Ownership, Permissions and User Mapping woes 

Joined: Sat Aug 11, 2012 12:51
Posts: 2
Post Re: Ownership, Permissions and User Mapping woes
I have tried following the guide on user mapping, but it isn't working for me as I expect.

In Windows I have created two users (...-1000, ...-1004) and a group (...-1006). The two users are both members of the new group, as well as the default users group; and the first user is also a local admin.
In Windows I have explicitly changed the owner of everything to be the first user.
In Windows I have set the following Allow permissions on everything:
Code:
Authenticated Users: Modify
System: Full
Local Admins: Full
Local Users: Read & Execute
My new group: Full

Everything is set to inherit.

I have created a UserMapping file:
Code:
1000::S-1-5-21-2673249586-1243819082-2635891356-1000
1001::S-1-5-21-2673249586-1243819082-2635891356-1004
:users:S-1-5-21-2673249586-1243819082-2635891356-1006
:users:S-1-5-21-2673249586-1243819082-2635891356-513
::S-1-5-21-2673249586-1243819082-2635891356-10000


I am using the following fstab options:
Code:
inherit,windows_names,locale=en_GB.UTF-8


But the mounted partition has permissions and owners:
Code:
dr-xr-xr-x 1 root root
-r-xr-xr-x 1 root root


secaudit -v reports:
Code:
secaudit 1.3.17 : NTFS security data auditing
Directory /windows/E/data/
        000000  01000484 98000000 b4000000 00000000
        000010  14000000 02008400 05000000 00131400
        000020  bf011300 01010000 00000005 0b000000
        000030  00131400 ff011f00 01010000 00000005
        000040  12000000 00131800 ff011f00 01020000
        000050  00000005 20000000 20020000 00131800
        000060  a9001200 01020000 00000005 20000000
        000070  21020000 00132400 ff011f00 01050000
        000080  00000005 15000000 328d569f 4a2c234a
        000090  9c821c9d ee030000 01050000 00000005
        0000a0  15000000 328d569f 4a2c234a 9c821c9d
        0000b0  e8030000 01020000 00000005 20000000
        0000c0  20020000
Computed hash : 0xcef20d5f
Windows attrib : 0x30
== Linux owner is different from Windows owner
Interpreted Unix owner 0, group 0, mode 0555
No errors were found


Why aren't my files showing up with permissions and owners:
Code:
drwxrwxr-x 1 1000 users
-rw-rw-r-- 1 1000 users


secaudit -vv suggests that ownership is:
Code:
User SID
    Local user-1000 SID
    hex S-1-5-15-9f568d32-4a232c4a-9d1c829c-3e8
    dec S-1-5-21-2673249586-1243819082-2635891356-1000
Group SID
    Local admins SID
    hex S-1-5-20-220
    dec S-1-5-32-544

Is my problem that the Group SID is that of Local admins? I have not found a way of setting (or viewing) this group SID field natively in Windows!

If I chmod 1000:users a file, the Group SID changes:
Code:
User SID
    Local user-1000 SID
    hex S-1-5-15-9f568d32-4a232c4a-9d1c829c-3e8
    dec S-1-5-21-2673249586-1243819082-2635891356-1000
Group SID
    Local user-1006 SID
    hex S-1-5-15-9f568d32-4a232c4a-9d1c829c-3ee
    dec S-1-5-21-2673249586-1243819082-2635891356-1006

as expected. But much more of the DACL changes:
Code:
        000000  01000490 94000000 b0000000 00000000
        000010  14000000 02008000 05000000 01091400
        000020  20000000 01010000 00000001 00000000
        000030  00032400 b9011f00 01050000 00000005
        000040  15000000 328d569f 4a2c234a 9c821c9d
        000050  e8030000 00031400 a9001200 01010000
        000060  00000001 00000000 00031800 bf011f00
        000070  01020000 00000005 20000000 20020000
        000080  00031400 bf011f00 01010000 00000005
        000090  12000000 01050000 00000005 15000000
        0000a0  328d569f 4a2c234a 9c821c9d e8030000
        0000b0  01050000 00000005 15000000 328d569f
        0000c0  4a2c234a 9c821c9d ee030000
Computed hash : 0x4308f562

The permissions and owner are now:
Code:
dr-xr-xr-x 1 1000  users

And a chmod ug+w then gives:
Code:
drwxrwxr-x 1 ian  users

And further changes to the DACL:
Code:
        000000  01000490 b8000000 d4000000 00000000
        000010  14000000 0200a400 06000000 01091400
        000020  20000000 01010000 00000001 00000000
        000030  00032400 ff011f00 01050000 00000005
        000040  15000000 328d569f 4a2c234a 9c821c9d
        000050  e8030000 00032400 ff011200 01050000
        000060  00000005 15000000 328d569f 4a2c234a
        000070  9c821c9d ee030000 00031400 a9001200
        000080  01010000 00000001 00000000 00031800
        000090  bf011f00 01020000 00000005 20000000
        0000a0  20020000 00031400 bf011f00 01010000
        0000b0  00000005 12000000 01050000 00000005
        0000c0  15000000 328d569f 4a2c234a 9c821c9d
        0000d0  e8030000 01050000 00000005 15000000
        0000e0  328d569f 4a2c234a 9c821c9d ee030000
Computed hash : 0x3885f1ff


Help, please!

Ian


Sat Aug 11, 2012 14:08
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Ownership, Permissions and User Mapping woes
Hi,
Quote:
In Windows I have created two users (...-1000, ...-1004) and a group (...-1006). The two users are both members of the new group, as well as the default users group;

So each user is a member of two groups : the default one (-513) and another one (-1006). You have to have the same organization in Linux.
Code:
:users:S-1-5-21-2673249586-1243819082-2635891356-1006
:users:S-1-5-21-2673249586-1243819082-2635891356-513

This is wrong, the group users has two meanings. You must match the Windows organization, have two different groups, and assign the default group of both users to the default Windows group (-513). The secondary group of both users should be mapped to -1006.
Code:
Suggestion :
Linux user 1000 in default group 1006 and supplementary group 1000
Linux user 1005 in default group 1006 and supplementary group 1005
And do similarly in Windows : both users in standard group -513, and different supplementary groups : -1006 and another one to be created.

*edit* Please read 1001 instead of 1005 above....

Note : do you really need two groups ? I would get rid of -1006 and make "users" be the default group of both users, and get rid of default groups 1000 and 1005 in Linux.
Quote:
But the mounted partition has permissions and owners:
dr-xr-xr-x 1 root root
-r-xr-xr-x 1 root root

This is probably the default state, the mountpoint does not matter much, except for creating the first level directories (which root has to create and then chown to the desired user). Do not change the ownership and permissions of root directory itself unless really needed.
Quote:
Why aren't my files showing up with permissions and owners:
drwxrwxr-x 1 1000 users
-rw-rw-r-- 1 1000 users

This looks correct to me (assuming the uid of the user who created the files is 1000, and his/her group is users, as your user mapping file suggests).
Quote:
Is my problem that the Group SID is that of Local admins?

Yes, this means that the Linux user who created this file is not defined in the user mapping file, so the root group was used instead.
Quote:
And a chmod ug+w then gives:
drwxrwxr-x 1 ian users

This is correct (provided user ian has the uid 1000 of course...)

Quote:
Help, please!


Please create on Windows a file by each user, and post the output of "secaudit -v" (hexadecimal data) for each of them. Also log into each Linux user account and post the output of command "id", then tell which Linux user and group should map which Windows user and group.

Regards

Jean-Pierre


Sat Aug 11, 2012 17:46

Joined: Sat Aug 11, 2012 12:51
Posts: 2
Post Re: Ownership, Permissions and User Mapping woes
Jean-Pierre,

Thank you for your quick reply.

Quote:
Quote:
Quote:
In Windows I have created two users (...-1000, ...-1004) and a group (...-1006). The two users are both members of the new group, as well as the default users group;

So each user is a member of two groups : the default one (-513) and another one (-1006).


I double checked, and actually:
...-1000 is a member of Administrators (...-544) and ...-1006
...-1004 is a member of Users (...-545) and ...-1006.

net localgroup ...-513 reports that "The specified local group does not exist."
psgetsid.exe ...-513 reports that the group is localmachine\None!

Quote:
Code:
Quote:
:users:S-1-5-21-2673249586-1243819082-2635891356-1006
:users:S-1-5-21-2673249586-1243819082-2635891356-513

This is wrong, the group users has two meanings.

OK, but I was following the advice in the Ownership and Permissions documentation:
Quote:
Though several SID may be defined for a uid, only the first one is currently set as the owner of a file as defined in file creation or chown

Which implies that multiple Windows SIDs may be assigned to one Linux ID (I assumed that it would work for gid), so that either windows ID would map to Linux gid "users", but understood that 'chgrp users' would set the group SID to ...-1006, the first one in my UserMapping.

Quote:
Note : do you really need two groups ? I would get rid of -1006 and make "users" be the default group of both users

Possibly not... All new Windows users without Admin rights are members of Users. I wanted to tighten things up a little by creating a new group that I can assign any Windows users to, who then all have common privileges of Full Control (on this data partition), whether they are Administrators or Users!
User ...-1000 is an Administrator, whilst user ...-1004 is in Users!

Quote:
Quote:
Quote:
But the mounted partition has permissions and owners:
dr-xr-xr-x 1 root root
-r-xr-xr-x 1 root root

This is probably the default state, the mountpoint does not matter much, except for creating the first level directories (which root has to create and then chown to the desired user). Do not change the ownership and permissions of root directory itself unless really needed.

I should have been more precise: those are the permissions of the directories and files in the mounted NTFS partition, not the permissions of the mount point! They are owned by ...-1000, so why do they show up as Linux root? Is it because the Windows group is Administrators?

Quote:
Quote:
Quote:
Why aren't my files showing up with permissions and owners:
drwxrwxr-x 1 1000 users
-rw-rw-r-- 1 1000 users

This looks correct to me (assuming the uid of the user who created the files is 1000, and his/her group is users, as your user mapping file suggests).
Quote:
Quote:
Is my problem that the Group SID is that of Local admins?

Yes, this means that the Linux user who created this file is not defined in the user mapping file, so the root group was used instead.

So this is where things seem to get awkward: Windows users have an SID, Windows groups have an SID; Windows files have 2 "owner" SIDs a user and a group (as listed by secaudit), but http://support.microsoft.com/kb/262965 says:
Quote:
Each file in UNIX has an associated owner and group. File permissions are then assigned to the owner of the file, the file's group, and then to all others. ... In the Windows NT and Windows 2000 NTFS file system, each file also has an owner and a primary group. The primary group of a file is not used by the Win32 subsystem, but is present for programs that make use of the POSIX subsystem.

I have not been able to find any tool in Windows that will display, or manipulate, the (primary) group that a file belongs to: I can only change the user that a file belongs to. It appears that the file's group becomes the primary group of the owner, i.e., Administrators for ...-1000 and Users for ...-1004! In Windows 7 Home Premium I cannot find a way of changing a user's primary group, I can merely assign and delete membership of a user to different groups.
So it seems to me that the Windows file group SID (reported by secaudit) is of little use, as there is no way of controlling it natively in Windows. But it appears to be causing NTFS-3g to assign Linux ownership to root:root, irrespective of the Windows file owner SID?!?
Quote:
Quote:
Quote:
Is my problem that the Group SID is that of Local admins?

Yes, this means that the Linux user who created this file is not defined in the user mapping file, so the root group was used instead.

But the Owner SID ...-1000 does map to a Linux user (uid 1000), as per the UserMapping file!

For users I expect:
Code:
1000::S-1-5-21-2673249586-1243819082-2635891356-1000
1001::S-1-5-21-2673249586-1243819082-2635891356-1004


Regards,

Ian


Sun Aug 12, 2012 02:47
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Ownership, Permissions and User Mapping woes
Hi,

I do not have a clear view of your configuration, I cannot suggest further...

As requested previously, please create on Windows a file by each user, and post the output of "secaudit -v" (hexadecimal data) for each of them. Also log into each Linux user account and post the output of command "id", then tell which Linux user and group should map which Windows user and group.
Quote:
I double checked, and actually:
...-1000 is a member of Administrators (...-544) and ...-1006
...-1004 is a member of Users (...-545) and ...-1006.

Ok, but which group is the default one ? If it is -544 or -545 they cannot be mapped to Linux groups.
Quote:
Which implies that multiple Windows SIDs may be assigned to one Linux ID (I assumed that it would work for gid), so that either windows ID would map to Linux gid "users", but understood that 'chgrp users' would set the group SID to ...-1006, the first one in my UserMapping.

Ok, but this is a workaround for a clumsy mapping.
Quote:
I should have been more precise: those are the permissions of the directories and files in the mounted NTFS partition, not the permissions of the mount point! They are owned by ...-1000, so why do they show up as Linux root? Is it because the Windows group is Administrators?

This could explain the root group, not the root owner. There must be another explanation.
Quote:
So this is where things seem to get awkward: Windows users have an SID, Windows groups have an SID; Windows files have 2 "owner" SIDs a user and a group (as listed by secaudit), but http://support.microsoft.com/kb/262965 says:

Windows and Linux have different permission concepts. Windows does not use owner and group to make decisions to access a file (it uses ACLs which define who is allowed to do what), nevertheless it stores them and Linux uses them.
Quote:
I have not been able to find any tool in Windows that will display, or manipulate, the (primary) group that a file belongs to: I can only change the user that a file belongs to.

secaudit is also usable on Windows to display ownership and permission. It can also change permissions, but not ownership. Anyway what really matters is how files are created.
Quote:
It appears that the file's group becomes the primary group of the owner, i.e., Administrators for ...-1000 and Users for ...-1004! In Windows 7 Home Premium I cannot find a way of changing a user's primary group, I can merely assign and delete membership of a user to different groups.

I have never seen Windows creating files whose group is Administrator, if it were so, the Linux group has to be root : built-in users and groups cannot be mapped.

Regards

Jean-Pierre


Sun Aug 12, 2012 10:51

Joined: Sat Aug 11, 2012 12:51
Posts: 2
Post Re: Ownership, Permissions and User Mapping woes
Jean-Pierre,

Sorry I didn't post the secaudit outputs earlier, but I hadn't got around to booting into Win7 to create the files.

Before I booted into Win7, whilst in Linux with the partition mounted:
Code:
ntfs-3g   inherit,windows_names,locale=en_GB.UTF-8

and UserMapping:
Code:
ian::S-1-5-21-2673249586-1243819082-2635891356-1000
julia::S-1-5-21-2673249586-1243819082-2635891356-1004
:users:S-1-5-21-2673249586-1243819082-2635891356-1006
:users:S-1-5-21-2673249586-1243819082-2635891356-513
::S-1-5-21-2673249586-1243819082-2635891356-10000

I executed:
Code:
chown ian:users -R
chmod -R 775

on the root of the mounted partition, and let ntfs-3g set the ACLs for the NTFS files.

In Win7 I created a file whilst logged in as each user. The secaudit outputs are:
Code:
secaudit 1.3.17 : NTFS security data auditing
File /windows/E/Perms_test_ian.txt
        000000  01000480 b8000000 d4000000 00000000
        000010  14000000 0200a400 06000000 01001400
        000020  20000000 01010000 00000001 00000000
        000030  00002400 ff011f00 01050000 00000005
        000040  15000000 328d569f 4a2c234a 9c821c9d
        000050  e8030000 00002400 ff011200 01050000
        000060  00000005 15000000 328d569f 4a2c234a
        000070  9c821c9d ee030000 00001400 a9001200
        000080  01010000 00000001 00000000 00001800
        000090  bf011f00 01020000 00000005 20000000
        0000a0  20020000 00001400 bf011f00 01010000
        0000b0  00000005 12000000 01050000 00000005
        0000c0  15000000 328d569f 4a2c234a 9c821c9d
        0000d0  e8030000 01050000 00000005 15000000
        0000e0  328d569f 4a2c234a 9c821c9d 01020000
Computed hash : 0xe422cf87
Windows attrib : 0x20
Interpreted Unix owner 1000, group 100, mode 0644
No errors were found

secaudit 1.3.17 : NTFS security data auditing
File /windows/E/Perms_test_julia.txt.txt
        000000  01000480 b8000000 d4000000 00000000
        000010  14000000 0200a400 06000000 01001400
        000020  20000000 01010000 00000001 00000000
        000030  00002400 ff011f00 01050000 00000005
        000040  15000000 328d569f 4a2c234a 9c821c9d
        000050  e8030000 00002400 ff011200 01050000
        000060  00000005 15000000 328d569f 4a2c234a
        000070  9c821c9d ee030000 00001400 a9001200
        000080  01010000 00000001 00000000 00001800
        000090  bf011f00 01020000 00000005 20000000
        0000a0  20020000 00001400 bf011f00 01010000
        0000b0  00000005 12000000 01050000 00000005
        0000c0  15000000 328d569f 4a2c234a 9c821c9d
        0000d0  ec030000 01050000 00000005 15000000
        0000e0  328d569f 4a2c234a 9c821c9d 01020000
Computed hash : 0xe4a2cf87
Windows attrib : 0x20
== Linux owner is different from Windows owner
Interpreted Unix owner 1000, group 100, mode 0644
No errors were found

The outputs of id are:
Code:
uid=1000(ian) gid=100(users) groups=100(users),33(video)
uid=1001(julia) gid=100(users) groups=100(users),33(video)


So ian is correctly mapped as the owner of /windows/E/Perms_test_ian.txt, whilst ian is incorrectly mapped as the owner of /windows/E/Perms_test_julia.txt.txt when julia is the owner! secaudit even says:
Quote:
== Linux owner is different from Windows owner

But the Linux perms are -rw-r--r--. and not -rwxrwxr--, which is what the parent is!

I have also run secaudit on files in the Win7 users' "home" directories. The permissions are 0700, ian is correctly mapped as the user for ian, whilst root is incorrectly mapped as the user for julia, although it doesn't note the difference between Linux and Windows owners:
Code:
secaudit 1.3.17 : NTFS security data auditing
File /windows/C/Documents and Settings/ian/Documents/desktop.ini
        000000  01000480 6c000000 88000000 00000000
        000010  14000000 02005800 03000000 00001400
        000020  ff011f00 01010000 00000005 12000000
        000030  00001800 ff011f00 01020000 00000005
        000040  20000000 20020000 00002400 ff011f00
        000050  01050000 00000005 15000000 328d569f
        000060  4a2c234a 9c821c9d e8030000 01050000
        000070  00000005 15000000 328d569f 4a2c234a
        000080  9c821c9d e8030000 01050000 00000005
        000090  15000000 328d569f 4a2c234a 9c821c9d
        0000a0  01020000
Computed hash : 0x012c039c
Windows attrib : 0x26
Interpreted Unix owner 1000, group 100, mode 0700
No errors were found

secaudit 1.3.17 : NTFS security data auditing
File /windows/C/Documents and Settings/julia/Documents/desktop.ini
        000000  01000480 6c000000 88000000 00000000
        000010  14000000 02005800 03000000 00001400
        000020  ff011f00 01010000 00000005 12000000
        000030  00001800 ff011f00 01020000 00000005
        000040  20000000 20020000 00002400 ff011f00
        000050  01050000 00000005 15000000 328d569f
        000060  4a2c234a 9c821c9d ec030000 01050000
        000070  00000005 15000000 328d569f 4a2c234a
        000080  9c821c9d ec030000 01050000 00000005
        000090  15000000 328d569f 4a2c234a 9c821c9d
        0000a0  01020000
Computed hash : 0x01ac139c
Windows attrib : 0x26
Interpreted Unix owner 0, group 100, mode 0700
No errors were found


What I want is to have 2 users: ian & julia in both Linux and Windows; in Linux they are both members of the group users, in Windows they are both members of the group with SID ...-1006, as well as the default users group, and perhaps Administrators or Power Users. I want the files to be rwx by both users, so in Linux terms to be -rwxrwxr--, and equivalent accessibility in Windows. I also want the files' owner (creator) to be correctly identified, as ian or julia in both OS's.

Once again thank you for your help, and sorry if I'm being obtuse. As the owners and perms are clearly not as I expect, are the rules that ntfs-3g uses to map users and permissions from the Windows owner, group, and ACLs to Linux documented anywhere? It might help me to understand what is going on!

Regards,

Ian


Sun Aug 12, 2012 20:53
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Ownership, Permissions and User Mapping woes
Hi,

Quote:
Sorry I didn't post the secaudit outputs earlier, but I hadn't got around to booting into Win7 to create the files

No problem. I now have a better view of your configuration. I still do not understand why the group of your files is shown as root, so let us go step by step.
Quote:
I executed:
chown ian:users -R
chmod -R 775

Doing chmod or chown on a directory changes the inheritance rules used by Windows (and Linux, as you are using inherit). Nothing wrong, do not change yet.
Quote:
In Win7 I created a file whilst logged in as each user. The secaudit outputs are:

These files are in the standard group -513 (local users). You have not been able to set a new default group (I cannot either, we have to live with it), so you try to make -1006 a synonym of -513 (should be possible).
Code:
File /windows/E/Perms_test_ian.txt
Interpreted Unix owner 1000, group 100, mode 0644

Roughly ok (though you wanted mode 664 or 774)
Quote:
File /windows/E/Perms_test_julia.txt.txt
== Linux owner is different from Windows owner
Interpreted Unix owner 1000, group 100, mode 0644

Here you are trapped by an inheritance side effect. The parent directory (root directory) has an inheritance rule which gives ian full rights over the created files, without giving similar rights to julia, so the better approximation in Linux is to consider ian as the owner of the files. This looks strange, but it is just trying to match Windows behavior.

IMHO the easiest way to avoid this is to make directories in which files may be created by several users as owned by root. Try the following (without changing the user mapping or mount options) :

On Linux, create a new directory owned by root:root with permissions 777 (or owned by root:users with permissions 0774 ?), in this directory create files by each Linux user and check permissions. If ok, create files in the same directory by each Windows user and check permissions.

This will probably not satisfy all your requirements, we will go further if successful.

Quote:
The outputs of id are:
uid=1000(ian) gid=100(users) groups=100(users),33(video)
uid=1001(julia) gid=100(users) groups=100(users),33(video)

Ok, do not change (I assume group 33 not having to be mapped).
Quote:
But the Linux perms are -rw-r--r--. and not -rwxrwxr--, which is what the parent is!

Inheritance does not mean copying the permissions of the parent directory : it means applying rules defined in the parent directory.
Quote:
File /windows/C/Documents and Settings/julia/Documents/desktop.ini
Interpreted Unix owner 0, group 100, mode 0700

The interpreted owner is wrong, I do not know why. Does "ls -l" display the correct owner ?
Quote:
What I want is to have 2 users: ian & julia in both Linux and Windows; in Linux they are both members of the group users, in Windows they are both members of the group with SID ...-1006, as well as the default users group, and perhaps Administrators or Power Users. I want the files to be rwx by both users, so in Linux terms to be -rwxrwxr--, and equivalent accessibility in Windows. I also want the files' owner (creator) to be correctly identified, as ian or julia in both OS's.

The above procedure should not be far from what you want. If successful, we will try defining generic inheritance rules and/or Posix ACLs. You will need the latest ntfs-3g release (2012.1.15AR.6).
Quote:
As the owners and perms are clearly not as I expect, are the rules that ntfs-3g uses to map users and permissions from the Windows owner, group, and ACLs to Linux documented anywhere? It might help me to understand what is going on!

No real documentation, I am afraid. Sorry.

Regards

Jean-Pierre


Mon Aug 13, 2012 10:31
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Ownership, Permissions and User Mapping woes
Hi,

Quote:
File /windows/C/Documents and Settings/julia/Documents/desktop.ini
Interpreted Unix owner 0, group 100, mode 0700

I could not replicate this behavior. This is in a different partition, maybe its user mapping file is not like the one you posted.

Regards

Jean-Pierre


Tue Aug 14, 2012 09:17

Joined: Sat Aug 11, 2012 12:51
Posts: 2
Post Re: Ownership, Permissions and User Mapping woes
Jean-Pierre

Quote:
Quote:
File /windows/C/Documents and Settings/julia/Documents/desktop.ini
Interpreted Unix owner 0, group 100, mode 0700

I could not replicate this behavior. This is in a different partition, maybe its user mapping file is not like the one you posted.

Of course, that partition is mounted with fmask, dmask, and gid options, and no UserMapping file! Sorry!

Quote:
These files are in the standard group -513 (local users). You have not been able to set a new default group (I cannot either, we have to live with it), so you try to make -1006 a synonym of -513 (should be possible).

I think you need AD user management tools in Windows to change the primary (default?) group: http://technet.microsoft.com/en-us/libr ... 10%29.aspx

Quote:
On Linux, create a new directory owned by root:root with permissions 777 (or owned by root:users with permissions 0774 ?), in this directory create files by each Linux user and check permissions. If ok, create files in the same directory by each Windows user and check permissions.

Code:
drwxrwxr-- 1 root users 4096 Aug 14 00:21 /windows/E/Perms_test_root_users/
/windows/E/Perms_test_root_users:
-rw-rw-r-- 1 ian   users 0 Aug 14 00:00 perms_test_ian_lin.txt
-rw-r--r-- 2 ian   users 0 Aug 14 00:19 perms_test_ian_win.txt
-rw-rw-r-- 1 ian   users 0 Aug 14 00:00 perms_test_julia_lin.txt
-rw-r--r-- 2 julia users 0 Aug 14 00:21 perms_test_julia_win.txt

So I get the permissions I want for files created in Linux, but not the correct owners. Whilst I get the correct owners for files created in Windows, but not the correct permissions!

Just double checked the perms of two new files created in Linux by Julia, and they appear to be correct:
Code:
/windows/E/Perms_test_root_users:
total 0
-rw-rw-r-- 1 ian   users 0 Aug 14 00:00 perms_test_ian_lin.txt
-rw-r--r-- 2 ian   users 0 Aug 14 00:19 perms_test_ian_win.txt
-rw-rw-r-- 1 julia users 0 Aug 15 01:13 perms_test_julia_lin2.txt
-rw-rw-r-- 1 julia users 0 Aug 15 01:14 perms_test_julia_lin3.txt
-rw-rw-r-- 1 ian   users 0 Aug 14 00:00 perms_test_julia_lin.txt
-rw-r--r-- 2 julia users 0 Aug 14 00:21 perms_test_julia_win.txt

So actually all I need to do is to get Windows to give the correct group permissions...

Looks like we're nearly there!

Secaudit indicates that the Linux file's group is ...-1006 (my new group), whilst the Windows file's group is ...-513 the built in (domain) users:
Code:
File /windows/E/Perms_test_root_users/perms_test_ian_lin.txt
        000000  01000480 ac000000 c8000000 00000000
        000010  14000000 02009800 06000000 01001400
        000020  20000000 01010000 00000001 00000000
        000030  00001800 ff011f00 01020000 00000005
        000040  20000000 20020000 00002400 ff011200
        000050  01050000 00000005 15000000 328d569f
        000060  4a2c234a 9c821c9d ee030000 00001400
        000070  89001200 01010000 00000001 00000000
        000080  00001800 bf011f00 01020000 00000005
        000090  20000000 20020000 00001400 bf011f00
        0000a0  01010000 00000005 12000000 01050000
        0000b0  00000005 15000000 328d569f 4a2c234a
        0000c0  9c821c9d e8030000 01050000 00000005
        0000d0  15000000 328d569f 4a2c234a 9c821c9d
        0000e0  ee030000
Computed hash : 0x2efb0043
Windows attrib : 0x20
Interpreted Unix owner 1000, group 100, mode 0664

File /windows/E/Perms_test_root_users/perms_test_ian_win.txt
        000000  01000480 ac000000 c8000000 00000000
        000010  14000000 02009800 06000000 01001400
        000020  20000000 01010000 00000001 00000000
        000030  00001800 ff011f00 01020000 00000005
        000040  20000000 20020000 00002400 ff011200
        000050  01050000 00000005 15000000 328d569f
        000060  4a2c234a 9c821c9d ee030000 00001400
        000070  89001200 01010000 00000001 00000000
        000080  00001800 bf011f00 01020000 00000005
        000090  20000000 20020000 00001400 bf011f00
        0000a0  01010000 00000005 12000000 01050000
        0000b0  00000005 15000000 328d569f 4a2c234a
        0000c0  9c821c9d e8030000 01050000 00000005
        0000d0  15000000 328d569f 4a2c234a 9c821c9d
        0000e0  01020000
Computed hash : 0x2efafe56
Windows attrib : 0x20
Interpreted Unix owner 1000, group 100, mode 0644

So perhaps I need to abandon my idea of another group, and just go back to the Windows default!

Thanks for all your help.

Regards,

Ian


Wed Aug 15, 2012 02:33
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Ownership, Permissions and User Mapping woes
Hi,

Quote:
I think you need AD user management tools in Windows to change the primary (default?) group: http://technet.microsoft.com/en-us/libr ... 10%29.aspx

Probably so...
Quote:
Just double checked the perms of two new files created in Linux by Julia, and they appear to be correct:
So actually all I need to do is to get Windows to give the correct group permissions...
Looks like we're nearly there!

However this is not satisfactory, because it relies on the parent directory being owned by root : if either user creates a subdirectory, this user will own the subdirectory and the inheritance will make the files created within the subdirectory owned by this user, whatever user had created the file. To avoid this you need a special inheritance rule (creator-owner) which makes created files be owned by the creator. More on this below.
Quote:
So perhaps I need to abandon my idea of another group, and just go back to the Windows default!

Do not resign yet ! Your experience may be useful to other users, possibly through some upgrading of ntfs-3g.

The issue is essentially caused by Windows inheritance, so you have to tailor the rules used by Windows to your needs, and get an acceptable behavior on Linux.

As a second step, I suggest using a generic creator-owner rule so that ownership is correctly set within subdirectories. However I found ntfs-3g to be buggy on that rule, and you have to apply the attached patch before trying.

To set the rule, replace "some-directory" in the shell script below by the path to some test directory, then execute the script.
Code:
ACL=`echo \
           01000494 b8000000 d4000000 00000000 \
           14000000 0200a400 06000000 00002400 \
           ff011f00 01050000 00000005 15000000 \
           328d569f 4a2c234a 9c821c9d e8030000 \
           000b1400 ff011f00 01010000 00000003 \
           00000000 00032400 bf011200 01050000 \
           00000005 15000000 328d569f 4a2c234a \
           9c821c9d 01020000 00031400 89001200 \
           01010000 00000001 00000000 00031800 \
           ff011f00 01020000 00000005 20000000 \
           20020000 00031400 ff011f00 01010000 \
           00000005 12000000 01050000 00000005 \
           15000000 328d569f 4a2c234a 9c821c9d \
           e8030000 01050000 00000005 15000000 \
           328d569f 4a2c234a 9c821c9d 01020000 | sed -e 's/ //g'`
echo $ACL
setfattr -n system.ntfs_acl -v 0x$ACL some-directory

Below is the Windows view of this ACL (the SIDs are shown as unknown, because they are yours, not mine).
Attachment: ienichols.gif

With this ACL, ownership should be correct for files created in subdirectories. If satisfactory, such an ACL could be created by a plain chown when Windows inheritance is selected, but I need your feedback first.

Your requirement about the file groups will still not be met. To get it approximated, Posix ACLs will be needed, so when applying the patch, be sure to configure with option --enable-posix-acls before compiling.

Regards

Jean-Pierre


Attachments:
acls.c.patch72.gz [744 Bytes]
Wed Aug 15, 2012 09:34
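
The two security descriptors this thread turns on, decoded as an added example (not part of the original posts and not ntfs-3g code): the secaudit dump of the file julia created on Windows, and the descriptor from the creator-owner script above. The parser covers only self-relative descriptors with plain allow/deny ACEs, which is all these dumps contain; the function and constant names are illustrative.

```python
import struct

# Hex words copied from the page, offset column dropped.
# (1) secaudit -v dump of Perms_test_julia.txt.txt, created on Windows by julia.
JULIA_FILE = """
01000480 b8000000 d4000000 00000000 14000000 0200a400 06000000 01001400
20000000 01010000 00000001 00000000 00002400 ff011f00 01050000 00000005
15000000 328d569f 4a2c234a 9c821c9d e8030000 00002400 ff011200 01050000
00000005 15000000 328d569f 4a2c234a 9c821c9d ee030000 00001400 a9001200
01010000 00000001 00000000 00001800 bf011f00 01020000 00000005 20000000
20020000 00001400 bf011f00 01010000 00000005 12000000 01050000 00000005
15000000 328d569f 4a2c234a 9c821c9d ec030000 01050000 00000005 15000000
328d569f 4a2c234a 9c821c9d 01020000
"""
# (2) Descriptor written by the setfattr script (creator-owner rule).
CREATOR_OWNER_DIR = """
01000494 b8000000 d4000000 00000000 14000000 0200a400 06000000 00002400
ff011f00 01050000 00000005 15000000 328d569f 4a2c234a 9c821c9d e8030000
000b1400 ff011f00 01010000 00000003 00000000 00032400 bf011200 01050000
00000005 15000000 328d569f 4a2c234a 9c821c9d 01020000 00031400 89001200
01010000 00000001 00000000 00031800 ff011f00 01020000 00000005 20000000
20020000 00031400 ff011f00 01010000 00000005 12000000 01050000 00000005
15000000 328d569f 4a2c234a 9c821c9d e8030000 01050000 00000005 15000000
328d569f 4a2c234a 9c821c9d 01020000
"""

SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000  # descriptor control bits
INHERIT_ONLY_ACE = 0x08   # ACE is a template for children, not applied to the object
FULL_CONTROL = 0x001F01FF
ACE_TYPES = {0: "allow", 1: "deny"}  # the only ACE types present in these dumps


def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into its S-R-A-S... string form."""
    if off + 8 > len(buf):
        raise ValueError("truncated SID header")
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit, big-endian
    if off + 8 + 4 * count > len(buf):
        raise ValueError("truncated SID sub-authorities")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)  # little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def parse_descriptor(hex_words):
    """Parse a self-relative security descriptor into owner, group and DACL ACEs."""
    buf = bytes.fromhex("".join(hex_words.split()))
    if len(buf) < 20:
        raise ValueError("shorter than a descriptor header")
    _rev, _sbz, control, owner_off, group_off, _sacl_off, dacl_off = \
        struct.unpack_from("<BBHIIII", buf, 0)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative descriptor")
    desc = {"owner": parse_sid(buf, owner_off),
            "group": parse_sid(buf, group_off), "aces": []}
    if control & SE_DACL_PRESENT and dacl_off:
        _arev, _asbz, acl_size, ace_count, _sbz2 = \
            struct.unpack_from("<BBHHH", buf, dacl_off)
        pos, end = dacl_off + 8, dacl_off + acl_size
        if end > len(buf):
            raise ValueError("ACL overruns the descriptor")
        for _ in range(ace_count):
            ace_type, flags, size, mask = struct.unpack_from("<BBHI", buf, pos)
            if size < 8 or pos + size > end:
                raise ValueError("ACE overruns the ACL")
            if ace_type not in ACE_TYPES:
                raise ValueError("unsupported ACE type %d" % ace_type)
            desc["aces"].append({"type": ACE_TYPES[ace_type], "flags": flags,
                                 "mask": mask, "sid": parse_sid(buf, pos + 8)})
            pos += size
    return desc


def full_control_sids(desc):
    """SIDs allowed full control on the object itself (inherit-only ACEs skipped)."""
    return [a["sid"] for a in desc["aces"]
            if a["type"] == "allow"
            and (a["mask"] & FULL_CONTROL) == FULL_CONTROL
            and not a["flags"] & INHERIT_ONLY_ACE]


def inherit_only_sids(desc):
    """SIDs whose ACE only serves as an inheritance rule for new children."""
    return [a["sid"] for a in desc["aces"] if a["flags"] & INHERIT_ONLY_ACE]


def owner_has_ace(desc):
    """True when the DACL names the owner SID in at least one ACE."""
    return any(a["sid"] == desc["owner"] for a in desc["aces"])


if __name__ == "__main__":
    for name, words in (("julia's file", JULIA_FILE),
                        ("creator-owner dir", CREATOR_OWNER_DIR)):
        d = parse_descriptor(words)
        print(name, "owner", d["owner"], "group", d["group"])
        for a in d["aces"]:
            print("  %-5s flags=0x%02x mask=0x%08x %s"
                  % (a["type"], a["flags"], a["mask"], a["sid"]))
        print("  owner named in DACL:", owner_has_ace(d))
```

For julia's file the owner is ...-1004 and the group ...-513, yet the only full-control ACE on the file names ...-1000 and no ACE names the owner, which is the inheritance side effect described earlier in the thread. In the second descriptor the S-1-3-0 (Creator Owner) ACE carries flags 0x0b, so it is inherit-only and applies to objects created below the directory.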
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Ownership, Permissions and User Mapping woes
Hi,

Using Posix ACLs is probably a better way to meet your requirements. This implies you are not using the inherit option on Linux (this option leads to problems when root creates a directory, which should not happen in Windows).

I assume you have three users : ian, julia and guest. All of them are in group -513 in Windows (unavoidable there), which is mapped to group users in Linux. ian and julia are also in group family in both systems, but on Linux this is their default group. On Windows the group family is -1006.

In the base directory, you create a default ACL (this is the base for inheritance in both systems) such that group users/-513 has only read rights, and group family has full rights (guest is not allowed to create files in this directory).

The setfacl command looks like :
Code:
setfacl -m "d:u::7,d:g::7,d:m::7,d:o::4,d:g:family:7,d:g:users:4" base-directory

Due to inheritance rules, files created on Windows will appear in group users, and they may appear with a wrong owner (but access rights should be correct, owing to the supplementary group), and directories created by root on Linux might be denied access on Windows.

With only two special users, you may avoid supplementary groups by setting inheritance rights to both users ian and julia :
Code:
setfacl -m "d:u::7,d:g::4,d:m::7,d:o::4,d:u:ian:7,d:u:julia:7" base-directory


Regards

Jean-Pierre


Thu Aug 16, 2012 09:54