I've got it almost all working except newly created files & directories always have the group "root," though they have the correct owner (the unix logged in user). After the file or dir is created, chown or chgrp do work, so that I can change the group from root to my desired group, but I can't get it to happen by default when the file gets created.

I have read the manual and the "Advanced" page 20 times, I've tried all kinds of permutations. I am now more confused than ever.

I'm using Linux Mint 13 and have installed the standard package (latest version from January 2012).

I am using the .NTFS-3g/UserMapping file, and it seems to be ok, because the group and owner of pre-existing files gets mapped & displayed correctly.

The mount point directory listing (before mounting) looks as follows:
drwxrwsrwx 1 myusername mygroupname 8192 Jun 9 16:57 IBM500G

The mount command is as as follows:
sudo ntfs-3g -o permissions,inherit,windows_names,locale=en_US.UTF-8 /dev/sdb1 /media/IBM500G/

But then, logged in as me, not root:
cat xxx > myNewFile.txt
ls -l
results in
-rw-rw-rw- 1 myusername root 736 Jun 9 17:48 myNewFile.txt

I can then do
chgrp mygroupname myNewFile.txt
ls -l
which results in
-rw-rw-rw- 1 myusername mygroupname 736 Jun 9 17:48 myNewFile.txt

What could I be missing so that the 'cat xxx > myNewFile.txt' produces a file with ownership myusername:mygroupname in the first place, so that I don't need to do the subsequent chgrp?
Thanks.

Hi,


Please post your UserMapping file. You can hide the middle numbers is the SIDs if you wish (but not really useful).

You are using the Windows inheritance scheme, so the permissions depend on how the parent directories are configured. However this should have no effect on owner and group.
Can you make a try without the inherit option ?

Please post the output of the command "id" in the same conditions as when creating a new file.

If the group is correct when you remove the inherit option, please indicate which Windows version was used to create the parent directory, and post the ACL of the parent directory and the one of a file created with the inherit option.


Regards

Jean-Pierre

Hi,
Thank you for the quick response.

UserMapping file:
# Generated by usermap for Windows, v 1.1.2
# For Windows account "myname" in domain "JQUAD"
# Replace "user" and "group" hereafter by matching Linux login
myname::S-1-5-21-299502267-1614895754-839522115-1003
mywife::S-1-5-21-299502267-1614895754-839522115-1004
urfamily:S-1-5-21-299502267-1614895754-839522115-513
urfamily:S-1-5-21-299502267-1614895754-839522115-1006
#:ourfamily:S-1-5-32-544

Note: I believe the first "ourfamily" above is the relevant one to this discussion. The second "ourfamily" was from files from another drive. (If possible I'd like to have one UserMapping file for all my drives instead of having to customize for each one).


Result of `id`:
$ id
uid=1000(myname) gid=1000(myname) groups=1000(myname),4(adm),6(disk),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),111(vboxusers),127(sambashare),1002(ourfamily)


Trying it without inherit:
$ sudo ntfs-3g -o permissions,windows_names,locale=en_US.UTF-8 /dev/sdb1 /media/IBM500G/
ls -l > fileNoInherit.txt
ls -l
-rw-r--r-- 1 root root 510 Jun 10 09:51 fileNoInherit.txt

Result: now neither the group nor the owner are correct.


Permissions were initially set in Windows XP, all latest patches applied. That system, however, crashed, and I don't have "quick access" to it. I do have an image backup, however, and can restore from disk image if you need me to do experiments.

One point that may or may not be significant: I saw in a forum post that the group "Everyone" may cause problems. At first I was not getting access to read the files from unix at all, and I "solved" the issue by, in Windows, at the top level of the drive, adding the group Everyone and giving it Full Control, along with checking the box for "Replace permission entries on all child objects ..."

I don't know why I did the following, but I thought it would not hurt and would "look cleaner" -- in Windows, I removed every other group except ourfamily and Everyone, giving both groups "Full access" and checking both "Inherit from parent.." and the "Replace...on all child objects.." checkboxes.



Results of secaudit
--------------------
(1) Unmount and remount using the inherit option.
(1a) Parent directory
$ ls -l ..
drwxrwsrwx 1 myname ourfamily 8192 Jun 10 09:54 IBM500G

$ sudo ntfs-3g.secaudit -v /media/IBM500G/
secaudit 1.3.22 : NTFS security data auditing
Directory /media/IBM500G/
000000 01000490 a8000000 c4000000 00000000
000010 14000000 02009400 06000000 01091400
000020 20000000 01010000 00000001 00000000
000030 00032400 ff011f00 01050000 00000005
000040 15000000 bb0ada11 8a5a4160 43170a32
000050 eb030000 00031400 ff011200 01010000
000060 00000001 00000000 00031800 bf011f00
000070 01020000 00000005 20000000 20020000
000080 00031400 bf011f00 01010000 00000005
000090 12000000 00041400 02000000 01010000
0000a0 00000000 00000000 01050000 00000005
0000b0 15000000 bb0ada11 8a5a4160 43170a32
0000c0 eb030000 01050000 00000005 15000000
0000d0 bb0ada11 8a5a4160 43170a32 01020000
Computed hash : 0xd5ae1f9d
Windows attrib : 0x36
Interpreted Unix owner 1000, group 1002, mode 02777
No errors were found


(1b) File created with inherit option
$ ls -l myNewFile.txt
-rw-rw-rw- 1 myname root 569 Jun 10 09:54 myNewFile.txt

$ sudo ntfs-3g.secaudit -v myNewFile.txt
secaudit 1.3.22 : NTFS security data auditing
File myNewFile.txt
000000 01000480 94000000 b0000000 00000000
000010 14000000 02008000 05000000 01001400
000020 20000000 01010000 00000001 00000000
000030 00002400 ff011f00 01050000 00000005
000040 15000000 bb0ada11 8a5a4160 43170a32
000050 eb030000 00001400 ff011200 01010000
000060 00000001 00000000 00001800 bf011f00
000070 01020000 00000005 20000000 20020000
000080 00001400 bf011f00 01010000 00000005
000090 12000000 01050000 00000005 15000000
0000a0 bb0ada11 8a5a4160 43170a32 eb030000
0000b0 01020000 00000005 20000000 20020000
Computed hash : 0x2737ef68
Windows attrib : 0x20
Interpreted Unix owner 1000, group 0, mode 0666
No errors were found

(2) Unmount and remount without the inherit option.
(2a) Parent directory
$ ls -l ..
drwxrwsrwx 1 myname ourfamily 8192 Jun 10 09:54 IBM500G (same result as w/inherit)

$ sudo ntfs-3g.secaudit -v /media/IBM500G/ (same same result as w/inherit)
secaudit 1.3.22 : NTFS security data auditing
Directory /media/IBM500G/
000000 01000490 a8000000 c4000000 00000000
000010 14000000 02009400 06000000 01091400
000020 20000000 01010000 00000001 00000000
000030 00032400 ff011f00 01050000 00000005
000040 15000000 bb0ada11 8a5a4160 43170a32
000050 eb030000 00031400 ff011200 01010000
000060 00000001 00000000 00031800 bf011f00
000070 01020000 00000005 20000000 20020000
000080 00031400 bf011f00 01010000 00000005
000090 12000000 00041400 02000000 01010000
0000a0 00000000 00000000 01050000 00000005
0000b0 15000000 bb0ada11 8a5a4160 43170a32
0000c0 eb030000 01050000 00000005 15000000
0000d0 bb0ada11 8a5a4160 43170a32 01020000
Computed hash : 0xd5ae1f9d
Windows attrib : 0x36
Interpreted Unix owner 1000, group 1002, mode 02777
No errors were found



(2b) File created without inherit option
$ ls -l fileNoInherit.txt
-rw-r--r-- 1 root root 684 Jun 10 10:17 fileNoInherit.txt

$ sudo ntfs-3g.secaudit -v fileNoInherit.txt
secaudit 1.3.22 : NTFS security data auditing
File fileNoInherit.txt
000000 01000490 8c000000 9c000000 00000000
000010 14000000 02007800 05000000 00041800
000020 9f011f00 01020000 00000005 20000000
000030 20020000 00041800 89001200 01020000
000040 00000005 20000000 20020000 00041400
000050 89001200 01010000 00000001 00000000
000060 00041800 bf011f00 01020000 00000005
000070 20000000 20020000 00041400 bf011f00
000080 01010000 00000005 12000000 01020000
000090 00000005 20000000 20020000 01020000
0000a0 00000005 20000000 20020000
Computed hash : 0x907f6d95
Windows attrib : 0x20
Interpreted Unix owner 0, group 0, mode 0644
No errors were found

Thanks for your help.
Jorge

Hi again


This is acceptable. There are two definitions for ourfamily, both SIDs will be interpreted the same way, and only the one ending in 513 will be used when creating files.
The last one, which you have commented, is wrong. Only user-type SID can be mapped.
I recommend adding a final line to catch unmapped users :
::S-1-5-21-299502267-1614895754-839522115-10000


You may keep the one ending in 1006 if you have a real need. Always put the one ending in 513 before.


In this directory the set-group-id bit is set (see the 's' instead of 'x' in the group permissions). This directory was created by Linux (or its permissions were changed by Linux). The set-group-id is a concept which does not exist in Windows, and this causes a bad Windows-type inheritance.


See the permissions as 02777. Was this intentional ?
If intentional, what is the purpose ? This is not compatible with Windows.
If not intentional, do a chmod 0777 (or 0775) on this directory.

As a rule of thumb, use inherit only within directories created by Windows (or from directories created by Linux with Windows inheritance from a directory created by Windows), and do not apply chmod or chown to such directories, this would be contradictory with inheritance.


I have retried this, and I get the expected result (with the set-group-id set on parent directory). This looks like you created the file as root. Can you please retry ?

Regards

Jean-Pierre

Hi again,

I have found another problem : you have mapped your group with the name "ourfamily" :

But on your account, your main group is named "myname", and this is an unmapped group

As it is an unmapped group, root is used instead.

To define ourfamily as your main group, you have to use "useradd" with option -g, you may keep myname as a supplementary group (option -G), but files are always created with the main group.

Regards

Jean-Pierre

Hi,
Aha. I think you've hit it on the nail as to why the group is being set to root on new files -- it's using my unix main group (also called myname) and it's not mapped. I'll explain what I was thinking.

I had set the set-group-id bit on the parent directory and changed it to group ourfamily on purpose. I was trying to follow https://wiki.ubuntu.com/MultiUserManagement. As I understand:
* primary group of created users is by default a user private group (UPG) ... where the primary group of the user has the same name and ID of the user, without the user explicitly listed as a member in /etc/group.
* files are created with GROUP write access by default, and group of new files is either:
* the UPG of the user if the parent's set-group-id is not set
* the parent's group if the parent's set-group-id is set.
* Thus, to create a shared workspace/directory, one changes the group of the directory and sets the set-group-id bit. Any new files created in that directory then get owner=me group=that directory's group, and everyone in the group gets write access to the directory.

My needs are not overly complex, I hope. I need to have private directories, and shared directories for any given group. Any person in the group should by default have write access to the shared directory as well as to all files created in that shared directory. My primary working OS is now linux, but the drive needs to be readable (and permissions respected) by Windows users in a dual-boot system. Thus the need for NTFS.

A UPG system is good enough for me -- I don't need all the complexity/flexibility of Windows or unix ACLs, and seems simpler to manage. So perhaps the question I should be asking is "how do I set up permissions initially in Windows so that the UPG system works when the NTFS drive is accessed through ntfs-3g?" If using UPG is not a good idea, what is the recommended approach?

The 3rd line of the UserMapping file maps "ourfamily" because the -513 is a group called "ourfamily" in Windows. As you noted, in my linux account my main group is "myname", as required by the UPG scheme. I cannot change that, or else the UPG scheme would not work in my unix drives. Also, I did not "map" the group "myname" because the documentation for UserMapping said not to define both a user and a group with the same windows SID.
* So perhaps, and I recognize this sounds and would look weird, I should try to do something similar to UPG in Windows itself, i.e. create a windows group also called myname, so that, in windows there will be a user myname, and also a group called myname. I can then grant group myname access to my directories, and since that group will have a different Windows SID, I can add that to the UserMapping file.


I'm confused by your comment:
"As a rule of thumb, use inherit only within directories created by Windows (or from directories created by Linux with Windows inheritance from a directory created by Windows), and do not apply chmod or chown to such directories, this would be contradictory with inheritance."

* If I use inherit at the very top level of the drive, and "Replace...on all child objects..", then every directory created on that drive ever after would have "inherit." If I want to change which group has access rights to an NTFS directory, then I would have to turn off inherit (is there a way to do that from within Linux?). But if I can't use chown, so that I can't change the "group" of a directory, how do I then change which group has access rights to an NTFS directory from within Linux?
* If I don't mount with inherit, then right now the owner of all new files is root.
> This looks like you created the file as root. Can you please retry ?
I created that file logged in as me, not root. I just retried it and it happened again -- if I mount without inheritance, the owner of a new file is root. I verified with `whoami`.

Finally, I will add a final line to UserMapping per your recommendation.
Thanks!
Jorge

Hi,


Ok, this is reasonable.

Do you have the same groups on Windows (myname, mywife and ourfamily) or do you have a single group (ourfamily), in which case the groups myname and mywife will give no access on Windows ?

You may map myname to a different SID, normally the main group defined in Windows for the same user. If you put a default mapping line, you will get an artificial SID which will not be honored by Windows.

That is worth trying, however an upgrade is necessary to implement the UPG scheme in ntfs-3g. Can you recompile ntfs-3g if I send you a patch ?
If you have the Posix ACLs enabled (this is shown if you type "ntfs-3g --help"), you can get the same behavior as UPG by setting a second group inheritance in the parent directory (do not use the inherit option) :


Probably not, the Windows dynamic inheritance will be stopped at directories not acknowledging Windows-type inheritance. If you want that, all directories must be created "the Windows way".

Then something else is wrong or buggy (I assume the UserMapping file is present and unchanged). In the ACL you sent, the file appears as owned by root or by an unmapped user. Is this related to using the set-group-id flags ? Do you get warnings in your syslog file ?

Regards

Jean-Pierre

Hi,

As of now, I only have a single group "ourfamily". Also, in Windows, I added group "Everyone", with Full Access, to all files and directories,


I am not a developer, but I can do ./configure && make && checkinstall, or 'cmake .' && make as necessary.


Looks like I don't have them enabled.
$ ntfs-3g --help
ntfs-3g 2012.1.15AR.1 external FUSE 28 - Third Generation NTFS Driver
Configuration type 7, XATTRS are on, POSIX ACLS are on
Copyright (C) 2005-2007 Yura Pakhuchiy
Copyright (C) 2006-2009 Szabolcs Szakacsits
Copyright (C) 2007-2011 Jean-Pierre Andre
Copyright (C) 2009 Erik Larsson
Usage: ntfs-3g [-o option[,...]] <device|image_file> <mount_point>
Options: ro (read-only mount), remove_hiberfile, uid=, gid=,
umask=, fmask=, dmask=, streams_interface=.
Please see the details in the manual (type: man ntfs-3g).

Also, what linux command would I use to "set the second group inheritance in the parent directory"?



But if from the very top, I do "Replace.. on all child objects..", wouldn't every directory created under that tree also have windows inheritance by default, unless I explicitly turn it off?


The UserMapping file is present and unchanged. What could be wrong? One wild guess: as shown above ntfs-3g --help did not show the permissions option?

Hi,


You will not need much more.


Yes, you have : see "POSIX ACLS are on"

It is setfacl, I gave the full command in my previous post. This is not compatible with the inherit option. Also you must not use the option permissions (no specific option needed).

Probably not, it could damage the permissions defined by Linux.

The only way I can get this is when either the owner or the group is unmapped. Did you map the *group* myname with either an explicit SID different from the ones being used, or by appending a default mapping (the one ending with 10000) to catch unmapped users and groups ?

Regards

Jean-Pierre