public inbox for cygwin@cygwin.com
* Accessing SMB share as wrong user?
@ 2017-05-29  3:12 David Dyer-Bennet
  2017-05-29 18:37 ` David Dyer-Bennet
  2017-05-29 20:22 ` Andrey Repin
  0 siblings, 2 replies; 11+ messages in thread
From: David Dyer-Bennet @ 2017-05-29  3:12 UTC (permalink / raw)
  To: cygwin

All my files are on drive P: in Windows, which is an SMB share
equivalent to \\fsfs\ddb\Documents.  Everything works fine in windows
apps, and I see what I expect in Explorer, including when I go down to
security properties and look in detail.

However, Cygwin has trouble with this lately (I can't trace exactly when
it started happening; not weeks, maybe a year, but I've been running
essentially this way since 2006 and most of the time things were fine).

Cygwin appears to be accessing the share as some kind of unknown user,
rather than as the proper user configured in Windows for that share
(which is FSFS\ddb).

In Cygwin "id" shows
$ id
uid=197608(David Dyer-Bennet) gid=197121(None)
groups=197121(None),114(Local account and member of Administrators
group),544(Administrators),545(Users),4(INTERACTIVE),66049(CONSOLE
LOGON),11(Authenticated Users),15(This Organization),113(Local
account),66048(LOCAL),262154(NTLM Authentication),405504(High Mandatory
Level)

but if I create a file it gets created owned by "Unknown+User":
$ touch foobar

David Dyer-Bennet@DDB4 /cygdrive/p
$ ls -l foobar
----r--r-- 1 Unknown+User Unix_Group+1001 0 May 28 17:27 foobar

David Dyer-Bennet@DDB4 /cygdrive/p
$ getfacl foobar
# file: foobar
# owner: Unknown+User
# group: Unix_Group+1001
user::---
group::r--
other:r--

And then of course I can't access it:
$ echo things >> foobar
-bash: foobar: Permission denied

I haven't that I've noticed done anything to change what user I run as;
$USER is "David Dyer-Bennet" (the Windows username I'm in under), and
/etc/passwd has default output from mkpasswd, including the user "David
Dyer-Bennet" with the UID 197608 (same as ID shows at the command line).

At least I can count on people here not answering "just ditch
Cygwin"...right?
-- 
David Dyer-Bennet <dd-b@dd-b.net>
http://dd-b.net/

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: Accessing SMB share as wrong user?
  2017-05-29  3:12 Accessing SMB share as wrong user? David Dyer-Bennet
@ 2017-05-29 18:37 ` David Dyer-Bennet
  2017-05-29 19:18   ` Brian Inglis
  2017-05-29 20:22 ` Andrey Repin
  1 sibling, 1 reply; 11+ messages in thread
From: David Dyer-Bennet @ 2017-05-29 18:37 UTC (permalink / raw)
  To: cygwin

A simpler case demonstrating this; X0 is a new share (created just for
testing this) with no prior history, nothing manually set.  (Server is
FreeNAS, current version).

From the beginning, when it first sees it, it shows the file owners and
groups weirdly.

And then it's able to create a file and write to it *once*, but can't
then append to it???

David Dyer-Bennet@DDB4 //fsfs/x0
$ id
uid=197608(David Dyer-Bennet) gid=197121(None)
groups=197121(None),197609(Ssh
Users),545(Users),4(INTERACTIVE),66049(CONSOLE LOGON),11(Authenticated
Users),15(This Organization),113(Local account),66048(LOCAL),262154(NTLM
Authentication),401408(Medium Mandatory Level)

David Dyer-Bennet@DDB4 //fsfs/x0
$ ls -ld .
drwxrwxr-x+ 1 Unknown+User Unix_Group+1001 0 May 29 11:55 .

David Dyer-Bennet@DDB4 //fsfs/x0
$ getfacl .
# file: .
# owner: Unknown+User
# group: Unix_Group+1001
user::rwx
group::rwx
other:r-x
default:user::rwx
default:group::rwx
default:group:Unix_Group+1001:rwx
default:mask:rwx
default:other:r-x


David Dyer-Bennet@DDB4 //fsfs/x0
$

David Dyer-Bennet@DDB4 //fsfs/x0
$

David Dyer-Bennet@DDB4 //fsfs/x0
$ echo something > foobar

David Dyer-Bennet@DDB4 //fsfs/x0
$ ls -l foobar
----r--r-- 1 Unknown+User Unix_Group+1001 10 May 29 12:11 foobar

David Dyer-Bennet@DDB4 //fsfs/x0
$ getfacl foobar
# file: foobar
# owner: Unknown+User
# group: Unix_Group+1001
user::---
group::r--
other:r--


David Dyer-Bennet@DDB4 //fsfs/x0
$ echo more >> foobar
-bash: foobar: Permission denied

-- 
David Dyer-Bennet <dd-b@dd-b.net>
http://dd-b.net/


* Re: Accessing SMB share as wrong user?
  2017-05-29 18:37 ` David Dyer-Bennet
@ 2017-05-29 19:18   ` Brian Inglis
  2017-05-29 19:43     ` David Dyer-Bennet
  0 siblings, 1 reply; 11+ messages in thread
From: Brian Inglis @ 2017-05-29 19:18 UTC (permalink / raw)
  To: cygwin

On 2017-05-29 11:16, David Dyer-Bennet wrote:
> A simpler case demonstrating this; X0 is a new share (created just
> for testing this) with no prior history, nothing manually set.
> (Server is FreeNAS, current version).
> From the beginning, when it first sees it, it shows the file owners 
> and groups weirdly.
> And then it's able to create a file and write to it *once*, but
> can't then append to it???
> David Dyer-Bennet@DDB4 //fsfs/x0
> $ id
> uid=197608(David Dyer-Bennet) gid=197121(None)
> groups=197121(None),197609(Ssh
> Users),545(Users),4(INTERACTIVE),66049(CONSOLE LOGON),11(Authenticated
> Users),15(This Organization),113(Local account),66048(LOCAL),262154(NTLM
> Authentication),401408(Medium Mandatory Level)
> David Dyer-Bennet@DDB4 //fsfs/x0
> $ ls -ld .
> drwxrwxr-x+ 1 Unknown+User Unix_Group+1001 0 May 29 11:55 .
> David Dyer-Bennet@DDB4 //fsfs/x0
> $ getfacl .
> # file: .
> # owner: Unknown+User
> # group: Unix_Group+1001
> user::rwx
> group::rwx
> other:r-x
> default:user::rwx
> default:group::rwx
> default:group:Unix_Group+1001:rwx
> default:mask:rwx
> default:other:r-x
> David Dyer-Bennet@DDB4 //fsfs/x0
> David Dyer-Bennet@DDB4 //fsfs/x0
> David Dyer-Bennet@DDB4 //fsfs/x0
> $ echo something > foobar
> David Dyer-Bennet@DDB4 //fsfs/x0
> $ ls -l foobar
> ----r--r-- 1 Unknown+User Unix_Group+1001 10 May 29 12:11 foobar
> David Dyer-Bennet@DDB4 //fsfs/x0
> $ getfacl foobar
> # file: foobar
> # owner: Unknown+User
> # group: Unix_Group+1001
> user::---
> group::r--
> other:r--
> David Dyer-Bennet@DDB4 //fsfs/x0
> $ echo more >> foobar
> -bash: foobar: Permission denied

See Cygwin User's Guide section on Switching the user context:
$ cygstart /usr/share/doc/cygwin-2.8.0/html/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
OR
$ cygstart https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada


* Re: Accessing SMB share as wrong user?
  2017-05-29 19:18   ` Brian Inglis
@ 2017-05-29 19:43     ` David Dyer-Bennet
  2017-05-30  5:58       ` Brian Inglis
  0 siblings, 1 reply; 11+ messages in thread
From: David Dyer-Bennet @ 2017-05-29 19:43 UTC (permalink / raw)
  To: cygwin

On 5/29/2017 12:45, Brian Inglis wrote:
> On 2017-05-29 11:16, David Dyer-Bennet wrote:
>> A simpler case demonstrating this; X0 is a new share (created just
>> for testing this) with no prior history, nothing manually set.
>> (Server is FreeNAS, current version).
>> From the beginning, when it first sees it, it shows the file owners 
>> and groups weirdly.
>> And then it's able to create a file and write to it *once*, but
>> can't then append to it???
>> David Dyer-Bennet@DDB4 //fsfs/x0
>> $ id
>> uid=197608(David Dyer-Bennet) gid=197121(None)
>> groups=197121(None),197609(Ssh
>> Users),545(Users),4(INTERACTIVE),66049(CONSOLE LOGON),11(Authenticated
>> Users),15(This Organization),113(Local account),66048(LOCAL),262154(NTLM
>> Authentication),401408(Medium Mandatory Level)
>> David Dyer-Bennet@DDB4 //fsfs/x0
>> $ ls -ld .
>> drwxrwxr-x+ 1 Unknown+User Unix_Group+1001 0 May 29 11:55 .
>> David Dyer-Bennet@DDB4 //fsfs/x0
>> $ getfacl .
>> # file: .
>> # owner: Unknown+User
>> # group: Unix_Group+1001
>> user::rwx
>> group::rwx
>> other:r-x
>> default:user::rwx
>> default:group::rwx
>> default:group:Unix_Group+1001:rwx
>> default:mask:rwx
>> default:other:r-x
>> David Dyer-Bennet@DDB4 //fsfs/x0
>> David Dyer-Bennet@DDB4 //fsfs/x0
>> David Dyer-Bennet@DDB4 //fsfs/x0
>> $ echo something > foobar
>> David Dyer-Bennet@DDB4 //fsfs/x0
>> $ ls -l foobar
>> ----r--r-- 1 Unknown+User Unix_Group+1001 10 May 29 12:11 foobar
>> David Dyer-Bennet@DDB4 //fsfs/x0
>> $ getfacl foobar
>> # file: foobar
>> # owner: Unknown+User
>> # group: Unix_Group+1001
>> user::---
>> group::r--
>> other:r--
>> David Dyer-Bennet@DDB4 //fsfs/x0
>> $ echo more >> foobar
>> -bash: foobar: Permission denied
> 
> See Cygwin User's Guide section on Switching the user context:
> $ cygstart
> /usr/share/doc/cygwin-2.8.0/html/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
> OR
> $ cygstart https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview

That appears to be instructions on how to temporarily, in code, act as
another user.  My problem is that when I create a Bash shell, it
accesses network drives as the wrong user.  It may be possible for me to
write a version of Bash that switches to the right (default) user using
that information, but why is it *necessary*?  Local drives are accessed
fine.



-- 
David Dyer-Bennet <dd-b@dd-b.net>
http://dd-b.net/


* Re: Accessing SMB share as wrong user?
  2017-05-29  3:12 Accessing SMB share as wrong user? David Dyer-Bennet
  2017-05-29 18:37 ` David Dyer-Bennet
@ 2017-05-29 20:22 ` Andrey Repin
  2017-05-29 21:30   ` David Dyer-Bennet
  2017-05-30  4:14   ` David Dyer-Bennet
  1 sibling, 2 replies; 11+ messages in thread
From: Andrey Repin @ 2017-05-29 20:22 UTC (permalink / raw)
  To: David Dyer-Bennet, cygwin

Greetings, David Dyer-Bennet!

> All my files are on drive P: in Windows, which is an SMB share
> equivalent to \\fsfs\ddb\Documents.  Everything works fine in windows
> apps, and I see what I expect in Explorer, including when I go down to
> security properties and look in detail.

> However, Cygwin has trouble with this lately (I can't trace exactly when
> it started happening; not weeks, maybe a year, but I've been running
> essentially this way since 2006 and most of the time things were fine).

> Cygwin appears to be accessing the share as some kind of unknown user,
> rather than as the proper user configured in Windows for that share
> (which is FSFS\ddb).

> In Cygwin "id" shows
> $ id
> uid=197608(David Dyer-Bennet) gid=197121(None)
> groups=197121(None),

> 114(Local account and member of Administrators group),
> 544(Administrators),

You're running Cygwin with elevated privileges.

> 545(Users),4(INTERACTIVE),66049(CONSOLE
> LOGON),11(Authenticated Users),15(This Organization),113(Local
> account),66048(LOCAL),262154(NTLM Authentication),405504(High Mandatory
> Level)

> but if I create a file it gets created owned by "Unknown+User":
> $ touch foobar

> David Dyer-Bennet@DDB4 /cygdrive/p
> $ ls -l foobar
> ----r--r-- 1 Unknown+User Unix_Group+1001 0 May 28 17:27 foobar

> David Dyer-Bennet@DDB4 /cygdrive/p
> $ getfacl foobar
> # file: foobar
> # owner: Unknown+User
> # group: Unix_Group+1001

Your share is located on Samba server.

> user::---
> group::r--
> other:r--

> And then of course I can't access it:
> $ echo things >> foobar
> -bash: foobar: Permission denied

See Cygwin manual about setting up your network identity.
Read around nsswitch.conf and implications of its different settings.

> I haven't that I've noticed done anything to change what user I run as;
> $USER is "David Dyer-Bennet" (the Windows username I'm in under), and
> /etc/passwd has default output from mkpasswd,

Ditch /etc/passwd unless you absolutely require it.

> including the user "David
> Dyer-Bennet" with the UID 197608 (same is ID shows at the command line).

> At least I can count on people here not answering "just ditch
> Cygwin"...right?

And please leave ramblings outside the list. This was absolutely uncalled for.


-- 
With best regards,
Andrey Repin
Monday, May 29, 2017 22:49:56

Sorry for my terrible english...



* Re: Accessing SMB share as wrong user?
  2017-05-29 20:22 ` Andrey Repin
@ 2017-05-29 21:30   ` David Dyer-Bennet
  2017-05-30  4:14   ` David Dyer-Bennet
  1 sibling, 0 replies; 11+ messages in thread
From: David Dyer-Bennet @ 2017-05-29 21:30 UTC (permalink / raw)
  To: cygwin

On 5/29/2017 14:53, Andrey Repin wrote:
> Greetings, David Dyer-Bennet!
> 
>> All my files are on drive P: in Windows, which is an SMB share
>> equivalent to \\fsfs\ddb\Documents.  Everything works fine in windows
>> apps, and I see what I expect in Explorer, including when I go down to
>> security properties and look in detail.
> 
>> However, Cygwin has trouble with this lately (I can't trace exactly when
>> it started happening; not weeks, maybe a year, but I've been running
>> essentially this way since 2006 and most of the time things were fine).
> 
>> Cygwin appears to be accessing the share as some kind of unknown user,
>> rather than as the proper user configured in Windows for that share
>> (which is FSFS\ddb).
> 
>> In Cygwin "id" shows
>> $ id
>> uid=197608(David Dyer-Bennet) gid=197121(None)
>> groups=197121(None),
> 
>> 114(Local account and member of Administrators group),
>> 544(Administrators),
> 
> You're running Cygwin with elevated privileges.

I guess so; I had one window each way, doesn't make a difference which
window I was in for this so it's not part of the problem or solution.

>> 545(Users),4(INTERACTIVE),66049(CONSOLE
>> LOGON),11(Authenticated Users),15(This Organization),113(Local
>> account),66048(LOCAL),262154(NTLM Authentication),405504(High Mandatory
>> Level)
> 
>> but if I create a file it gets created owned by "Unknown+User":
>> $ touch foobar
> 
>> David Dyer-Bennet@DDB4 /cygdrive/p
>> $ ls -l foobar
>> ----r--r-- 1 Unknown+User Unix_Group+1001 0 May 28 17:27 foobar
> 
>> David Dyer-Bennet@DDB4 /cygdrive/p
>> $ getfacl foobar
>> # file: foobar
>> # owner: Unknown+User
>> # group: Unix_Group+1001
> 
> Your share is located on Samba server.
> 
>> user::---
>> group::r--
>> other:r--

Specifically, FreeNAS.  (No domain controller, though.)

>> And then of course I can't access it:
>> $ echo things >> foobar
>> -bash: foobar: Permission denied
> 
> See Cygwin manual about setting up your network identity.
> Read around nsswitch.conf and implications of its different settings.

Thanks, I'll follow that up.

>> I haven't that I've noticed done anything to change what user I run as;
>> $USER is "David Dyer-Bennet" (the Windows username I'm in under), and
>> /etc/passwd has default output from mkpasswd,
> 
> Ditch /etc/passwd unless you absolutely require it.

Huh; thought it was needed.  I don't think I'm *using* it in any way.
Is it important to delete the actual file?

>> including the user "David
>> Dyer-Bennet" with the UID 197608 (same is ID shows at the command line).
> 
>> At least I can count on people here not answering "just ditch
>> Cygwin"...right?
> 
> And please leave ramblings outside the list. This was absolutely uncalled for.

Um...a little pleasant remark about this being the home turf of Cygwin
is out of place?  If so, sorry!
-- 
David Dyer-Bennet <dd-b@dd-b.net>
http://dd-b.net/


* Re: Accessing SMB share as wrong user?
  2017-05-29 20:22 ` Andrey Repin
  2017-05-29 21:30   ` David Dyer-Bennet
@ 2017-05-30  4:14   ` David Dyer-Bennet
  1 sibling, 0 replies; 11+ messages in thread
From: David Dyer-Bennet @ 2017-05-30  4:14 UTC (permalink / raw)
  To: cygwin

On 5/29/2017 14:53, Andrey Repin wrote:
> Greetings, David Dyer-Bennet!
>
>> And then of course I can't access it:
>> $ echo things >> foobar
>> -bash: foobar: Permission denied
>
> See Cygwin manual about setting up your network identity.
> Read around nsswitch.conf and implications of its different settings.

Okay, the detailed info on account mapping and nsswitch.conf looked like
it ought to address this situation, but it doesn't actually seem to
change anything.  But the documentation is *exceedingly* unclear, the
examples incomplete, and there's no info on easy ways to check if it's
working or not, so I may be wrong.

I have deleted /etc/passwd.  /etc/nsswitch is the default (all
comments), meaning it should be doing the default thing (in particular
it should behave as if "passwd: files db" and "group: files db" were
present; those are the defaults).

Using the Windows Computer Management utility I was able to add Cygwin
SAM comment entries to my Windows user account giving the proper Unix
UID for my account on the server, and the group. And I can see that data
come back from the Windows cmd.com using net user "David Dyer-Bennet":

C:\Windows\System32>net user "David Dyer-Bennet"
User name                    David Dyer-Bennet
Full Name
Comment                      <cygwin unix="1001" group="users"/>
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            7/11/2015 20:29:50
Password expires             Never
Password changeable          7/11/2015 20:29:50
Password required            No
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   5/29/2017 16:06:34

Logon hours allowed          All

Local Group Memberships      *Administrators       *Ssh Users
Global Group memberships     *None
The command completed successfully.

So, I *think* I've got it set the way the documentation says (as I said,
I'm running a Samba server, but no AD or LDAP; that case is specifically
addressed in the documentation you point me to, and I think I've
followed that part of the instructions).

(The text in the doc isn't really clear on what number I put in the
unix="nnn" bit in the Cygwin comment, but the examples show a simple
small integer in the range commonly used for actual Unix UIDs, and that
makes sense, so I think I'm doing the right thing there.)

Oh, and 1001 is the correct UID for me on the SAMBA server, I
double-checked that.

What with one thing and another I even ended up rebooting the Windows
box after setting all that up (not, I believe, necessary; just starting
a new Cygwin process tree should I think be adequate for these changes,
but I *did* in fact reboot the whole box).

And, after reboot, my user id in Cygwin is still based on my Windows SID
(the last tuple), and my access to the files on the server behaves
exactly as before.

"This used to work," as they say. I've used Samba to export files from
Linux, Solaris (the built-in CIFS there actually, not SAMBA), and
FreeBSD servers, and accessed them from Windows and from Cygwin for more
than a decade.  Started being weird in the last year or two I think,
taken me this long to track it down in this much detail (I was figuring
the trouble was on the other end for a long time, but I've basically
eliminated that).  And the presence of this stuff in the documentation
indicates that there *is* something I need to do in Windows to make this
work.

Is anybody actually using this exact mode, SAMBA but no domain
controller, to a windows box, then accessing those shares via Cygwin?
How are you doing it?

Any suggestions on gathering more relevant information?
-- 
David Dyer-Bennet <dd-b@dd-b.net>
http://dd-b.net/
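
Added example, not part of the thread or of Cygwin: a POSIX-shell check that reads the `id` and `getfacl` output quoted above and reports which ACL class (owner, named user, group, other) applies to the caller and whether a permission is granted. It is a name-based model for reading the output, the `ddb` identity is constructed, and the real access decision is not made on display names.

```sh
#!/bin/sh
# Added example, not from the thread: a name-based model of POSIX ACL class
# selection over `id` and `getfacl` text. Reading aid only; the real access
# decision is not made on display names.

# Outputs quoted in the thread, kept mail-wrapped as posted.
SAMPLE_ID='uid=197608(David Dyer-Bennet) gid=197121(None)
groups=197121(None),197609(Ssh
Users),545(Users),4(INTERACTIVE),66049(CONSOLE LOGON),11(Authenticated
Users),15(This Organization),113(Local account),66048(LOCAL),262154(NTLM
Authentication),401408(Medium Mandatory Level)'
SAMPLE_FILE_ACL='# file: foobar
# owner: Unknown+User
# group: Unix_Group+1001
user::---
group::r--
other:r--'
SAMPLE_DIR_ACL='# file: .
# owner: Unknown+User
# group: Unix_Group+1001
user::rwx
group::rwx
other:r-x
default:user::rwx
default:group::rwx
default:group:Unix_Group+1001:rwx
default:mask:rwx
default:other:r-x'
# Constructed, hypothetical identity that is a member of the owning group.
MAPPED_ID='uid=1001(ddb) gid=1001(Unix_Group+1001) groups=1001(Unix_Group+1001)'

# Undo mail line wrapping so names such as "Ssh Users" are whole again.
join_lines() { printf '%s' "$1" | tr '\n' ' '; echo; }

# Print the account name from `id` output.
id_user() {
  join_lines "$1" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p'
}

# Print one group name per line; names may contain spaces.
id_groups() {
  join_lines "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' |
    sed 's/^[0-9]*(\(.*\)) *$/\1/'
}

# acl_check ID_TEXT GETFACL_TEXT PERM   (PERM is r, w or x)
# Prints "<class> allow|deny", class being owner, named-user, group or other.
acl_check() {
  printf '%s\n' "$2" |
  ACL_USER=$(id_user "$1") ACL_GROUPS=$(id_groups "$1") ACL_WANT=$3 awk '
    BEGIN {
      user = ENVIRON["ACL_USER"]; want = ENVIRON["ACL_WANT"]
      n = split(ENVIRON["ACL_GROUPS"], g, "\n")
      for (i = 1; i <= n; i++) member[g[i]] = 1
      mask = "rwx"                      # no mask entry means no masking
    }
    { sub(/\r$/, "") }                  # tolerate CRLF captures
    /^# owner: / { owner = substr($0, 10); next }
    /^# group: / { ogroup = substr($0, 10); next }
    /^#/ || /^default:/ || /^[ \t]*$/ { next }   # defaults only affect new files
    {
      sub(/[ \t]*#.*/, "")              # drop "#effective:" annotations
      k = split($0, f, ":")
      perms = f[k]; name = (k >= 3 ? f[2] : "")
      if (f[1] == "user" && name == "") uperm = perms
      else if (f[1] == "user")  nuser[name] = perms
      else if (f[1] == "group" && name == "") ogperm = perms
      else if (f[1] == "group") ngroup[name] = perms
      else if (f[1] == "mask")  mask = perms
      else if (f[1] == "other") operm = perms
    }
    END {
      if (user == owner) { cls = "owner"; ok = index(uperm, want) > 0 }
      else if (user in nuser) {
        cls = "named-user"
        ok = index(nuser[user], want) && index(mask, want)
      } else {
        if (ogroup in member) {
          hit = 1
          if (index(ogperm, want) && index(mask, want)) ok = 1
        }
        for (name in ngroup) if (name in member) {
          hit = 1
          if (index(ngroup[name], want) && index(mask, want)) ok = 1
        }
        if (hit) cls = "group"
        else { cls = "other"; ok = index(operm, want) > 0 }
      }
      print cls, (ok ? "allow" : "deny")
    }'
}

echo "foobar write as posted:   $(acl_check "$SAMPLE_ID" "$SAMPLE_FILE_ACL" w)"
echo "foobar write when mapped: $(acl_check "$MAPPED_ID" "$SAMPLE_FILE_ACL" w)"
echo "dir write when mapped:    $(acl_check "$MAPPED_ID" "$SAMPLE_DIR_ACL" w)"
```

On a live system the two text arguments can come from `"$(id)"` and `"$(getfacl FILE)"`.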


* Re: Accessing SMB share as wrong user?
  2017-05-29 19:43     ` David Dyer-Bennet
@ 2017-05-30  5:58       ` Brian Inglis
  2017-05-30  7:39         ` David Dyer-Bennet
  0 siblings, 1 reply; 11+ messages in thread
From: Brian Inglis @ 2017-05-30  5:58 UTC (permalink / raw)
  To: cygwin

On 2017-05-29 12:37, David Dyer-Bennet wrote:
> On 5/29/2017 12:45, Brian Inglis wrote:
>> On 2017-05-29 11:16, David Dyer-Bennet wrote:
>>> A simpler case demonstrating this; X0 is a new share (created just
>>> for testing this) with no prior history, nothing manually set.
>>> (Server is FreeNAS, current version).
>>> From the beginning, when it first sees it, it shows the file owners 
>>> and groups weirdly.
>>> And then it's able to create a file and write to it *once*, but
>>> can't then append to it???
>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>> $ id
>>> uid=197608(David Dyer-Bennet) gid=197121(None)
>>> groups=197121(None),197609(Ssh
>>> Users),545(Users),4(INTERACTIVE),66049(CONSOLE LOGON),11(Authenticated
>>> Users),15(This Organization),113(Local account),66048(LOCAL),262154(NTLM
>>> Authentication),401408(Medium Mandatory Level)
>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>> $ ls -ld .
>>> drwxrwxr-x+ 1 Unknown+User Unix_Group+1001 0 May 29 11:55 .
>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>> $ getfacl .
>>> # file: .
>>> # owner: Unknown+User
>>> # group: Unix_Group+1001
>>> user::rwx
>>> group::rwx
>>> other:r-x
>>> default:user::rwx
>>> default:group::rwx
>>> default:group:Unix_Group+1001:rwx
>>> default:mask:rwx
>>> default:other:r-x
>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>> $ echo something > foobar
>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>> $ ls -l foobar
>>> ----r--r-- 1 Unknown+User Unix_Group+1001 10 May 29 12:11 foobar
>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>> $ getfacl foobar
>>> # file: foobar
>>> # owner: Unknown+User
>>> # group: Unix_Group+1001
>>> user::---
>>> group::r--
>>> other:r--
>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>> $ echo more >> foobar
>>> -bash: foobar: Permission denied
>>
>> See Cygwin User's Guide section on Switching the user context:
>> $ cygstart
>> /usr/share/doc/cygwin-2.8.0/html/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
>> OR
>> $ cygstart https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
> 
> That appears to be instructions on how to temporarily, in code, act as
> another user.  My problem is that when I create a Bash shell, it
> accesses network drives as the wrong user.  It may be possible for me to
> write a version of Bash that switches to the right (default) user using
> that information, but why is it *necessary*?  Local drives are accessed
> fine.

That is the description of what Cygwin does to emulate a user context
for remote access to shares - you may want to set up and try methods 1,
2, and 3 to see what works with your network shares.

First step may be to change or remap your userid to one not containing
spaces using /etc/passwd; see
	https://cygwin.com/faq.html#faq.setup.name-with-space
then
	https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-samba

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada


* Re: Accessing SMB share as wrong user?
  2017-05-30  5:58       ` Brian Inglis
@ 2017-05-30  7:39         ` David Dyer-Bennet
  2017-05-30  8:21           ` Brian Inglis
  2017-05-30 16:47           ` Andrey Repin
  0 siblings, 2 replies; 11+ messages in thread
From: David Dyer-Bennet @ 2017-05-30  7:39 UTC (permalink / raw)
  To: cygwin

On 5/29/2017 22:49, Brian Inglis wrote:
> On 2017-05-29 12:37, David Dyer-Bennet wrote:
>> On 5/29/2017 12:45, Brian Inglis wrote:
>>> On 2017-05-29 11:16, David Dyer-Bennet wrote:
>>>> A simpler case demonstrating this; X0 is a new share (created just
>>>> for testing this) with no prior history, nothing manually set.
>>>> (Server is FreeNAS, current version).
>>>> From the beginning, when it first sees it, it shows the file owners 
>>>> and groups weirdly.
>>>> And then it's able to create a file and write to it *once*, but
>>>> can't then append to it???
>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>> $ id
>>>> uid=197608(David Dyer-Bennet) gid=197121(None)
>>>> groups=197121(None),197609(Ssh
>>>> Users),545(Users),4(INTERACTIVE),66049(CONSOLE LOGON),11(Authenticated
>>>> Users),15(This Organization),113(Local account),66048(LOCAL),262154(NTLM
>>>> Authentication),401408(Medium Mandatory Level)
>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>> $ ls -ld .
>>>> drwxrwxr-x+ 1 Unknown+User Unix_Group+1001 0 May 29 11:55 .
>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>> $ getfacl .
>>>> # file: .
>>>> # owner: Unknown+User
>>>> # group: Unix_Group+1001
>>>> user::rwx
>>>> group::rwx
>>>> other:r-x
>>>> default:user::rwx
>>>> default:group::rwx
>>>> default:group:Unix_Group+1001:rwx
>>>> default:mask:rwx
>>>> default:other:r-x
>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>> $ echo something > foobar
>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>> $ ls -l foobar
>>>> ----r--r-- 1 Unknown+User Unix_Group+1001 10 May 29 12:11 foobar
>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>> $ getfacl foobar
>>>> # file: foobar
>>>> # owner: Unknown+User
>>>> # group: Unix_Group+1001
>>>> user::---
>>>> group::r--
>>>> other:r--
>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>> $ echo more >> foobar
>>>> -bash: foobar: Permission denied
>>>
>>> See Cygwin User's Guide section on Switching the user context:
>>> $ cygstart
>>> /usr/share/doc/cygwin-2.8.0/html/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
>>> OR
>>> $ cygstart https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
>>
>> That appears to be instructions on how to temporarily, in code, act as
>> another user.  My problem is that when I create a Bash shell, it
>> accesses network drives as the wrong user.  It may be possible for me to
>> write a version of Bash that switches to the right (default) user using
>> that information, but why is it *necessary*?  Local drives are accessed
>> fine.
> 
> That is the description of what Cygwin does to emulate a user context
> for remote access to shares - you may want to set up and try methods 1,
> 2, and 3 to see what works with your network shares.

It's never been necessary before; why is it suddenly necessary now?
And, again, what it is describing is how to do that *temporarily in
code*, not permanently at the command line.

> First step may be to change or remap your userid to one not containing
> spaces using /etc/passwd; see
> 	https://cygwin.com/faq.html#faq.setup.name-with-space
> then
> 	https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-samba

Instructions are bad, they refer (in 2.16) to a nonexistent windows
management tool "GUI user manager".  The actual tool, the "local users
and groups" tool within "computer management", has no facility to change
a username.
-- 
David Dyer-Bennet <dd-b@dd-b.net>
http://dd-b.net/


* Re: Accessing SMB share as wrong user?
  2017-05-30  7:39         ` David Dyer-Bennet
@ 2017-05-30  8:21           ` Brian Inglis
  2017-05-30 16:47           ` Andrey Repin
  1 sibling, 0 replies; 11+ messages in thread
From: Brian Inglis @ 2017-05-30  8:21 UTC (permalink / raw)
  To: cygwin

On 2017-05-29 22:15, David Dyer-Bennet wrote:
> On 5/29/2017 22:49, Brian Inglis wrote:
>> On 2017-05-29 12:37, David Dyer-Bennet wrote:
>>> On 5/29/2017 12:45, Brian Inglis wrote:
>>>> On 2017-05-29 11:16, David Dyer-Bennet wrote:
>>>>> A simpler case demonstrating this; X0 is a new share (created just
>>>>> for testing this) with no prior history, nothing manually set.
>>>>> (Server is FreeNAS, current version).
>>>>> From the beginning, when it first sees it, it shows the file owners 
>>>>> and groups weirdly.
>>>>> And then it's able to create a file and write to it *once*, but
>>>>> can't then append to it???
>>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>>> $ id
>>>>> uid=197608(David Dyer-Bennet) gid=197121(None)
>>>>> groups=197121(None),197609(Ssh
>>>>> Users),545(Users),4(INTERACTIVE),66049(CONSOLE LOGON),11(Authenticated
>>>>> Users),15(This Organization),113(Local account),66048(LOCAL),262154(NTLM
>>>>> Authentication),401408(Medium Mandatory Level)
>>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>>> $ ls -ld .
>>>>> drwxrwxr-x+ 1 Unknown+User Unix_Group+1001 0 May 29 11:55 .
>>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>>> $ getfacl .
>>>>> # file: .
>>>>> # owner: Unknown+User
>>>>> # group: Unix_Group+1001
>>>>> user::rwx
>>>>> group::rwx
>>>>> other:r-x
>>>>> default:user::rwx
>>>>> default:group::rwx
>>>>> default:group:Unix_Group+1001:rwx
>>>>> default:mask:rwx
>>>>> default:other:r-x
>>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>>> $ echo something > foobar
>>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>>> $ ls -l foobar
>>>>> ----r--r-- 1 Unknown+User Unix_Group+1001 10 May 29 12:11 foobar
>>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>>> $ getfacl foobar
>>>>> # file: foobar
>>>>> # owner: Unknown+User
>>>>> # group: Unix_Group+1001
>>>>> user::---
>>>>> group::r--
>>>>> other:r--
>>>>> David Dyer-Bennet@DDB4 //fsfs/x0
>>>>> $ echo more >> foobar
>>>>> -bash: foobar: Permission denied
>>>>
>>>> See Cygwin User's Guide section on Switching the user context:
>>>> $ cygstart
>>>> /usr/share/doc/cygwin-2.8.0/html/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
>>>> OR
>>>> $ cygstart https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
>>>
>>> That appears to be instructions on how to temporarily, in code, act as
>>> another user.  My problem is that when I create a Bash shell, it
>>> accesses network drives as the wrong user.  It may be possible for me to
>>> write a version of Bash that switches to the right (default) user using
>>> that information, but why is it *necessary*?  Local drives are accessed
>>> fine.
>>
>> That is the description of what Cygwin does to emulate a user context
>> for remote access to shares - you may want to set up and try methods 1,
>> 2, and 3 to see what works with your network shares.
> 
> It's never been necessary before; why is it suddenly necessary now?

It may be because there were major changes a few? releases ago, to use
SAM and AD info and eliminate the need for or use of passwd and group,
support nsswitch to customize this, support some customizations allowed
with passwd and group in another manner, and support POSIX and Windows
ACLs.

> And, again, what it is describing is how to do that *temporarily in
> code*, not permanently at the command line.

It tells you how Cygwin implements security, how to change your
environment to use those mapping methods to get access to network
shares, the impact, and tradeoffs you may have to make. It describes
setting up LSA authentication using cyglsa-config, and using passwd -R,
optionally with cygserver, to get access to network shares, and for
other uses.

>> First step may be to change or remap your userid to one not containing
>> spaces using /etc/passwd; see
>> 	https://cygwin.com/faq.html#faq.setup.name-with-space
>> then
>> 	https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-samba
> 
> Instructions are bad, they refer (in 2.16) to a nonexistent windows
> management tool "GUI user manager".  The actual tool, the "local users
> and groups" tool within "computer management", has no facility to change
> a username.

Then recreate /etc/passwd and /etc/group, and change what you need, as
long as it does not cause a Cygwin conflict with what is in SAM or AD.

I am well aware not everything got easier with W7 and W10 changes.
Controls and features that could easily be abused by idiots or malware
were removed, and replaced by more restrictions, commands, registry
manipulation tools, and languages, that made many things harder to do,
unless the available GUI did all that you wanted, and you have the
privilege to do so. I have some scripts to do from the unprivileged
command line what I can otherwise do only via a GUI run as admin!

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada


* Re: Accessing SMB share as wrong user?
  2017-05-30  7:39         ` David Dyer-Bennet
  2017-05-30  8:21           ` Brian Inglis
@ 2017-05-30 16:47           ` Andrey Repin
  1 sibling, 0 replies; 11+ messages in thread
From: Andrey Repin @ 2017-05-30 16:47 UTC (permalink / raw)
  To: David Dyer-Bennet, cygwin

Greetings, David Dyer-Bennet!

>> First step may be to change or remap your userid to one not containing
>> spaces using /etc/passwd; see
>>       https://cygwin.com/faq.html#faq.setup.name-with-space
>> then
>>       https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-samba

> Instructions are bad, they refer (in 2.16) to a nonexistent windows
> management tool "GUI user manager".  The actual tool, the "local users
> and groups" tool within "computer management", has no facility to change
> a username.

Documentation refers to a full version of the tool - lusrmgr.msc.


-- 
With best regards,
Andrey Repin
Tuesday, May 30, 2017 17:29:42

Sorry for my terrible english...


