user mapping question - domains 

Joined: Fri May 07, 2010 19:28
Posts: 10
user mapping question - domains
A Windows 7 PC is configured as follows:

Code:
local accounts:
  administrator
  common
domain accounts:
  (many)

The PC dual boots and has its two NTFS partitions mounted under linux (Mandriva 2010.0) as "/cwindows" and "/scratch". The latter doesn't need any file protections. However, for the former, either of these two mappings would be acceptable:

Code:
  root -> local/administrator
  (all others) -> local/common

or

Code:
  root -> local/administrator
  (all others) -> domain/(corresponding name)

The domain logins are handled through a Samba server. There is a 1:1 correspondence between linux NIS passwd entries and smbpasswd entries. That is, the username is the same on either OS, but of course all of the other information is different. (all others) is a very long list. Is there a shorthand method to accomplish these mappings? I really don't want to have to create a file with hundreds of entries, which would need to be updated any time the users change. Also, there is more than one of these workstations, and they are cloned, so it would be best if the user mapping were somehow able to use either the NIS or Samba information, which is updated on the main server as users come and go.

Would this syntax work for the first method (above)?
Code:
0:0:S-1-xxxxxxxx      #map root -> local/administrator
::S-1-yyyyyy             #everybody else  -> local/common


and is there a single line syntax something like this:
Code:
[NIS]:[NIS]:[SAMBA]  #lookup current username and map to samba entry
?
Thanks.


Fri May 07, 2010 19:46
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Re: user mapping question - domains
Hi,

Quote:
However, for the former, either of these two mappings would be acceptable:
Code:
  root -> local/administrator
  (all others) -> local/common

Mapping root to local/administrator (I mean SID S-1-5-32-544) is the current default. Currently unmapped accounts (uids) are considered as root, because system processes frequently need root access to files. At least some restriction to user accounts would be needed (could be in the form of "uid >= 500").
Quote:
Code:
  root -> local/administrator
  (all others) -> domain/(corresponding name)

Currently this can only be done by providing the individual mappings.

Quote:
(all others) is a very long list. Is there a short hand method to accomplish these mappings? I really don't want to have to create a file with hundreds of entries, which would need to be updated any time the users change.

If there is a simple way to get the SID for each username and conversely, ntfs-3g could be adapted to use it. If this implies logging into some ldap server and submitting ldap queries, this should be concealed into some system call, otherwise we would run into unreasonable configuration problems.
Quote:
Would this syntax work for the first method (above)

Code:
0:0:S-1-xxxxxxxx      #map root -> local/administrator
::S-1-yyyyyy             #everybody else  -> local/common

The first line is unneeded, root is always mapped to S-1-5-32-544. What is the SID you need for "local/common" ?
Quote:
and is there a single line syntax something like this:
Code:
[NIS]:[NIS]:[SAMBA]  #lookup current username and map to samba entry

Not yet, and as I do not have Samba available, it will require your cooperation. For example you provide some script or code to build the UserMapping file from smbpasswd entries.

Regards

Jean-Pierre


Sun May 09, 2010 19:01

Joined: Fri May 07, 2010 19:28
Posts: 10
Re: user mapping question - domains
Quote:
The first line is unneeded, root is always mapped to S-1-5-32-544. What is the SID you need for "local/common" ?


Google for that number and find:

http://support.microsoft.com/kb/243330

Aha, so I guess the whole file would be:

::S-1-5-32-545

which would map everybody except root to the "users" group. I will give that a try.

Quote:
If there is a simple way to get the SID for each username and conversely, ntfs-3g could be adapted to use it.


I'm not sure actually. The smbpasswd file has the username and md5 hashed password. Looking at the two local accounts (administrator and the common login account) the former was "S-1-5-21-<domain>-1000" and the latter "S-1-5-21-<domain>-500" , so I am guessing that Samba makes these accounts show up as something like "S-1-5-21-<samba domain>-UID". Best to ask the samba developers though, I'm just guessing.


Mon May 10, 2010 22:27

Joined: Fri May 07, 2010 19:28
Posts: 10
Re: user mapping question - domains
Quote:
Aha, so I guess the whole file would be:

::S-1-5-32-545


Very wrong. That caused "There were no valid user or no valid group" on the mount. So changed it to:

Code:
::S-1-5-21-1190592468-3408288720-4102432386-1000

where that long string was what showed up for the common account under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList. Unmounted and remounted the ntfs.

That got rid of the "no valid user" messages. Still doesn't work now. Now the common user ("bi1") has limited read access and no write access. For instance
Code:
ls -al /cwindows/Users/bi1/AppData/Local/Temp
ls: cannot access /cwindows/Users/bi1/AppData/Local/Temp: Permission denied
touch /cwindows/Users/bi1/AppData/Local/Temp/foo
touch: cannot touch `/cwindows/Users/bi1/AppData/Local/Temp/foo': Permission denied


This is consistent with the protection masks root displays though:

Code:
ls -al /cwindows/Users/bi1/AppData/Local/Temp
total 68
drwx------ 1 root root  4096 2010-05-07 11:52 ./
drwx------ 1 root root  4096 2010-05-06 10:28 ../
-rwx------ 1 root root 49208 2010-05-04 14:12 bi1.bmp*
-rwx------ 2 root root     0 2010-05-04 13:51 FXSAPIDebugLogFile.txt*
drwx------ 1 root root     0 2010-05-04 13:51 Low/
-rwx------ 2 root root   800 2010-05-04 14:04 StructuredQuery.log*
-rwx------ 1 root root   967 2010-05-06 10:28 wmsetup.log*
drwx------ 1 root root     0 2010-05-06 10:28 WPDNSE/


Note though that that cannot possibly be right, since this is Bi1's temp directory, and that account absolutely has write access, and most likely ownership, of everything in it.

This is on Mandriva 2010.0. It originally had ntfs-3g 2009.4.4-2, but I upgraded that to 2010.3.6-1 before trying any of this.

Suggestions? Thanks.


Mon May 10, 2010 23:06

Joined: Fri May 07, 2010 19:28
Posts: 10
Re: user mapping question - domains
OK, got it to work sort of, but now I see the problem - there is no mechanism which will map "everybody but root" to a single account (SID). For instance, a UserMapping with

uid1:gid1:<SID of Bi1>
uid2::<SID of Bi1>
:gid2:<SID of Bi1>

was set up. When logged in as the account corresponding to uid1/gid1 ("software") protections worked properly, the files owned by Bi1 (the windows account) showed up as being owned by software:root. So not exactly the same as linux, but close enough since the UID part matches. However, logging into accounts corresponding to uid2 (line 2) and gid2 (line 3) still showed those same files as software:root ownership, so they didn't obtain access. I had previously shown that

::<SID of Bi1>

does not work for any of these users, with all files belonging to root. So it looks like ntfs-3g would need a code change to do what I want. Probably most unix/linux types would expect the line above to match any gid/uid pair (except root, in this case, since that is implicitly mapped.)

Is there some reason we can't have wildcards in both uid and gid???


Tue May 11, 2010 00:03
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Re: user mapping question - domains
Hi,

Quote:
OK, got it to work sort of, but now I see the problem - there is no mechanism which will map "everybody but root" to a single account (SID).

True.
Quote:
uid1:gid1:<SID of Bi1>
uid2::<SID of Bi1>
:gid2:<SID of Bi1>

was set up. When logged in as the account corresponding to uid1/gid1 ("software") protections worked properly, the files owned by Bi1 (the windows account) showed up as being owned by software:root.

This is because your mapping is one-way. When a file is marked as owned by <SID of Bi1> ntfs-3g cannot guess whether it means owned by uid1 or owned by uid2 (in this case the first match is used).

Quote:
does not work for any of these users, with all files belonging to root. So it looks like ntfs-3g would need a code change to do what I want.

True. What you want is not available.

Quote:
Is there some reason we can't have wildcards in both uid and gid???

Yes, there are reasons. The main point is that I need some way to translate uids and gids to SIDs and conversely, and I cannot do it without a table or formulae to translate in both directions.
Actually there is a generic way. It implies forcing the uids for each account so that they are computable from the SIDs and conversely. For instance, with the line you have tried to use :
Code:
::S-1-5-21-1190592468-3408288720-4102432386-1000

the uid 1234 is two-way mapped to the SID S-1-5-21-1190592468-3408288720-4102432386-3468 where 3468 = 1000+2*1234

If you accept forcing the Linux uid when creating a Linux account, this could be the base for a solution. If not, I definitely need a two-way formula, table or system call.

Also can you post the ACLs for two files created by two different users through Samba, so that I can check specific parameters set by Samba.
Code:
# with mounted partition (may fail with inappropriate usermapping)
secaudit -v <full path to file>
# with unmounted partition, and as root
secaudit -v <device> <path relative to root of file system>

Please post the hexadecimal data returned for files owned by two different users (best from different domains), and also indicate their numeric uids.

Regards

Jean-Pierre


Tue May 11, 2010 09:10

Joined: Fri May 07, 2010 19:28
Posts: 10
Re: user mapping question - domains
jpa wrote:
# with unmounted partition, and as root
secaudit -v <device> <path relative to root of file system>


Sorry about the delay, all sorts of other Samba issues cropped up along the way. (For instance, roaming profiles still are not working right on this Windows 7 Professional system). Two domain users drm (uid=2070) and mathog (uid=2005) each made a text file whose secaudit output is shown below. (I typo'd the name of the drm one, so it's just dm). Before doing this I verified from the Administrator account that the files were indeed owned by saf\mathog and saf\drm. This was done as root, and the volume was not mounted, but it does have a .ntfs-3g directory, just in case that matters.

Code:
secaudit 1.3.16 : NTFS security data auditing
File Temp/dm_madethis.txt
Security key : 0x40f
        000000  01000484 74000000 90000000 00000000
        000010  14000000 02006000 04000000 00101800
        000020  ff011f00 01020000 00000005 20000000
        000030  20020000 00101400 ff011f00 01010000
        000040  00000005 12000000 00101800 a9001200
        000050  01020000 00000005 20000000 21020000
        000060  00101400 bf011300 01010000 00000005
        000070  0b000000 01050000 00000005 15000000
        000080  05fb6bd9 d378c476 edef5990 14140000
        000090  01050000 00000005 15000000 05fb6bd9
        0000a0  d378c476 edef5990 01020000
Computed hash : 0x87fbce02
Windows attrib : 0x20
Interpreted Unix owner 0, group 0, mode 0755
No errors were found

secaudit 1.3.16 : NTFS security data auditing
File Temp/mathog_madethis.txt
Security key : 0x3fd
        000000  01000484 74000000 90000000 00000000
        000010  14000000 02006000 04000000 00101800
        000020  ff011f00 01020000 00000005 20000000
        000030  20020000 00101400 ff011f00 01010000
        000040  00000005 12000000 00101800 a9001200
        000050  01020000 00000005 20000000 21020000
        000060  00101400 bf011300 01010000 00000005
        000070  0b000000 01050000 00000005 15000000
        000080  05fb6bd9 d378c476 edef5990 92130000
        000090  01050000 00000005 15000000 05fb6bd9
        0000a0  d378c476 edef5990 01020000
Computed hash : 0x77bbce02
Windows attrib : 0x20
Interpreted Unix owner 0, group 0, mode 0755
No errors were found


Both of these are members of the "SAF" domain.

By the way, I could not use this command with file names containing spaces. Attempted these three forms:
Code:
/tmp/bi1\ made\ this.txt
'/tmp/bi1 made this.txt'
'/tmp/bi1\ made\ this.txt'

and all gave "Error code 2 : No such file or directory"


Wed May 19, 2010 00:29
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Re: user mapping question - domains
Hi,

Quote:
Two domain users drm (uid=2070) and mathog (uid=2005) each made a text file whose secaudit output is shown below. (I typo'd the name of the drm one, so it's just dm).


The SIDs generated for these users are :
2070::S-1-5-21-3647732485-1992587475-2421813229-5140
2005::S-1-5-21-3647732485-1992587475-2421813229-5010

Notice 5140 = 2*2070 + 1000 and 5010 = 2*2005 + 1000, so I suspect that the files were created by ntfs-3g with an implicit mapping. What I really need are the data for files with the desired SID, which means you have to create them through a Windows-only procedure. It would also be useful to know the default gid of the users.

Quote:
Before doing this I verified from the Administrator account that the files were indeed owned by saf\mathog and saf\drm.

Do you mean you checked as a Windows Administrator and got the expected ownerships ? If so there is an unexpected mapping somewhere which makes the job much easier.

Quote:
The the way, I could not use this command with file names containing spaces.

Must be some bug, I will check.

Regards

Jean-Pierre


Wed May 19, 2010 10:21
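To see what Jean-Pierre read out of those secaudit dumps, here is an added example (not code from ntfs-3g, secaudit or anyone in this thread) that decodes the hex into the owner SID, the group SID and the DACL entries, then inverts the implicit rule RID = base + 2*uid. It assumes the standard self-relative SECURITY_DESCRIPTOR, ACL, ACE and SID layouts and a base RID of 1000; the embedded dump is the Temp/dm_madethis.txt one posted above.

```python
"""Decode the security descriptor that "secaudit -v" dumps in hex.

Added example, not ntfs-3g or secaudit code.  Layouts are the standard Windows
self-relative SECURITY_DESCRIPTOR, ACL, ACE and SID structures; the implicit
uid <-> SID rule (RID = base + 2 * uid) is the one described in the thread.
"""
import re
import struct

# Copied from the dm_madethis.txt dump posted in the thread (owner uid 2070).
SAMPLE_DUMP = """\
File Temp/dm_madethis.txt
Security key : 0x40f
        000000  01000484 74000000 90000000 00000000
        000010  14000000 02006000 04000000 00101800
        000020  ff011f00 01020000 00000005 20000000
        000030  20020000 00101400 ff011f00 01010000
        000040  00000005 12000000 00101800 a9001200
        000050  01020000 00000005 20000000 21020000
        000060  00101400 bf011300 01010000 00000005
        000070  0b000000 01050000 00000005 15000000
        000080  05fb6bd9 d378c476 edef5990 14140000
        000090  01050000 00000005 15000000 05fb6bd9
        0000a0  d378c476 edef5990 01020000
Computed hash : 0x87fbce02
"""

DUMP_LINE = re.compile(r"^\s*([0-9a-f]{6})((?:\s+[0-9a-f]{8})+)\s*$")
SE_SELF_RELATIVE, SE_DACL_PRESENT = 0x8000, 0x0004
ACE_TYPES = {0: "ALLOW", 1: "DENY"}


def dump_to_bytes(text):
    """Rebuild the raw descriptor from the offset-prefixed hex lines."""
    out = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue                      # report lines around the dump
        if int(m.group(1), 16) != len(out):
            raise ValueError("dump offsets are not contiguous")
        for word in m.group(2).split():
            out += bytes.fromhex(word)    # each word is 4 bytes in memory order
    return bytes(out)


def parse_sid(buf, off):
    """Decode a binary SID at buf[off]; returns (text, bytes consumed)."""
    rev, count = buf[off], buf[off + 1]
    if rev != 1 or count > 15:
        raise ValueError("bad SID header at offset 0x%x" % off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)    # sub-authorities, LE
    text = "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))
    return text, 8 + 4 * count


def parse_descriptor(buf):
    """Return owner SID, group SID and the DACL of a self-relative descriptor."""
    rev, _, control, off_owner, off_group, _, off_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative revision-1 security descriptor")
    desc = {"owner": parse_sid(buf, off_owner)[0],
            "group": parse_sid(buf, off_group)[0], "dacl": []}
    if control & SE_DACL_PRESENT and off_dacl:
        _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", buf, off_dacl)
        pos = off_dacl + 8                # ACEs follow the 8-byte ACL header
        for _ in range(ace_count):
            ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
            mask = struct.unpack_from("<I", buf, pos + 4)[0]
            desc["dacl"].append({"type": ACE_TYPES.get(ace_type, ace_type),
                                 "flags": ace_flags, "mask": mask,
                                 "sid": parse_sid(buf, pos + 8)[0]})
            pos += ace_size
    return desc


def implicit_uid(sid, base_rid=1000):
    """Invert ntfs-3g's implicit rule RID = base_rid + 2*uid; None if it does not fit."""
    rid = int(sid.rsplit("-", 1)[1])
    if rid < base_rid or (rid - base_rid) % 2:
        return None
    return (rid - base_rid) // 2


if __name__ == "__main__":
    d = parse_descriptor(dump_to_bytes(SAMPLE_DUMP))
    print("owner", d["owner"], "-> implicit uid", implicit_uid(d["owner"]))
    print("group", d["group"], "-> implicit uid", implicit_uid(d["group"]))
    for ace in d["dacl"]:
        print("  %-5s mask=0x%08x flags=0x%02x %s"
              % (ace["type"], ace["mask"], ace["flags"], ace["sid"]))
```

For the posted dump the owner RID 5140 inverts to uid 2070 while the group RID 513 (Domain Users) does not fit the rule, which is exactly why the files look like ntfs-3g, not Windows, created them.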
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Re: user mapping question - domains
Hi again,

Quote:
By the way, I could not use this command with file names containing spaces. Attempted these three forms:
Code:
/tmp/bi1\ made\ this.txt
'/tmp/bi1 made this.txt'
'/tmp/bi1\ made\ this.txt'

The third form is wrong : when single-quoted, the '\' means the '\' itself (the '\' being a valid character in a Linux file name)

The first and second forms are correct, but I could not reproduce the error. In your tries, what is /tmp ? Is it your global /tmp or a subdirectory of the root of the ntfs file system ? (note : for the second syntax for secaudit, a path relative to the root of the ntfs file system is expected).

Regards

Jean-Pierre


Wed May 19, 2010 15:44

Joined: Fri May 07, 2010 19:28
Posts: 10
Re: user mapping question - domains
jpa wrote:
The first and second forms are correct


Here is an exact log:

Something odd is going on. Went back into W7 and made a few more bi1 files. Also did this from linux:
Code:
root@saf04:~ > cd /mnt/win7_c/Temp
root@saf04:~ > mkdir dirnospaces
root@saf04:~ > mkdir 'dir with spaces'
root@saf04:~ > touch dirnospaces.txt
root@saf04:~ > touch 'dir with spaces.txt'
root@saf04:~ > cd /tmp
root@saf04:~  > ls -al /mnt/win7_c/Temp
total 1122
drwxr-xr-x 1 root  root    4096 May 19 10:21 .
d---r-xr-x 1 root  root   12288 May 19 10:18 ..
drwxr-xr-x 1 10001 root       0 May 10 14:09 bi1 made this
-rwxr-xr-x 2 10001 root      13 May 10 14:14 bi1 made this.txt
drwxr-xr-x 1 root  root       0 May 19 10:13 dir with spaces
-rw-r--r-- 1 root  root       0 May 19 10:14 dir with spaces.txt
drwxr-xr-x 1 root  root       0 May 19 10:13 dirnospace
-rw-r--r-- 1 root  root       0 May 19 10:13 dirnospace.txt
-rwxr-xr-x 2 root  root      17 May 18 14:18 dm_madethis.txt
drwxr-xr-x 1 10001 root       0 May 19 10:20 folder with spaces by b1
drwxr-xr-x 1 10001 root       0 May 19 10:20 foldernospacesbybi1
-rwxr-xr-x 2 root  root      28 May 18 14:14 mathog_madethis.txt
-rwxr-xr-x 2 10001 root       0 May 19 10:20 text with spaces by bi1.txt
-rwxr-xr-x 2 10001 root       0 May 19 10:20 textnospacesbybi1.txt
root@saf04:~ > umount /mnt/win7_c
root@saf04:~ > ntfs-3g.secaudit -v /dev/sda1 'Temp/folder with spaces by b1'
secaudit 1.3.16 : NTFS security data auditing
"/dev/sda1" opened
Directory Temp/folder with spaces by b1
Security key : 0x3b2
        000000  01000484 b4000000 d0000000 00000000
        000010  14000000 0200a000 07000000 00101800
        000020  ff011f00 01020000 00000005 20000000
        000030  20020000 001b1800 00000010 01020000
        000040  00000005 20000000 20020000 00101400
        000050  ff011f00 01010000 00000005 12000000
        000060  001b1400 00000010 01010000 00000005
        000070  12000000 00131800 a9001200 01020000
        000080  00000005 20000000 21020000 00101400
        000090  bf011300 01010000 00000005 0b000000
        0000a0  001b1400 000001e0 01010000 00000005
        0000b0  0b000000 01050000 00000005 15000000
        0000c0  d4fff646 d05b26cb 822686f4 e8030000
        0000d0  01050000 00000005 15000000 d4fff646
        0000e0  d05b26cb 822686f4 01020000
Computed hash : 0xfb2b01d3
Windows attrib : 0x10
Interpreted Unix owner 10001, group 0, mode 0755
"/dev/sda1" closed
No errors were found
root@saf04:~ > ntfs-3g.secaudit -v /dev/sda1 'Temp/foldernospacesbyb1'
secaudit 1.3.16 : NTFS security data auditing
"/dev/sda1" opened
** Could not access Temp/foldernospacesbyb1
Error code 2 : No such file or directory
"/dev/sda1" closed
** 1 error was found
root@saf04:~ > ntfs-3g.secaudit -v /dev/sda1 'Temp/textnospacesbyb1.txt'
secaudit 1.3.16 : NTFS security data auditing
"/dev/sda1" opened
** Could not access Temp/textnospacesbyb1.txt
Error code 2 : No such file or directory
"/dev/sda1" closed
** 1 error was found
root@saf04:~ > ntfs-3g.secaudit -v /dev/sda1 'Temp/text with spaces by b1.txt'
secaudit 1.3.16 : NTFS security data auditing
"/dev/sda1" opened
** Could not access Temp/text with spaces by b1.txt
Error code 2 : No such file or directory
"/dev/sda1" closed
** 1 error was found
root@saf04:~ > ntfs-3g.secaudit -v /dev/sda1 'Temp/b1 made this.txt'
secaudit 1.3.16 : NTFS security data auditing
"/dev/sda1" opened
** Could not access Temp/b1 made this.txt
Error code 2 : No such file or directory
"/dev/sda1" closed
** 1 error was found
root@saf04:~ > ntfs-3g.secaudit -v /dev/sda1 'Temp/b1 made this'
secaudit 1.3.16 : NTFS security data auditing
"/dev/sda1" opened
** Could not access Temp/b1 made this
Error code 2 : No such file or directory
"/dev/sda1" closed
** 1 error was found
root@saf04:~ > ntfs-3g.secaudit -v /dev/sda1 'Temp/dir with spaces'
secaudit 1.3.16 : NTFS security data auditing
"/dev/sda1" opened
Directory Temp/dir with spaces
Security key : 0x412
        000000  01000490 a0000000 b0000000 00000000
        000010  14000000 02008c00 06000000 01091400
        000020  20000000 01010000 00000001 00000000
        000030  00031800 ff011f00 01020000 00000005
        000040  20000000 20020000 00031800 a9001200
        000050  01020000 00000005 20000000 20020000
        000060  00031400 a9001200 01010000 00000001
        000070  00000000 00031800 bf011f00 01020000
        000080  00000005 20000000 20020000 00031400
        000090  bf011f00 01010000 00000005 12000000
        0000a0  01020000 00000005 20000000 20020000
        0000b0  01020000 00000005 20000000 20020000
Computed hash : 0xab552485
Windows attrib : 0x30
Interpreted Unix owner 0, group 0, mode 0755
"/dev/sda1" closed
No errors were found
root@saf04:~ > ntfs-3g.secaudit -v /dev/sda1 'Temp/dir with spaces.txt'
secaudit 1.3.16 : NTFS security data auditing
"/dev/sda1" opened
File Temp/dir with spaces.txt
Security key : 0x3af
        000000  01000490 8c000000 9c000000 00000000
        000010  14000000 02007800 05000000 00041800
        000020  9f011f00 01020000 00000005 20000000
        000030  20020000 00041800 89001200 01020000
        000040  00000005 20000000 20020000 00041400
        000050  89001200 01010000 00000001 00000000
        000060  00041800 bf011f00 01020000 00000005
        000070  20000000 20020000 00041400 bf011f00
        000080  01010000 00000005 12000000 01020000
        000090  00000005 20000000 20020000 01020000
        0000a0  00000005 20000000 20020000
Computed hash : 0x907f6d95
Windows attrib : 0x20
Interpreted Unix owner 0, group 0, mode 0644
"/dev/sda1" closed
No errors were found
root@saf04:~ > ntfs-3g.secaudit -v /dev/sda1 'Temp/dirnospace'
secaudit 1.3.16 : NTFS security data auditing
"/dev/sda1" opened
Directory Temp/dirnospace
Security key : 0x412
        000000  01000490 a0000000 b0000000 00000000
        000010  14000000 02008c00 06000000 01091400
        000020  20000000 01010000 00000001 00000000
        000030  00031800 ff011f00 01020000 00000005
        000040  20000000 20020000 00031800 a9001200
        000050  01020000 00000005 20000000 20020000
        000060  00031400 a9001200 01010000 00000001
        000070  00000000 00031800 bf011f00 01020000
        000080  00000005 20000000 20020000 00031400
        000090  bf011f00 01010000 00000005 12000000
        0000a0  01020000 00000005 20000000 20020000
        0000b0  01020000 00000005 20000000 20020000
Computed hash : 0xab552485
Windows attrib : 0x30
Interpreted Unix owner 0, group 0, mode 0755
"/dev/sda1" closed
No errors were found
root@saf04:~ > ntfs-3g.secaudit -v /dev/sda1 'Temp/dirnospace.txt'
secaudit 1.3.16 : NTFS security data auditing
"/dev/sda1" opened
File Temp/dirnospace.txt
Security key : 0x3af
        000000  01000490 8c000000 9c000000 00000000
        000010  14000000 02007800 05000000 00041800
        000020  9f011f00 01020000 00000005 20000000
        000030  20020000 00041800 89001200 01020000
        000040  00000005 20000000 20020000 00041400
        000050  89001200 01010000 00000001 00000000
        000060  00041800 bf011f00 01020000 00000005
        000070  20000000 20020000 00041400 bf011f00
        000080  01010000 00000005 12000000 01020000
        000090  00000005 20000000 20020000 01020000
        0000a0  00000005 20000000 20020000
Computed hash : 0x907f6d95
Windows attrib : 0x20
Interpreted Unix owner 0, group 0, mode 0644
"/dev/sda1" closed
No errors were found


The programs are from an RPM ntfs-3g-2010.3.6-1.6.i586
and secaudit shows its version as 1.3.16.


Wed May 19, 2010 19:37
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Re: user mapping question - domains
Hi,

Quote:
Something odd is going on.

Really ?

Code:
-rwxr-xr-x 2 10001 root       0 May 19 10:20 textnospacesbybi1.txt
...
** Could not access Temp/foldernospacesbyb1


Code:
-rwxr-xr-x 2 10001 root       0 May 19 10:20 text with spaces by bi1.txt
...
** Could not access Temp/text with spaces by b1.txt


Code:
-rwxr-xr-x 2 10001 root      13 May 10 14:14 bi1 made this.txt
...
** Could not access Temp/b1 made this.txt


Code:
drwxr-xr-x 1 10001 root       0 May 10 14:09 bi1 made this
...
** Could not access Temp/b1 made this


bi1 is not the same as b1...

Regards

Jean-Pierre


Wed May 19, 2010 21:38

Joined: Fri May 07, 2010 19:28
Posts: 10
Re: user mapping question - domains
jpa wrote:

bi1 is not the same as b1...


Aargh! Sorry about that.

Was the secaudit information from the two domain users' files of any help?


Thu May 20, 2010 00:41
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Re: user mapping question - domains
Hi,

Quote:
Was the secaudit information from the two domain users' files of any help?

Well, so far you have posted the acls of
1) two files by dm and mathog, which I suspect to have been created on Linux (which you have not confirmed)
2) a file created by b1/bi1 whose owner and group are :
S-1-5-21-1190592468-3408288720-4102432386-1000
S-1-5-21-1190592468-3408288720-4102432386-513
3) several directories ('Temp/dir with spaces' etc.) created by an administrator or Linux root

So, I do not consider having received two user files from different domains, and cannot conclude.

I suspect that the SIDs for different domains are randomly generated, and there is no hope of making an automated mapping if the mapping does not exist anywhere.

If so, would you consider the following procedure as acceptable ?

"Whenever a new user account is created, the user is asked to create a file on the target ntfs volume over Windows. This sample file is then renamed (not copied) by the administrator as .NTFS-3G/Users/<account name> so that ntfs-3g can analyze the file and build the mapping (at mount time)."

*edit*

Googling for this, I found there is "wbinfo", a samba tool to edit/query the user mapping. Can you try the options -u, -g, -n, -U, -G (and possibly other ones) and post results ?

Regards

Jean-Pierre


Thu May 20, 2010 09:30
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Re: user mapping question - domains
Hi,

Can you try the following script :
Code:
# users: "wbinfo -u" lists DOMAIN\name; "wbinfo -n name" converts a name to its SID
# (-U expects a numeric uid) and prints the SID followed by its type, e.g.
# "S-1-5-21-... SID_USER (1)", which the inner sed strips off before prefixing the name
wbinfo -u | sed -e "s%.*[\\]\(.*\)\$%wbinfo -n '\1' | sed -e 's/ SID_.*//' -e 's/^S/\1::S/'%" > /tmp/mapping$$
chmod 755 /tmp/mapping$$
/tmp/mapping$$
# groups... use -g instead, and put the name in the gid field (:name:SID)


This is fully *untested* and only based on documentation. I have even no idea whether wbinfo is meaningful in your situation.

Regards

Jean-Pierre


Thu May 20, 2010 18:13

Joined: Fri May 07, 2010 19:28
Posts: 10
Re: user mapping question - domains
Quote:
Well, so far you have posted the acls of
1) two files by dm and mathog, which I suspect to have been created on Linux (which you have not confirmed)


Those (Temp/dm_madethis.txt and Temp/mathog_madethis.txt) were created by saf\drm and saf\mathog under Windows 7. They were checked using the
local administrator account under W7 which showed those ownerships.

The only other domain I have to work with is SAF04, the local machine, hence the bi1 files.

Quote:
Googling for this, I found there is "wbinfo", a samba tool to edit/query the user mapping. Can you try the options -u, -g, -n, -U, -G (and possibly other ones) and post results ?


Doesn't work - my server is not running winbindd. For a simple one server domain like mine winbindd isn't needed - logins and file sharing work without it. However, the domain sid can be found this way:

Code:
%  net getdomainsid
SID for local machine SAFSERVER is: S-1-5-21-3647732485-1992587475-2421813229
SID for domain SAF is: S-1-5-21-3647732485-1992587475-2421813229


Thu May 20, 2010 18:22
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Re: user mapping question - domains
Hi,

Quote:
Those (Temp/dm_madethis.txt and Temp/mathog_madethis.txt) were created by saf\drm and saf\mathog under Windows 7. They were checked using the
local administrator account under W7 which showed those ownerships.

This is too good to be true. It can't be a coincidence !

Quote:
The only other domain I have to work with is SAF04, the local machine, hence the bi1 files.


So the UserMapping file can just be :

Code:
bi1::dec S-1-5-21-1190592468-3408288720-4102432386-1000
:bi1:dec S-1-5-21-1190592468-3408288720-4102432386-513
:saf:S-1-5-21-3647732485-1992587475-2421813229-513
::S-1-5-21-3647732485-1992587475-2421813229-1000


You just have to replace saf in the third line by the group name or gid for drm and mathog.

If this should work (which I really doubt), some explanation has to be found. If it does not, please retry creating new files owned by drm and mathog on Windows.

Regards

Jean-Pierre


Thu May 20, 2010 19:15

Joined: Fri May 07, 2010 19:28
Posts: 10
Re: user mapping question - domains
jpa wrote:
So the UserMapping file can just be :

Code:
bi1::dec S-1-5-21-1190592468-3408288720-4102432386-1000
:bi1:dec S-1-5-21-1190592468-3408288720-4102432386-513
:saf:S-1-5-21-3647732485-1992587475-2421813229-513
::S-1-5-21-3647732485-1992587475-2421813229-1000


You just have to replace saf in the third line by the group name or gid for drm and mathog.


I don't understand this, especially the first two lines. bi1 is a Windows account, there is no linux account by that name, but "bi1" is entered in the UID field on one, the GID of the other. The third line - can be mathog's or drm's group, but they are in different groups. For the experiment I set it to match mathog's (biostaff). Then umount and remount.

as root, mathog, drm, or, as far as I can tell, any other account on linux:

Code:
% ls -al /mnt/windows/Temp
drwxr-xr-x 1 root   root           0 2010-05-10 14:09 bi1 made this
-rwxr-xr-x 2 root   root          13 2010-05-10 14:14 bi1 made this.txt
drwxr-xr-x 1 root   root        4096 2010-05-10 10:14 cpuburn
-rwxr-xr-x 1 root   root       21216 2010-05-10 10:13 cpuburn4.zip
drwxr-xr-x 1 root   root           0 2010-05-19 10:13 dirnospace
-rw-r--r-- 1 root   root           0 2010-05-19 10:13 dirnospace.txt
drwxr-xr-x 1 root   root           0 2010-05-19 10:13 dir with spaces
-rw-r--r-- 1 root   root           0 2010-05-19 10:14 dir with spaces.txt
-rwxr-xr-x 2 drm    biostaff      17 2010-05-18 14:18 dm_madethis.txt
drwxr-xr-x 1 root   root           0 2010-05-19 10:20 foldernospacesbybi1
drwxr-xr-x 1 root   root           0 2010-05-19 10:20 folder with spaces by b1
-rwxr-xr-x 2 mathog biostaff      28 2010-05-18 14:14 mathog_madethis.txt


So the ownership for domain users' files, created on W7, is correct. The group is shown as whatever was set on the 3rd line, which could be a security issue. I suppose though I could use a group with no members for that, then it would only match on the UID part.

There is no distinction between the bi1 files and the root files. That's OK I guess, but it would probably be better if everybody could access bi1's files, since that is a common account.

Thanks.


Fri May 21, 2010 19:44
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Re: user mapping question - domains
Hi,

Code:
bi1::dec S-1-5-21-1190592468-3408288720-4102432386-1000
:bi1:dec S-1-5-21-1190592468-3408288720-4102432386-513

Quote:
I don't understand this, especially the first two lines. bi1 is a Windows account, there is no linux account by that name, but "bi1" is entered in the UID field on one, the GID of the other.

The first line defines the uid and equivalent SID, the second line defines the gid and equivalent SID. I put bi1 because I thought this was the linux owner/group name. You said earlier the Linux and Windows accounts have the same names, is that not true ? You did not give the account information for bi1, and I made a wrong guess, so you should replace bi1 by the appropriate gid or name.

That is probably the easy part (single user in that situation).

Quote:
The third line - can be mathog's or drm's group, but they are in different groups.

But the files you displayed (Temp/dm_madethis.txt and Temp/mathog_madethis.txt) referenced the same group whose SID is S-1-5-21-3647732485-1992587475-2421813229-513 and this is what the third line means.

Quote:
For the experiment I set it to match mathog's (biostaff). Then umount and remount.

Ok for a try, and this has the expected consequence :

Code:
-rwxr-xr-x 2 drm    biostaff      17 2010-05-18 14:18 dm_madethis.txt
-rwxr-xr-x 2 mathog biostaff      28 2010-05-18 14:14 mathog_madethis.txt

These lines prove the mapping I proposed is such that the files you made on W7 by drm and mathog are seen on Linux as owned by drm and mathog. The mapping worked as expected, based on the algorithm used by ntfs-3g to derive the SID from uid, based on the last line (the one with no uid or gid), by just adding twice the effective uid.

But are you really sure these files were really created on W7 ? It would be a very strange coincidence that the algorithm used by Samba matches the one I invented for ntfs-3g. You claim that drm and mathog are in different groups, but the files are in the same group. Are you sure the files you displayed were not created on ntfs-3g (by copying the original files) ?

Quote:
So the ownership for domain users' files, created on W7, is correct. The group is shown as whatever was set on the 3rd line, which could be a security issue. I suppose though I could use a group with no members for that, then it would only match on the UID part.

Whatever you put in this file results in ownership data for some user or some group, and all users and groups have to be mapped with no ambiguity. The full file is security sensitive. You should obviously make it only accessible to root.

Though the result may seem partially acceptable to you, it is probably fully wrong because it is based on wrong data (derived from wrong files).

So far I only imagine two ways :

1) Derive the data from the ones which Samba uses. I have made a proposal based on wbinfo which you reject, as you use "net getdomainsid" instead. I cannot help you for that, but you have to understand I need the list of users, and for each one, the uid, the gid, the user SID and the group SID. Try to translate my proposal based on wbinfo into "net getdomainsid" commands. I have no access to a Samba environment and I cannot make any try.

2) (repeated) "Whenever a new user account is created, the user is asked to create a file on the target ntfs volume over Windows. This sample file is then renamed (not copied) by the administrator as .NTFS-3G/Users/<account name> so that ntfs-3g can analyze the file and build the mapping (at mount time)."

Have a nice week-end thinking about it.

Regards

Jean-Pierre


Fri May 21, 2010 22:16
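As an added example (not ntfs-3g's own code), this builds a UserMapping file in the uid:gid:SID form used throughout the thread and checks it for the ambiguities Jean-Pierre describes: several uids or gids claiming one SID (the one-way mapping from the uid1/uid2/gid2 attempt), one uid given several SIDs, and an explicit SID that the default line would also derive as base + 2*uid for a different uid. That the default line must come last is assumed from the file he proposed above, not from ntfs-3g's documentation, and the "dec" prefix in that file is not handled.

```python
"""Build and sanity-check an ntfs-3g UserMapping file.

Added example, not ntfs-3g code.  Lines are uid:gid:SID as used in the thread
(names are accepted in the uid/gid fields); the implicit rule for the default
line (RID = base + 2*uid) is the one Jean-Pierre describes.  Requiring the
default line to be last is an assumption taken from the file he proposed.
"""
from collections import defaultdict


def build_mapping(users, groups, default_sid=None):
    """users/groups: (name-or-id, SID) pairs; default_sid: domain base for the implicit rule."""
    lines = ["%s::%s" % (uid, sid) for uid, sid in users]
    lines += [":%s:%s" % (gid, sid) for gid, sid in groups]
    if default_sid:
        lines.append("::%s" % default_sid)    # default line goes last
    return lines


def parse_mapping(lines):
    """Split each line into (uid, gid, sid); '#' starts a comment, blanks are skipped."""
    entries = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        uid, gid, sid = (field.strip() for field in line.split(":", 2))
        entries.append((uid, gid, sid))
    return entries


def split_sid(sid):
    """'S-1-5-21-a-b-c-1000' -> ('S-1-5-21-a-b-c', 1000)."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def find_ambiguities(entries):
    """Return a list of reasons the mapping is not two-way (empty means it is)."""
    problems = []
    sid_uids, sid_gids = defaultdict(set), defaultdict(set)   # SID -> who claims it
    uid_sids, gid_sids = defaultdict(set), defaultdict(set)   # uid/gid -> SIDs given
    default = None
    for index, (uid, gid, sid) in enumerate(entries):
        if not uid and not gid:
            if index != len(entries) - 1:
                problems.append("default line %s is not the last line" % sid)
            default = sid
            continue
        if uid:
            sid_uids[sid].add(uid)
            uid_sids[uid].add(sid)
        if gid:
            sid_gids[sid].add(gid)
            gid_sids[gid].add(sid)
    # Several uids (or gids) on one SID: a file owned by that SID can only show
    # the first match, which is the one-way behaviour seen in the thread.
    for table, what in ((sid_uids, "uids"), (sid_gids, "gids")):
        for sid, owners in table.items():
            if len(owners) > 1:
                problems.append("SID %s is claimed by several %s: %s" % (sid, what, sorted(owners)))
    for table, what in ((uid_sids, "uid"), (gid_sids, "gid")):
        for ident, sids in table.items():
            if len(sids) > 1:
                problems.append("%s %s is given several SIDs: %s" % (what, ident, sorted(sids)))
    # An explicit SID that the default line would also derive for another uid.
    if default:
        domain, base = split_sid(default)
        for uid, sids in uid_sids.items():
            for sid in sids:
                sid_domain, rid = split_sid(sid)
                if sid_domain == domain and rid >= base and (rid - base) % 2 == 0:
                    implied = (rid - base) // 2
                    if str(implied) != uid:
                        problems.append("SID %s given to uid %s is also the implicit SID of uid %d"
                                        % (sid, uid, implied))
    return problems
```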