Subject: Re: Accessing SMB share as wrong user?
To: cygwin AT cygwin DOT com
References: <7f4eb950-de06-2981-c9b4-fd345c11ffb3 AT dd-b DOT net> <940871db-07d8-6528-bef3-f2630a89c505 AT SystematicSw DOT ab DOT ca> <704def19-dfa4-1ebc-512e-fae23199f7a6 AT dd-b DOT net>
From: Brian Inglis
Message-ID: <5adfc522-0598-63cb-3834-fb2e2e0638f7@SystematicSw.ab.ca>
Date: Mon, 29 May 2017 23:58:51 -0600

On 2017-05-29 22:15, David Dyer-Bennet wrote:
> On 5/29/2017 22:49, Brian Inglis wrote:
>> On 2017-05-29 12:37, David Dyer-Bennet wrote:
>>> On 5/29/2017 12:45, Brian Inglis wrote:
>>>> On 2017-05-29 11:16, David Dyer-Bennet wrote:
>>>>> A simpler case demonstrating this; X0 is a new share (created just
>>>>> for testing this) with no prior history, nothing manually set.
>>>>> (Server is FreeNAS, current version).
>>>>> From the beginning, when it first sees it, it shows the file owners
>>>>> and groups weirdly.
>>>>> And then it's able to create a file and write to it *once*, but
>>>>> can't then append to it???
>>>>>
>>>>> David Dyer-Bennet AT DDB4 //fsfs/x0
>>>>> $ id
>>>>> uid=197608(David Dyer-Bennet) gid=197121(None)
>>>>> groups=197121(None),197609(Ssh
>>>>> Users),545(Users),4(INTERACTIVE),66049(CONSOLE LOGON),11(Authenticated
>>>>> Users),15(This Organization),113(Local account),66048(LOCAL),262154(NTLM
>>>>> Authentication),401408(Medium Mandatory Level)
>>>>>
>>>>> David Dyer-Bennet AT DDB4 //fsfs/x0
>>>>> $ ls -ld .
>>>>> drwxrwxr-x+ 1 Unknown+User Unix_Group+1001 0 May 29 11:55 .
>>>>>
>>>>> David Dyer-Bennet AT DDB4 //fsfs/x0
>>>>> $ getfacl .
>>>>> # file: .
>>>>> # owner: Unknown+User
>>>>> # group: Unix_Group+1001
>>>>> user::rwx
>>>>> group::rwx
>>>>> other:r-x
>>>>> default:user::rwx
>>>>> default:group::rwx
>>>>> default:group:Unix_Group+1001:rwx
>>>>> default:mask:rwx
>>>>> default:other:r-x
>>>>>
>>>>> David Dyer-Bennet AT DDB4 //fsfs/x0
>>>>> David Dyer-Bennet AT DDB4 //fsfs/x0
>>>>> David Dyer-Bennet AT DDB4 //fsfs/x0
>>>>> $ echo something > foobar
>>>>>
>>>>> David Dyer-Bennet AT DDB4 //fsfs/x0
>>>>> $ ls -l foobar
>>>>> ----r--r-- 1 Unknown+User Unix_Group+1001 10 May 29 12:11 foobar
>>>>>
>>>>> David Dyer-Bennet AT DDB4 //fsfs/x0
>>>>> $ getfacl foobar
>>>>> # file: foobar
>>>>> # owner: Unknown+User
>>>>> # group: Unix_Group+1001
>>>>> user::---
>>>>> group::r--
>>>>> other:r--
>>>>>
>>>>> David Dyer-Bennet AT DDB4 //fsfs/x0
>>>>> $ echo more >> foobar
>>>>> -bash: foobar: Permission denied
>>>>
>>>> See Cygwin User's Guide section on Switching the user context:
>>>> $ cygstart /usr/share/doc/cygwin-2.8.0/html/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
>>>> OR
>>>> $ cygstart https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
>>>
>>> That appears to be instructions on how to temporarily, in code, act as
>>> another user. My problem is that when I create a Bash shell, it
>>> accesses network drives as the wrong user. It may be possible for me to
>>> write a version of Bash that switches to the right (default) user using
>>> that information, but why is it *necessary*? Local drives are accessed
>>> fine.
>>
>> That is the description of what Cygwin does to emulate a user context
>> for remote access to shares - you may want to set up and try methods 1,
>> 2, and 3 to see what works with your network shares.
>
> It's never been necessary before; why is it suddenly necessary now?

It may be because there were major changes a few? releases ago, to use SAM and AD info and eliminate the need for or use of passwd and group, support nsswitch to customize this, support some customizations allowed with passwd and group in another manner, and support POSIX and Windows ACLs.

> And, again, what it is describing is how to do that *temporarily in
> code*, not permanently at the command line.

It tells you how Cygwin implements security, how to change your environment to use those mapping methods to get access to network shares, the impact, and tradeoffs you may have to make.
It describes setting up LSA authentication using cyglsa-config, and using passwd -R, optionally with cygserver, to get access to network shares, and for other uses.

>> First step may be to change or remap your userid to one not containing
>> spaces using /etc/passwd; see
>> https://cygwin.com/faq.html#faq.setup.name-with-space
>> then
>> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-samba
>
> Instructions are bad, they refer (in 2.16) to a nonexistent windows
> management tool "GUI user manager". The actual tool, the "local users
> and groups" tool within "computer management", has no facility to change
> a username.

Then recreate /etc/passwd and /etc/group, and change what you need, as long as it does not cause a Cygwin conflict with what is in SAM or AD.
I am well aware not everything got easier with W7 and W10 changes. Controls and features that could easily be abused by idiots or malware were removed, and replaced by more restrictions, commands, registry manipulation tools, and languages, that made many things harder to do, unless the available GUI did all that you wanted, and you have the privilege to do so.
I have some scripts to do from the unprivileged command line what I can otherwise do only via a GUI run as admin!

-- 
Take care. Thanks,
Brian Inglis, Calgary, Alberta, Canada

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
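A quick diagnostic in the spirit of the thread, as an added example that is not code from the list or from Cygwin itself: it classifies Cygwin getfacl output for a file on a share to tell an unmapped owner (the Unknown+User case above) apart from a file that is owned by us but simply not owner-writable. The sample ACLs and the user name ddb are constructed; on a real Cygwin box the script takes the path to check as its first argument.

```shell
# Added example, not code from the thread or from Cygwin itself. It separates the
# two symptoms in David's transcript from Cygwin getfacl(1) output: the share is
# accessed as an unmapped identity (owner is Unknown+User, not the current user),
# or the new file has no owner write bit (user::---), so the append is refused.
# Cygwin getfacl prints Solaris-style entries ("user::rwx", "other:r-x"); the
# sample ACLs below are constructed from the values quoted in the thread.

# Print the "# owner:" field of the getfacl output passed as $1.
acl_owner() {
    printf '%s\n' "$1" | sed -n 's/^# owner: //p'
}

# Print the owner permission triple (the "user::" entry) of getfacl output $1.
acl_user_perms() {
    printf '%s\n' "$1" | sed -n 's/^user::\(...\).*$/\1/p'
}

# classify ACL EXPECTED_OWNER prints unmapped-owner (owned by someone else),
# owner-no-write (ours, but user:: lacks w) or ok, with exit status 1, 2 or 0.
classify() {
    if [ "$(acl_owner "$1")" != "$2" ]; then
        echo unmapped-owner
        return 1
    fi
    case $(acl_user_perms "$1") in
        *w*) echo ok; return 0 ;;
        *)   echo owner-no-write; return 2 ;;
    esac
}

# Constructed sample: the foobar file from the thread (ls showed ----r--r--).
SAMPLE_UNMAPPED='# file: foobar
# owner: Unknown+User
# group: Unix_Group+1001
user::---
group::r--
other:r--'

# Constructed sample: the same file once the share maps us to our own account.
SAMPLE_OK='# file: foobar
# owner: ddb
# group: Users
user::rw-
group::r--
other:r--'
# Live use on Cygwin, with the path to check as $1 (no-op when run without args).
if [ $# -gt 0 ]; then
    classify "$(getfacl "$1")" "$(id -un)"
fi
```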