain  SID
  -----------------  ----   ------- -------------------------------
  Administrators      544   BUILTIN S-1-5-32-544
  Backup Operators    551   BUILTIN S-1-5-32-551
  Guests      546   BUILTIN S-1-5-32-546
  [...]
  Users      545   BUILTIN S-1-5-32-545
  HelpServicesGroup  1001   MACHINE S-1-5-21-12345-67890-76543-1001

So it enumerates BUILTIN accounts as well as MACHINE accounts.

Samba could return the unix groups as local groups as well:

  NetLocalGroupEnum (SAMBA)  LookupAccountName (Name)

  Name      RID   Domain      SID
  -----------------  ----   ----------  ---------------------------------
  root                  0   Unix Group  S-1-22-2-0
  bin 1   Unix Group  S-1-22-2-0

And for users:

  NetEnumUsers (SAMBA, info class 3); LookupAccountName (Name)

  Name      RID   Domain      SID
  -----------------  ----   ----------  ---------------------------------
  root                  0   Unix User   S-1-22-1-0
  bin 1   Unix User   S-1-22-1-0
  [...]
  corinna            2000   MACHINE     S-1-5-21-98765-43210-23489-2000

Given that I'm probably the first one to complain, it might be not
overly important, of course.  And I have a workaround.

My scenario is this:  So far Cygwin has to create /etc/passwd and
/etc/group files for the uid/gid <-> SID mapping.  To create these
files, you have two tools calls mkpasswd and mkgroup which create these
files using the NetEnum and LookupAccount functions.  To show the
user/group info on Samba shares correctly, both tools have to enumerate
accounts from Samba.  My workaround for the UNIX users and groups is to
loop over constructed S-1-22-x-y SIDs and calling LookupAccountSid with
them.  That works, but it's incredibly slow for ranges like 0-65535...


Corinna

On Thu, Jul 24, 2008 at 10:54:36AM +0200, Corinna Vinschen wrote: Well, not quite. Windows always has its SAM (the
S-1-5-21-12345-6... thingy), and S-1-5-32-xx. Samba does
this as well, so you should see the same output from a Samba
box. Those two domains are expected by the Win32 client API,
not more. We could try to experiment what Windows says when
we expand the samr_EnumDomains RPC call. What's the easiest
way to call the NetEnumUsers API call? Some vbs script? :-)

Volker

On Jul 25 16:28, Volker Lendecke wrote:
That's not what I see.  The NetLocalGroupEnum function returns with
success but with an empty group list when called on a Samba server.
This is with 3.0.30.

> Those two domains are expected by the Win32 client API,
> not more. We could try to experiment what Windows says when
> we expand the samr_EnumDomains RPC call. What's the easiest
> way to call the NetEnumUsers API call? Some vbs script? :-)

Sorry, but I'm Windows scripting illiterate.  What about just installing
Cygwin and building the below code with

  gcc -o nlge nlge.c -lnetapi32


Corinna

=== SNIP ===
#include <stdio.h>
#include <windows.h>
#include <lm.h>

char *
put_sid (PSID psid)
{
  static char s[256];
  char t[32];
  DWORD i;

  strcpy (s, "S-1-");
  sprintf (t, "%u", GetSidIdentifierAuthority (psid)->Value[5]);
  strcat (s, t);
  for (i = 0; i < *GetSidSubAuthorityCount (psid); ++i)
    {
      sprintf(t, "-%lu", *GetSidSubAuthority (psid, i));
      strcat (s, t);
    }
  return s;
}

void
enum_local_groups (char *server)
{
  WCHAR servername[256];
  LOCALGROUP_INFO_0 *buffer;
  DWORD entriesread = 0;
  DWORD totalentries = 0;
  DWORD resume_handle = 0;
  DWORD rc, i;

  if (!server)
    return;
  mbstowcs (servername, server, 256);
 
  do
    {
      rc = NetLocalGroupEnum (servername, 0, (void *) &buffer,
                              MAX_PREFERRED_LENGTH, &entriesread,
                              &totalentries, &resume_handle);
      if (rc != ERROR_MORE_DATA && rc != ERROR_SUCCESS)
        {
          fprintf (stderr, "NetLocalGroupEnum error %lu\n", rc);
          break;
        }
      for (i = 0; i < entriesread; i++)
      {
          WCHAR domain_name[256];
          DWORD domname_len = 256;
          char psid_buffer[40];
          PSID psid = (PSID) psid_buffer;
          DWORD sid_length = 40;
          SID_NAME_USE acc_type;

          if (!LookupAccountNameW (servername, buffer[i].lgrpi0_name, psid,
                                   &sid_length, domain_name, &domname_len,
                                   &acc_type))
            {
              fprintf (stderr, "LookupAccountNameW (%ls) error %lu\n",
                       buffer[i].lgrpi0_name, GetLastError ());
              continue;
            }
          else if (acc_type == SidTypeDomain)
            {
              WCHAR domname[512];

              wcscpy (domname, domain_name);
              wcscat (domname, L"\\");
              wcscat (domname, buffer[i].lgrpi0_name);
              sid_length = 40;
              domname_len = 256;
              if (!LookupAccountNameW (servername, domname,
                                       psid, &sid_length,
                                       domain_name, &domname_len,
                                       &acc_type))
                {
                  fprintf (stderr, "LookupAccountNameW (%ls) error %lu\n",
                           domname, GetLastError ());
                  continue;
                }
            }
          printf ("%ls\\%ls == %s\n", domain_name, buffer[i].lgrpi0_name,
                                      put_sid (psid));

        }
      NetApiBufferFree (buffer);
    }
  while (rc == ERROR_MORE_DATA);
}

int
main (int argc, char **argv)
{
  if (argc != 2)
    {
      fprintf (stderr, "usage: %s server\n", argv[0]);
      return 1;
    }
  enum_local_groups (argv[1]);
  return 0;
}

On Fri, Jul 25, 2008 at 05:11:16PM +0200, Corinna Vinschen wrote:
> That's not what I see.  The NetLocalGroupEnum function returns with
> success but with an empty group list when called on a Samba server.
> This is with 3.0.30.

You get BUILTIN groups when they are some. We store them in
our group mapping, administered with "net sam" or "net
groupmap":

BUILTIN\Administrators == S-1-5-32-544
BUILTIN\Users == S-1-5-32-545
DELPHIN\root == S-1-5-21-1698955576-602920669-2466945278-1000
DELPHIN\vl == S-1-5-21-1698955576-602920669-2466945278-3014
DELPHIN\vlendec == S-1-5-21-1698955576-602920669-2466945278-3000

What I've also tried here is to list all users with
NetUserEnum. This was against a Samba server where I have
extended the samr_EnumDomains call to not only return
BUILTIN and DELPHIN as domains, but also "Unix Users" and
"Unix Groups". But as expected, NetUserEnum did not even try
to look at those, although I've told it they are there. So
I'm afraid as long as a unix user does not have a SID inside
Samba's domain ("Unix Users" is just made to create a place
for those), there's no way to list them via that API.

If you're able to talk SAMR RPC directly, we could easily
extend our samr calls to also allow samr_OpenDomain on
S-1-22 and list unix users and groups there.

Volker

On Jul 26 10:12, Volker Lendecke wrote:
Oh well, too bad.  Thanks for testing!

> If you're able to talk SAMR RPC directly, we could easily
> extend our samr calls to also allow samr_OpenDomain on
> S-1-22 and list unix users and groups there.

No, I have only standard Windows calls available.  Never mind, I have a
workaround.  It's slow but it's something only called very seldom so it
doesn't matter much.


Thanks again,
Corinna

On Sat, Jul 26, 2008 at 01:19:30PM +0200, Corinna Vinschen wrote:
> No, I have only standard Windows calls available.  Never mind, I have a
> workaround.  It's slow but it's something only called very seldom so it
> doesn't matter much.

Hmmm. Isn't MS-RPC "standard" windows?

Volker

On Jul 26 13:34, Volker Lendecke wrote:
> On Sat, Jul 26, 2008 at 01:19:30PM +0200, Corinna Vinschen wrote:
> > No, I have only standard Windows calls available.  Never mind, I have a
> > workaround.  It's slow but it's something only called very seldom so it
> > doesn't matter much.
>
> Hmmm. Isn't MS-RPC "standard" windows?

Well, yes.  Unfortunately I have no experience with this stuff and it
sounds a lot of effort for something I have a working workaround for.
I hope that doesn't sound too lazy...


Corinna

On Sat, Jul 26, 2008 at 04:03:25PM +0200, Corinna Vinschen wrote:
> > > No, I have only standard Windows calls available.  Never mind, I have a
> > > workaround.  It's slow but it's something only called very seldom so it
> > > doesn't matter much.
> >
> > Hmmm. Isn't MS-RPC "standard" windows?
>
> Well, yes.  Unfortunately I have no experience with this stuff and it
> sounds a lot of effort for something I have a working workaround for.
> I hope that doesn't sound too lazy...

I haven't done any RPC programming under Windows so far
either, but right now I'm deep in getting the Samba server
side right. If you happen to dive into it, I'm sure we could
do a lot of stuff to get the posix behaviour in cygwin a lot
better.

Volker

On Jul 26 16:11, Volker Lendecke wrote:
Ok, I'll put that on my TODO list, but it might take some time.
Accessing the user lists is something only very seldom used, when the
user generates a new /etc/passwd of /etc/group file, so it's not *that*
high on my priority list.

What do you have in mind posix-wise?  In terms of accessing symlinks and
file information, I'd rather see something along the lines of the
Extended Attributes NFS access I described in my mail from 2008-06-23
because that would allow to get the same results on Samba and NFS shares
with only one piece of code.


Corinna

On Sun, Jul 27, 2008 at 12:40:32PM +0200, Corinna Vinschen wrote:
> Ok, I'll put that on my TODO list, but it might take some time.
> Accessing the user lists is something only very seldom used, when the
> user generates a new /etc/passwd of /etc/group file, so it's not *that*
> high on my priority list.

Ok.

> What do you have in mind posix-wise?  In terms of accessing symlinks and

One thing that might be transferred this way is the login
shell and home directory information.

> file information, I'd rather see something along the lines of the
> Extended Attributes NFS access I described in my mail from 2008-06-23
> because that would allow to get the same results on Samba and NFS shares
> with only one piece of code.

Yes, maybe that's the better way for file system access.

Volker

On Jul 27 17:14, Volker Lendecke wrote:
Indeed.  But the Unix User/Group entries are only used for a useful
ls(1) and stat(1) output.  It won't be possible to use these user
accounts for a login or something.  What I have on my TODO list for a
later release is AD LDAP access per RFC 2307 to get user and group
entries.  This would allow us to get rid of /etc/passwd and /etc/group
entirely in AD environments.

> > file information, I'd rather see something along the lines of the
> > Extended Attributes NFS access I described in my mail from 2008-06-23
> > because that would allow to get the same results on Samba and NFS shares
> > with only one piece of code.
>
> Yes, maybe that's the better way for file system access.

I'd be willing to help implementing it, but I guess we should discuss
this a bit more first.


Thanks,
Corinna

Hi Volker,

On Jul 28 10:37, Corinna Vinschen wrote:
> On Jul 27 17:14, Volker Lendecke wrote:
> > On Sun, Jul 27, 2008 at 12:40:32PM +0200, Corinna Vinschen wrote:
> > > Ok, I'll put that on my TODO list, but it might take some time.
> > > Accessing the user lists is something only very seldom used, when the
> > > user generates a new /etc/passwd of /etc/group file, so it's not *that*
> > > high on my priority list.
> >
> > Ok.

I'm not sure I can do that at all.  From what I see from the MSDN
documentation I need the Microsoft MIDL precompiler to get RPC function
calls working.  But Cygwin is built using gcc.  There's no OSS MIDL
compiler available.  Does anybody have docs or, even better, example
code how to do the client side without using MIDL?


Corinna