ntfs user mappings?

ntfs user mappings?

Samba - General mailing list
I have Linux machines joined to my AD domain using winbind.
I have Windows Pro machines joined to AD normally.
I would like it so that when a user writes to an NTFS removable disk,
when I mount it on my Linux machines it follows the permissions.
Is that possible?
I use ntfs-3g to mount the partition. I see there is a command,
ntfs-3g.usermap, and wonder if that might work.
Is there a command like it to get the usermap from AD?
I'm curious whether, when I write to the disk from Linux machines, it
shows proper ownership on my Windows machines.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: ntfs user mappings?

Samba - General mailing list
Oooh, I think I could write a script to do what ntfs-3g.usermap does using
LDAP. :-) If something doesn't already exist.
I think the ntfs-3g man page gives the format.

On Fri, Nov 3, 2017 at 1:19 PM, Jeff Sadowski <[hidden email]> wrote:



Re: ntfs user mappings?

Samba - General mailing list
Just get objectSid and use this:

https://blogs.msdn.microsoft.com/oldnewthing/20040315-00/?p=40253

On Fri, Nov 3, 2017 at 1:32 PM, Jeff Sadowski <[hidden email]> wrote:



Re: ntfs user mappings?

Samba - General mailing list
On Fri, 3 Nov 2017 13:53:22 -0600
Jeff Sadowski via samba <[hidden email]> wrote:

> just get objectsid and use this
>
> https://blogs.msdn.microsoft.com/oldnewthing/20040315-00/?p=40253

Why ???

From reading the manpage, you need a usermap like this:

    john::S-1-5-21-3141592653-589793238-462643383-1008
    mary::S-1-5-21-3141592653-589793238-462643383-1009
    :smith:S-1-5-21-3141592653-589793238-462643383-513
    ::S-1-5-21-3141592653-589793238-462643383-10000

Note the third one is obviously wrong: the RID is '513', so 'smith'
should be 'Domain Users'.

So all you need is the user or groups name and a simple script to
extract the objectSid.

Rowland



Re: ntfs user mappings?

Samba - General mailing list
On Fri, Nov 3, 2017 at 2:43 PM, Rowland Penny <[hidden email]> wrote:
> On Fri, 3 Nov 2017 13:53:22 -0600
> Jeff Sadowski via samba <[hidden email]> wrote:
>
>> just get objectsid and use this
>>
>> https://blogs.msdn.microsoft.com/oldnewthing/20040315-00/?p=40253
>
> Why ???
>

So that when someone on a Linux machine writes to the disk and they open
it up on a Windows machine, it will show it was written by the same
person (or vice versa).

Anyway, it is a bit more complicated, as I know objectSid is in
base64, not just hex, so I'll have to do a little more work than I
thought. It is, however, a fun exercise.

> From reading the manpage, you need a usermap like this:
>
>     john::S-1-5-21-3141592653-589793238-462643383-1008
>     mary::S-1-5-21-3141592653-589793238-462643383-1009
>     :smith:S-1-5-21-3141592653-589793238-462643383-513
>     ::S-1-5-21-3141592653-589793238-462643383-10000
>
> Note the third one is obviously wrong, the RID is '513', so 'smith'
> should be 'Domain Users'

I don't know about you, but I use RFC2307;
it doesn't matter what the SID is for it to map to my Linux machines.

>
> So all you need is the user or groups name and a simple script to
> extract the objectSid.
>
> Rowland
>


Re: ntfs user mappings?

Samba - General mailing list
On Fri, 3 Nov 2017 14:52:45 -0600
Jeff Sadowski <[hidden email]> wrote:

> On Fri, Nov 3, 2017 at 2:43 PM, Rowland Penny <[hidden email]>
> wrote:
> > On Fri, 3 Nov 2017 13:53:22 -0600
> > Jeff Sadowski via samba <[hidden email]> wrote:
> >
> >> just get objectsid and use this
> >>
> >> https://blogs.msdn.microsoft.com/oldnewthing/20040315-00/?p=40253
> >
> > Why ???
> >
>
> So that when someone on a linux machine writes to disk and they open
> it up on a windows machine it will show it was written by the same
> person. (or vise versa)
>
> Anyways it is a bit more complicated as I know objectSid it is in
> base64 not just hex so I'll have to do a little more work than I
> though. It is however a fun exercise.

Use ldb-tools ;-)

You get:

dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
..............
objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
sAMAccountName: rowland
uidNumber: 10000

>
> > From reading the manpage, you need a usermap like this:
> >
> >     john::S-1-5-21-3141592653-589793238-462643383-1008
> >     mary::S-1-5-21-3141592653-589793238-462643383-1009
> >     :smith:S-1-5-21-3141592653-589793238-462643383-513
> >     ::S-1-5-21-3141592653-589793238-462643383-10000
> >
> > Note the third one is obviously wrong, the RID is '513', so 'smith'
> > should be 'Domain Users'
>
> I don't know about you but I use RFC2307
> it doesn't matter what the SID is for it to map to my linux machines.

Well yes, if you use the winbind 'ad' backend it doesn't, but if you
use the 'rid' backend it does. However, user rowland will have the SID
'S-1-5-21-1768301897-3342589593-1064908849-1107' on Windows, but will
get the uidNumber '10000' on Linux. So from my reading of the ntfs-3g
manpage, the usermap would need a line like this:

  rowland::S-1-5-21-1768301897-3342589593-1064908849-1107

and from this, I understand that both Windows and Linux would know who
'rowland' is. I could be wrong though, mainly because I haven't tried
it.

Rowland



Re: ntfs user mappings?

Samba - General mailing list
That looks easier.

I was working on LDAP to convert, but I'll try ldb-tools.

I was off on a bash mission; here is what I had so far. It isn't correct,
so I'll keep working on it.

#!/bin/bash
if [ "$(echo $1|wc -c)" = "41" ];then
  hex=$(echo $1|base64 -d| od -x -w28 --endian=big|head -n1|sed 's/^0000000 //'|sed 's/ //g')
  echo ${hex}
  hex_chunk=$(echo ${hex}|cut -c1-2);
  echo ${hex_chunk}
  rev=$(echo "ibase=16; ${hex_chunk}" | bc)
  hex_chunk=$(echo ${hex}|cut -c3-4)
  echo ${hex_chunk}
  dashes=$(echo "ibase=16; ${hex_chunk}" | bc)
  hex_chunk=$(echo ${hex}|cut -c5-16)
  echo ${hex_chunk}
  notsure=$(echo "ibase=16; ${hex_chunk}" | bc)
  hex_chunk=$(echo ${hex}|cut -c17-24)
  echo ${hex_chunk}
  issuer1=$(echo "ibase=16; ${hex_chunk}" | bc)
  hex_chunk=$(echo ${hex}|cut -c25-32)
  echo ${hex_chunk}
  issuer2=$(echo "ibase=16; ${hex_chunk}" | bc)
  hex_chunk=$(echo ${hex}|cut -c33-40)
  echo ${hex_chunk}
  issuer3=$(echo "ibase=16; ${hex_chunk}" | bc)
  hex_chunk=$(echo ${hex}|cut -c41-48)
  echo ${hex_chunk}
  issuer4=$(echo "ibase=16; ${hex_chunk}" | bc)
  hex_chunk=$(echo ${hex}|cut -c49-57)
  uid=$(echo "ibase=16; ${hex_chunk}" | bc)
  left=$(echo ${hex}|cut -c58-)
  echo "[${left}]"
  echo "S-${rev}-${dashes}-${notsure}-${issuer1}-${issuer2}-${issuer3}-${issuer4}-${uid}"
else
  echo $1
  echo "not 41 characters like I was expecting"
fi


On Fri, Nov 3, 2017 at 3:14 PM, Rowland Penny <[hidden email]> wrote:



Re: ntfs user mappings?

Samba - General mailing list
On Fri, 3 Nov 2017 16:25:57 -0600
Jeff Sadowski <[hidden email]> wrote:


Hmm, you could do this instead:

#!/bin/bash

## Get users object into $1 with ldbsearch

SID=$(echo $1 | grep 'objectSid:' | awk '{print $NF}')
echo "$SID"

Which would result in something like this:

S-1-5-21-1768301897-3342589593-1064908849-1107

Rowland


Re: ntfs user mappings?

Samba - General mailing list
. DOMAIN_ADMIN_PASSWD.sh
echo ${PASSWD} | kinit ${ADMIN}@${DOMAIN}
echo -n > /etc/ntfs-3g.usermap
for DOMAIN_USER in $(wbinfo -u);do
 RPCLOOKUPID=$(rpcclient -P -c "lookupnames ${DOMAIN_USER}" ${DOMAIN})
 if [ "${RPCLOOKUPID:0:7}" != "ERROR: " ] && [ "${RPCLOOKUPID:0:7}" != "Failed " ];then
  SID=$(echo ${RPCLOOKUPID}|awk '{print $2}')
  echo ${DOMAIN_USER}::${SID} >> /etc/ntfs-3g.usermap
 fi
done
for DOMAIN_GROUP in $(wbinfo -g);do
 RPCLOOKUPID=$(rpcclient -P -c "lookupnames ${DOMAIN_GROUP}" ${DOMAIN})
 if [ "${RPCLOOKUPID:0:7}" != "ERROR: " ] && [ "${RPCLOOKUPID:0:7}" != "Failed " ];then
  SID=$(echo ${RPCLOOKUPID}|awk '{print $2}')
  echo :${DOMAIN_GROUP}:${SID} >> /etc/ntfs-3g.usermap
 fi
done

On Sat, Nov 4, 2017 at 3:21 AM, Rowland Penny via samba
<[hidden email]> wrote:



Re: ntfs user mappings?

Samba - General mailing list
I decided to continue trying the ldap route as well

littlehex2int()
{
 hex=$1
 hex_chunk=$(echo ${hex}|cut -c$2-$3)
 little=$(echo ${hex_chunk}|awk '{print substr($0,7,2)substr($0,5,2)substr($0,3,2)substr($0,1,2)}')
 echo "ibase=16; ${little}" | bc
}

base64_to_sid()
{
OBJECTSID="$1"
hex=$(echo ${OBJECTSID}|base64 -d|od -A n -x -w28 --endian=big|sed 's/ //g'|awk '{print toupper($1)}')
hex_chunk=$(echo ${hex}|cut -c1-2);
rev=$(echo "ibase=16; ${hex_chunk}" | bc)
hex_chunk=$(echo ${hex}|cut -c3-4)
dashes=$(echo "ibase=16; ${hex_chunk}" | bc)
hex_chunk=$(echo ${hex}|cut -c5-16)
notsure=$(echo "ibase=16; ${hex_chunk}" | bc)
nonuniq=$(littlehex2int ${hex} 17 24)
issuer1=$(littlehex2int ${hex} 25 32)
issuer2=$(littlehex2int ${hex} 33 40)
issuer3=$(littlehex2int ${hex} 41 48)
uid=$(littlehex2int ${hex} 49 57)
echo "S-${rev}-${dashes}-${nonuniq}-${issuer1}-${issuer2}-${issuer3}-${uid}"
}

On Sat, Nov 4, 2017 at 4:42 PM, Jeff Sadowski <[hidden email]> wrote:



Re: ntfs user mappings?

Samba - General mailing list
On Sat, 4 Nov 2017 18:42:36 -0600
Jeff Sadowski <[hidden email]> wrote:


How about my version (attached)?

Rowland

Re: ntfs user mappings?

Samba - General mailing list
Not bad but I wanted an ldap version because I was having issues
running ldbsearch as a normal user.

I created the following functions to get it in and out of base64 and hex

swap_endian()
{
# reverse the byte order of a hex string, two characters (one byte) at a time
local input=$1
local output=""
while [ "${input}" != "" ];do
output="${input:0:2}${output}"
input=${input:2}
done
echo $output
}

base64_to_hex()
{
echo $(echo $1|base64 -d|hexdump -ve '/1 "%02x"')
}

hex2sid()
{
# binary SID layout: revision (1 byte), sub-authority count (1 byte),
# identifier authority (6 bytes, big-endian), then 32-bit little-endian
# sub-authorities; this assumes the usual five of a domain user/group SID
local hex=$1
local rev=$((16#${hex:0:2}))
local dsh=$((16#${hex:2:2}))
local ath=$((16#${hex:4:12}))
local sec=$((16#$(swap_endian ${hex:16:8})))
local is1=$((16#$(swap_endian ${hex:24:8})))
local is2=$((16#$(swap_endian ${hex:32:8})))
local is3=$((16#$(swap_endian ${hex:40:8})))
local uid=$((16#$(swap_endian ${hex:48:8})))
echo "S-${rev}-${ath}-${sec}-${is1}-${is2}-${is3}-${uid}"
}

chars()
{
# left-pad $2 with zeros to exactly $1 hex characters
local output="000000000000$2"
local len=${#output}
echo ${output:${len}-$1}
}

sid2hex()
{
 local field=1
 local input=$(echo $1|cut -d- -f2-)
 local test=""
 local output=""
 local integer
 local hex
 # sub-authority count: the dash-separated fields after "S-<rev>-<authority>";
 # the count byte has to come from here, not from the authority value, which
 # only happens to be 5 as well for S-1-5-... SIDs with five sub-authorities
 local count=$(($(echo $1|tr -cd '-'|wc -c)-2))
 while [ "${input}" != "${test}" ];do
  integer=$(echo ${input}|cut -d- -f1)
  hex=$(printf '%x' ${integer})
  if [ "${field}" = "1" ];then
   output=$(chars 2 ${hex})
  elif [ "${field}" = "2" ];then
   output="${output}$(chars 2 $(printf '%x' ${count}))"
   output="${output}$(chars 12 ${hex})"
  else
   output="${output}$(swap_endian $(chars 8 ${hex}))"
  fi
  field=$((${field}+1))
  test=${input}
  input=$(echo ${input}|cut -d- -f2-)
 done
 echo ${output}
}

hex2base64()
{
 local input=$1
 local output=""
 while [ "${input}" != "" ];do
  output="${output}\x${input:0:2}"
  input=${input:2}
 done
 echo -ne "${output}"|base64
}

base64="AQUAAAAAAAUVAAAAoGXPfnhLm1/nfIdwCRwBAA=="
echo ${base64}
ihex=$(base64_to_hex ${base64})
hex2sid ${ihex}
truesid="S-1-5-21-2127521184-1604012920-1887927527-72713"
echo ${truesid}
ohex=$(sid2hex ${truesid})
echo ${ihex}
echo ${ohex}
base64_to_hex ${base64}
hex2base64 ${ohex}
base64=$(hex2base64 ${ohex})

On Sun, Nov 5, 2017 at 12:31 PM, Rowland Penny <[hidden email]> wrote:

> How about my version (attached) ?
>
> Rowland
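The shell functions in the post above slice the objectSid bytes by hand. The same codec in Python is given here as an added example (mine, not code from the thread, Samba or ntfs-3g): the struct module makes the byte layout explicit, the decoder rejects values whose declared sub-authority count does not fit the data, and an RFC 4515 filter builder shows how to search a directory by binary objectSid, which the LDAP route needs. It checks itself against the base64/SID pair Jeff posted; the function names and the is_valid_objectsid helper are my own.

```python
import base64
import re
import struct

# Binary layout of a SID as stored in the AD objectSid attribute (the same bytes
# the shell functions above slice by hand):
#   byte 0       revision, always 1
#   byte 1       number of sub-authorities N (at most 15)
#   bytes 2..7   48-bit identifier authority, big-endian (5 for S-1-5-...)
#   then N x     32-bit sub-authorities, little-endian; the last one is the RID
SID_TEXT_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
MAX_SUB_AUTHORITIES = 15

# The base64 objectSid / SID string pair Jeff used as his test vector.
JEFF_B64 = "AQUAAAAAAAUVAAAAoGXPfnhLm1/nfIdwCRwBAA=="
JEFF_SID = "S-1-5-21-2127521184-1604012920-1887927527-72713"


def sid_bytes_to_text(raw):
    """Decode a binary objectSid into its S-1-... string form.

    The declared sub-authority count is checked against the actual length, so a
    truncated or padded value raises instead of yielding a plausible wrong SID.
    """
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > MAX_SUB_AUTHORITIES or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count %d does not fit %d bytes" % (count, len(raw)))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_text_to_bytes(sid):
    """Encode an S-1-... string back into the binary objectSid form."""
    m = SID_TEXT_RE.match(sid)
    if not m:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    if (revision != 1 or authority >= 1 << 48
            or len(subs) > MAX_SUB_AUTHORITIES or any(s >= 1 << 32 for s in subs)):
        raise ValueError("SID field out of range: %r" % sid)
    # The count byte is the number of sub-authorities, not the authority value;
    # the two only coincide (both 5) for ordinary S-1-5-21-... domain SIDs.
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def objectsid_b64_to_text(b64):
    """LDAP clients usually hand objectSid over base64-encoded; decode that."""
    return sid_bytes_to_text(base64.b64decode(b64))


def sid_text_to_objectsid_b64(sid):
    return base64.b64encode(sid_text_to_bytes(sid)).decode("ascii")


def is_valid_objectsid(raw):
    """True if raw decodes as a well-formed SID."""
    try:
        sid_bytes_to_text(raw)
        return True
    except ValueError:
        return False


def ldap_filter_for_sid(sid):
    """Filter matching the binary objectSid, each byte escaped as \\xx per
    RFC 4515, for searching a directory by SID rather than by name."""
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in sid_text_to_bytes(sid))


if __name__ == "__main__":
    print(objectsid_b64_to_text(JEFF_B64))
    print(sid_text_to_objectsid_b64(JEFF_SID))
    print(ldap_filter_for_sid(JEFF_SID))
```

Deriving the count byte from the number of fields is the point of the encoder: a hand-rolled version that copies the authority value into that slot appears to work on every S-1-5-21 SID and only breaks on SIDs with a different number of sub-authorities, such as the well-known S-1-5-32 builtin aliases.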


Re: ntfs user mappings?

Samba - General mailing list
On Sun, 5 Nov 2017 16:14:33 -0700
Jeff Sadowski <[hidden email]> wrote:

> Not bad but I wanted an ldap version because I was having issues
> running ldbsearch as a normal user.
>

You are probably using the wrong syntax ;-)

you can use use a username and password with:

ldbsearch -H ldap://member1.samdom.example.com -U rowland%xxxxxxxxxx -b
DC=samdom,DC=example,DC=com -s sub
'(&(objectClass=user)(!(objectClass=computer))(sAMAccountName=*))'
sAMAccountName

Where 'xxxxxxxxxx' is the users password.

or with kerberos (provided the user has a valid ticket):

ldbsearch -H ldap://member1.samdom.example.com -k yes
--krb5-ccache=krb5cc_xxxxx -b DC=samdom,DC=example,DC=com -s sub
'(&(objectClass=user)(!(objectClass=computer))(sAMAccountName=*))'
sAMAccountName

Where 'krb5cc_xxxxx' is the user's ticket cache in /tmp/

Rowland


Re: ntfs user mappings?

Samba - General mailing list
On Sun, 5 Nov 2017 16:14:33 -0700
Jeff Sadowski <[hidden email]> wrote:

> Not bad but I wanted an ldap version because I was having issues
> running ldbsearch as a normal user.
>

I had another thought: why am I reinventing the wheel? So I came up with
this:

#!/bin/bash

echo "#######################################################"
echo "#                                                     #"
echo "#      Please Wait whilst Usermap is created.         #"
echo "#                                                     #"
echo "#######################################################"

## Remove any existing usermap
if [ -f  /tmp/ntfs-3g.usermap ]; then
    rm -f /tmp/ntfs-3g.usermap
fi

WBINFO=$(which wbinfo)
if [ -z "${WBINFO}" ]; then
    echo
    echo "Cannot find 'wbinfo', is it installed?"
    echo "Cannot continue...Exiting"
    exit 1
fi

## Get users
ADUSERS=$(${WBINFO} -u)

## Get groups
ADGROUPS=$(${WBINFO} -g)

while IFS= read -r line
do
  SID=$(${WBINFO} -n "$line" | awk '{print $1}')
  echo "$line::$SID" >> /tmp/ntfs-3g.usermap
done <<< "$ADUSERS"

while IFS= read -r line
do
  SID=$(${WBINFO} -n "$line" | awk '{print $1}')
  echo ":$line:$SID" >> /tmp/ntfs-3g.usermap
done <<< "$ADGROUPS"

if [ -f /tmp/ntfs-3g.usermap ]; then
    echo
    echo "Usermap created in /tmp/ntfs-3g.usermap"
    echo
fi

exit 0

Anybody can run this. The only problem was '/etc/': only 'root' can
write into this directory, so I used '/tmp/' instead.

Rowland
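The same usermap build as an added example (not Rowland's script or Samba code), with each lookup validated so a failed 'wbinfo -n' never writes an entry with an empty or malformed SID. fake_wbinfo_n is a constructed stand-in for 'wbinfo -n NAME' with the same "SID SID_TYPE (n)" output shape; the RIDs 1108 and 513 are constructed sample values.

```shell
# Added example, not the list's script: build ntfs-3g.usermap lines in the
# "user::SID" / ":group:SID" format, rejecting lookups that fail or return
# a malformed SID. fake_wbinfo_n is a constructed stand-in for 'wbinfo -n';
# the RIDs 1108 and 513 are constructed sample values.

fake_wbinfo_n() {
    case "$1" in
        jeff)    echo "S-1-5-21-1768301897-3342589593-1064908849-1107 SID_USER (1)" ;;
        rowland) echo "S-1-5-21-1768301897-3342589593-1064908849-1108 SID_USER (1)" ;;
        "domain users")
                 echo "S-1-5-21-1768301897-3342589593-1064908849-513 SID_DOM_GROUP (2)" ;;
        *)       echo "Could not lookup name $1" >&2; return 1 ;;
    esac
}

# Accept only a well-formed domain SID: S-1-5-21-<3 sub-authorities>-<RID>.
valid_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$'
}

# Print one usermap line for ENTRY of KIND (user|group) via LOOKUP command.
# Prints nothing and returns 1 when the lookup fails or the SID is malformed,
# so a bad entry is never silently written with an empty SID.
usermap_line() {
    entry=$1; kind=$2; lookup=$3
    sid=$("$lookup" "$entry" 2>/dev/null | awk '{print $1}')
    if ! valid_sid "$sid"; then
        echo "skipping '$entry': no valid SID ('$sid')" >&2
        return 1
    fi
    if [ "$kind" = user ]; then
        printf '%s::%s\n' "$entry" "$sid"
    else
        printf ':%s:%s\n' "$entry" "$sid"
    fi
}

# Write a usermap for newline-separated USERS and GROUPS to OUT and print the
# number of valid lines written so the caller can compare it with the input.
build_usermap() {
    out=$1; users=$2; groups=$3; lookup=$4
    : > "$out"
    IFS='
'
    for name in $users;  do usermap_line "$name" user  "$lookup" >> "$out" || :; done
    for name in $groups; do usermap_line "$name" group "$lookup" >> "$out" || :; done
    unset IFS
    grep -c . "$out"
}
```

Replace fake_wbinfo_n with wbinfo in the build_usermap call (e.g. `build_usermap /tmp/ntfs-3g.usermap "$(wbinfo -u)" "$(wbinfo -g)" "wbinfo -n"` after wrapping wbinfo -n in a one-line function) to run it against a real winbind.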


Re: ntfs user mappings?

Samba - General mailing list
:-( ntfs-3g needs work.

My mapping must be working, as I see some of the correct users and the ACL
rules look correct. But it looks like ntfs-3g is a bit incomplete, at
least on my Ubuntu 16.04 install.

On Mon, Nov 6, 2017 at 4:29 AM, Rowland Penny via samba
<[hidden email]> wrote:

> On Sun, 5 Nov 2017 16:14:33 -0700
> Jeff Sadowski <[hidden email]> wrote:
>
>> Not bad but I wanted an ldap version because I was having issues
>> running ldbsearch as a normal user.
>>
>
