Usermapping Windows Vista <-> Ubuntu 

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Usermapping Windows Vista <-> Ubuntu
Hi,
on Ubuntu I have compiled and installed version 2015.3.14.
On http://jp-andre.pagesperso-orange.fr/pe ... sermapping you say one should use:
Code:
# Typical pattern of a user mapping file for Windows 7 and earlier
# All users are in the same primary group
1000::S-1-5-21-1833069642-4243175381-1340018762-1002
1001::S-1-5-21-1833069642-4243175381-1340018762-1008
:500:S-1-5-21-1833069642-4243175381-1340018762-513

On Ubuntu there is no gid 500, so now I don't know which gid I should use here.
On Ubuntu the primary group of each user is different, i.e. is the user itself:
Code:
user1@Ubuntu:~$ id
uid=1000(user1) gid=1000(user1) Gruppen=1000(user1),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
user2@Ubuntu:~$ id
uid=1001(user2) gid=1001(user2) Gruppen=1001(user2),4(adm),24(cdrom),30(dip),46(plugdev),108(lpadmin),124(sambashare)

Do you think the following would help instead:
Code:
::S-1-5-21-1833069642-4243175381-1340018762-10000


Thu Apr 23, 2015 03:02
Profile
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Usermapping Windows Vista <-> Ubuntu
Hi,

Quote:
On Ubuntu the primary group of each user is different, i.e. is the user itself

That is the standard Ubuntu situation: each user has his/her own primary group, whose id is the same as the user id.
But on Windows 7 (and earlier), all users are in the same group, so you cannot match them to Ubuntu users created with standard settings. You have to group the users on Ubuntu the same way as they are on Windows. To do that, you have to recreate both users on Ubuntu with the same primary group (for instance gid=1999). You may keep the current uid 1000 and 1001 and gid 1000 and 1001 as supplementary groups, so that you need not change the ownership and permissions of existing files.

This should be something similar to:
Code:
# From memory, make your OWN CHECKS first
# as root :
userdel user1
userdel user2
groupadd -f -g 1999 commongroup
groupadd -f -g 1000 user1
groupadd -f -g 1001 user2
useradd -u 1000 -g 1999 -G 1000 -d /home/user1 user1
passwd user1
useradd -u 1001 -g 1999 -G 1001 -d /home/user2 user2
passwd user2

Doing that, your UserMapping file would probably be:
Code:
1000::S-1-5-21-1833069642-4243175381-1340018762-1002
1001::S-1-5-21-1833069642-4243175381-1340018762-1008
:1999:S-1-5-21-1833069642-4243175381-1340018762-513
::S-1-5-21-1833069642-4243175381-1340018762-10000

The last line is not mandatory, it may help in some circumstances.

As new files created by user1 and user2 will be in the same group, you may want to set umask to 0700 if you do not want users to access other users' files.

Regards

Jean-Pierre


Thu Apr 23, 2015 21:48
Profile

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Usermapping Windows Vista <-> Ubuntu
Hi jpa,

thanks for your suggestion.

When solving the problem as you say, I see another problem.
Doesn't this hurt the security concept of Ubuntu? When all users have the same gid as primary group, then all users have access to the data of the other users, if I understand right.

Another problem is that the existing data of those users is assigned to their groups 1000/1001, so after changing the primary groups, the access rights situation to the existing data would change too.

So please let me suggest another proposal:
You maybe could add an additional syntax to the usermapping like:
Code:
?:*:S-1-5-21-1833069642-4243175381-1340018762-513

This should be treated as: Map this group SID to the equivalent gid of each user's SID.

An alternative could be:
It seems that the SID S-1-5-21-x-y-z-513 is always the default group SID on Windows. So it may be not explicitly mapped by .NTFS-3G/UserMapping, so it could be implicitly mapped to Ubuntu's gids if there is no mapping given in .NTFS-3G/UserMapping.
... same as root gid is always implicitly mapped to S-1-5-32-544


Thu Apr 23, 2015 22:51
Profile
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Usermapping Windows Vista <-> Ubuntu
Hi,

Quote:
Code:
?:*:S-1-5-21-1833069642-4243175381-1340018762-513

This should be treated as: Map this group SID to the equivalent gid of each user's SID.

This is trying to guess the gid from the owner of the file. So this is assuming all permissions are related to the owner or to other, which is a restriction to using groups for sharing files.

Also do not forget the group mapping issue disappears when using Windows 8.

Regards

Jean-Pierre


Fri Apr 24, 2015 20:49
Profile

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Usermapping Windows Vista <-> Ubuntu
jpa wrote:
This is trying to guess the gid from the owner of the file.
Correct.

Quote:
So this is assuming all permissions are related to the owner or to other, which is a restriction to using groups for sharing files.
Do you mean the sharing on Windows? I never saw that for my data under Windows user profiles. ... and what could be the risk?

And even if there is a disadvantage, the responsibility on using such an additional feature would remain to the user.

Other problems from following your suggestion:
The Linux primary group facility would be blocked for other usage, just only upon the NTFS-mapping.
Additionally the umask settings must be changed to avoid write access from one user to the data of another user.

Quote:
Also do not forget the group mapping issue disappears when using Windows 8.
Well, but Windows XP ... 7 systems do not disappear so soon.

Regards


Mon Apr 27, 2015 19:30
Profile

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Usermapping Windows Vista <-> Ubuntu
Hi again,

I did some tries with inherit in fstab and:
Code:
1000::S-1-5-21-1833069642-4243175381-1340018762-1002
1001::S-1-5-21-1833069642-4243175381-1340018762-1008
::S-1-5-21-1833069642-4243175381-1340018762-10000

Results:
Files created from 1000 on Ubuntu get group SID and on another login -12002, on Ubuntu they appear with gid 1000, looks fine!
Files created from 1001 on Ubuntu get group SID -12003, on Ubuntu they appear with gid 1001, looks fine!
Files created from Windows, on Ubuntu they appear with gid 0, looks fine!
I guess, if I add:
Code:
:1999:S-1-5-21-1833069642-4243175381-1340018762-513
all would behave the same except the files created from Windows would appear on Ubuntu with gid 1999, even if I do not set 1999 as primary group for 1000/1 on Ubuntu, which would be fine too.

So when it is possible to create SID -12001/2/3 from unmapped gid 1000/1, I do not understand, why it should not be possible to create SID -513.

Regards, Ulf


Fri May 01, 2015 22:24
Profile

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Usermapping Windows Vista <-> Ubuntu
Correction, I meant:
Files created from 1000 on Ubuntu get group SID -12001 and on another login -12002, ...


Sat May 02, 2015 18:25
Profile
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Usermapping Windows Vista <-> Ubuntu
Hi,

Quote:
Files created from 1000 on Ubuntu get group SID and on another login -12002, on Ubuntu they appear with gid 1000, looks fine!
Files created from 1001 on Ubuntu get group SID -12003, on Ubuntu they appear with gid 1001, looks fine!

This is under control of your special last line of UserMapping. When a uid is not mapped, the associated SID is what is shown on this line plus 2*uid, and when a gid is not mapped, the associated SID is what is shown on this line plus 2*gid + 1. For example, VirtualBox requires that its users be in group vboxusers. If vboxusers is 497, the corresponding SID would be -10000 + 2*497 + 1 = 10995. Such SIDs are meaningless on Windows and cannot be used for permission interoperability (and VirtualBox on Windows has no vboxusers need).

So, when you get -12002 this is unmapped uid 1001, when you get -12003 this is unmapped gid 1001.

Quote:
So when it is possible to create SID -12001/2/3 from unmapped gid 1000/1, I do not understand, why it should not be possible to create SID -513.

This is because different SIDs must map to different gids and conversely. In other words, when users are in the same Windows group, they must also be in the same Linux primary group; when they are in different Windows groups, they must also be in different Linux primary groups.

Note SID -12002 means uid 1001 (not gid 1001).

Regards

Jean-Pierre


Mon May 04, 2015 17:29
Profile

Joined: Mon Mar 31, 2014 13:43
Posts: 113
Post Re: Usermapping Windows Vista <-> Ubuntu
jpa wrote:
This is because different SIDs must map to different gids and conversely.

I do not understand this, why is this mandatory?
If there is no UserMapping and no permissions option, all SIDs are mapped to the same gid 0.


Sun May 31, 2015 15:44
Profile
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Usermapping Windows Vista <-> Ubuntu
Hi,
Quote:
Quote:
This is because different SIDs must map to different gids and conversely.

I do not understand this, why is this mandatory?

It is a strong assumption in ntfs-3g that users are organized the same way in Windows and Linux. Otherwise you cannot grant or deny access according to group membership.
Quote:
If there is no UserMapping and no permissions option, all SIDs are mapped to the same gid 0.

And they cannot be translated back to the original SID when a file is copied or edited. So, you cannot filter access to the copy according to its permissions.

Regards

Jean-Pierre


Tue Jun 02, 2015 12:25
Profile