Hi,
on Ubuntu I have compiled and installed version 2015.3.14.
On http://jp-andre.pagesperso-orange.fr/pe ... sermapping you say one should use:

On Ubuntu there is no gid 500, so now I don't know which gid I should use here.
On Ubuntu the primary group of each user is different, i.e. is the user itself:

Do you think the following would help instead:

Hi,


That is the standard Ubuntu situation : each user has his/her own primary group, whose id is the same as the user id.
But on Windows 7 (and earlier), all users are in the same group, so you cannot match them to Ubuntu users created with standard settings. You have to group the users on Ubuntu the same way as they are on Windows. To do that, you have to recreate both users on Ubuntu with the same primary group (for instance gid=1999). You may keep the current uid 1000 and 1001 and gid 1000 and 1001 as supplementary groups, so that you need not change the ownership and permissions of existing files.

This should be something similar to :

Doing that, your UserMapping file would probably be :

The last line is not mandatory, it may help in some circumstances.

As new files created by user1 and user2 will be in the same group, you may want to set umask to 0700 if you do not want users to access other users' files.

Regards

Jean-Pierre

Hi jpa,

thanks for your suggestion.

When solving the problem as you say, I see a another problem.
Doesn't this hurt the security concept of Ubuntu? When all users have the same gid as primary group, then all users have access to the data of the other users, if I understand right.

Another problem is, that the existing data of those users is assigned to there groups 1000/1001, so after changing the primary groups, the access rights situation to the existing data would change too.

So please let me suggest another proposal:
You maybe could add an additional syntax to the usermapping like:

This should be treated as: Map this group SID to the equivalent gid of each users sid.

An alternative could be:
It seems, that the SID S-1-5-21-x-y-z-513 is always the default group SID on Windows. So it may be not explicitly mapped by .NTFT-3G/UserMapping, so it could be implicitly mapped to Ubuntu's gid's if there is no mapping given in .NTFT-3G/UserMapping.
... same as root gid is always implicitly mapped to S-1-5-32-544

Hi,


This is trying to guess the gid from the owner of the file. So this is assuming all permissions are related to the owner or to other, which is a restriction to using groups for sharing files.

Also do not forget the group mapping issue disappears when using Windows 8.

Regards

Jean-Pierre

Correct.

Do you mean the sharing on Windows? I never saw that for my data under Windows user profiles. ... and what could be the risk?

And even if there is a disadvantage, the responsibility on using such an additional feature would remain to the user.

Other problems from following your suggestion:
The Linux primary group facility would be blocked for other usage, just only upon the NTFS-mapping.
Additionally the umask settings must be changed to avoid write access from one user to the data of another user.

Well, but Windows XP ... 7 systems do not disapear so soon.

Regards

Hi again,

I did some tries with inherit in fstab and:

Results:
Files created from 1000 on Ubuntu get group SID and on another login -12002, on Ubuntu they appear with gid 1000, looks fine!
Files created from 1001 on Ubuntu get group SID -12003, on Ubuntu they appear with gid 1001, looks fine!
Files created from Windows, on Ubuntu they appear with gid 0, looks fine!
I guess, if I add:
all would behave same except the files created from Windows would appear on Ubuntu with gid 1999, even if I not set 1999 as primary group for 1000/1 on Ubuntu, which would be fine too.

So when it is possible to create SID -12001/2/3 from unmapped gid 1000/1, I do not understand, why it should not be possible to create SID -513.

Regards, Ulf

Correction, I meant:
Files created from 1000 on Ubuntu get group SID -12001 and on another login -12002, ...

Hi,


This is under control of your special last line of UserMapping. When a uid is not mapped, the associated SID is what is shown on this line plus 2*uid, and when a gid is not mapped, the associated SID is what is shown on this line plus 2*gid + 1. For example, VirtualBox require that its users be in group vboxusers. If vboxusers is 497, the corresponding SID would be -10000 + 2*497 + 1 = 10995. Such SIDs are meaningless on Windows and cannot be used for permission interoperability (and VirtualBox on Windows has no vboxusers need).

So, when you get -12002 this is unmapped uid 1001, when you get -12003 this is unmapped gid 1001.


This is because different SIDs must map to different gids and conversely. In other words, when users are in the same Windows group, they must also be in the same Linux primary group; when they are in different Windows groups, they must also be in different Linux primary groups.

Note SID -12002 means uid 1001 (not gid 1001).

Regards

Jean-Pierre

I do not understand this, why is this mandatory?
If there is no UserMapping and no permissions option, all SIDs are mapped to the same gid 0.

Hi,

It is a strong assumption in ntfs-3g that users are organized the same way in Windows and Linux. Otherwise you cannot grant or deny access according to group membership.

And they cannot be translated back to the original SID when a file is copied or edited. So, you cannot filter access to the copy according to its permissions.

Regards

Jean-Pierre