winfsp / sshfs-win

SSHFS For Windows
https://winfsp.dev

Mounting an Ubuntu FS onto a Windows Host - Access Denied #27

Open dacowan opened 6 years ago

dacowan commented 6 years ago

I'm attempting to mount my Ubuntu system on to my Windows 10 machine. I have installed WinFSP and SSHFS-Win. I have my authorized_keys set up on my remote machine with my public/private key combo, and my .ssh/config is set up (I realize that this option still doesn't work - judging from the open issues list). I'm attempting to mount the file system using the form:

net use v: \\sshfs\domain+localuser=remoteuser@remote.host.com

I am prompted for my user/password for 'sshfs' - which I enter interactively.

The share is mounted correctly and I can read/browse -- but I cannot write to it. "Access is denied"

Any suggestions? (I really want this to work - this would cut hours per week off my work pipeline)

billziss-gh commented 6 years ago

Does remoteuser have write permissions on the served directories/files?

dacowan commented 6 years ago

Yes. At least, he should have - mounting without a remote path appears to mount at the root of the remoteusers home folder.

billziss-gh commented 6 years ago

@dacowan can you run the command

> "C:\Program Files (x86)\WinFsp\bin\fsptool-x64.exe" perm FILE

where FILE is one of the files/directories that you cannot write?

dacowan commented 6 years ago

I'm not clear on the format of that command... I may be doing it wrong.

I opened a windows command prompt, navigated to V:\ (the root mapping to which the folder is mapped on my Ubuntu server)

V:> "C:\Program Files (x86)\WinFsp\bin\fsptool-x64.exe" perm testfile.txt

There was no output to the terminal.

billziss-gh commented 6 years ago

I believe the command looks for a backslash (\) to determine that it should look for path permissions.

Try it like this:

V:> "C:\Program Files (x86)\WinFsp\bin\fsptool-x64.exe" perm .\testfile.txt

dacowan commented 6 years ago

Ah, that works.

O:SYG:SYD:P(A;;0x1f019f;;;SY)(A;;0x12018f;;;SY)(A;;FR;;;WD) (perm=18:18:0664)

billziss-gh commented 6 years ago

Ok, it is not clear why, but permissions are only given to the LocalSystem account and not your user.

Does the following (without the domain+localuser part) not work? By default it should detect the user that mounts the file system and give it proper permissions. This works if the user who executes the net use command is also the user granted access.

net use v: \\sshfs\remoteuser@remote.host.com

dacowan commented 6 years ago

OK, something different now. I disconnected the drive (net use v: /delete) and flushed the credentials from the Windows Credentials Manager. I reconnected without the local domain/user information. I was prompted for user/pass and I used the username and password for the remote Ubuntu machine.

fsptool reports O:S-1-0-65534G:DUD:P(A;;0x1f019f;;;S-1-0-65534)(A;;0x12018f;;;DU)(A;;FR;;;WD) (perm=65534:1049089:0664)

I still don't have write permissions, however.

billziss-gh commented 6 years ago

SSHFS-Win includes a small wrapper program that is supposed to correctly determine the user who is mounting the file system and launch SSHFS so that permissions are properly granted to that user. Clearly this program (sshfs-win.c) must be failing.

There may be something special about your domain that makes this getpasswd call fail.

An alternative might be to try to launch sshfs from the command line, where you have all its options available.

> C:\Program Files\SSHFS-Win\bin\sshfs.exe

The -o idmap=user option is often all that is needed to properly map the local to the remote user. Other options can be found in the SSHFS man page. [man sshfs]

dacowan commented 6 years ago

So, this is interesting... I think it may be something to do with the way the system is locked down by the domain admins -- or something related to user rights... I'm on a fairly tight corporate domain.

sshfs username@remotehost.com:/home/username v: -oidmap=user -onomap=ignore -d
Could not create directory '/c/Program Files/SSHFS-Win/home/localusername/.ssh'.
The authenticity of host 'remotehost (***.***.***.*** ip address removed)' can't be established.
ECDSA key fingerprint is SHA256:<snip>.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/c/Program Files/SSHFS-Win/home/localusername/.ssh/known_hosts).
username@remotehost.com's password:
dup() in/out/err failed
read: Connection reset by peer

I find it interesting that sshfs is trying to make a home directory below my bin folder - this has something to do with cygwin, I believe?

Does any of this help?

tozachroberts commented 6 years ago

This is a useful thread. I am having a similar, but not identical, issue with "Access is denied" errors. I can successfully mount, but cannot access anything (not read-only, nor read-write) on the mounted drive.

Using the fsptool, it looks like the local username mapping of sshfs-win.c is failing in my case as well.

```
C:\WINDOWS\system32>whoami /user

USER INFORMATION

User Name            SID
==================== ===================================================
graycon_chi\zroberts S-1-12-1-1572753831-1209900123-1627014284-187873716
```

C:\Program Files (x86)\WinFsp\bin>fsptool-x64.exe perm Z:\
O:S-1-5-1-0G:S-1-5-1-0D:P(A;;0x1f0198;;;S-1-5-1-0)(A;;0x120088;;;S-1-5-1-0)(A;;0x120088;;;WD) (perm=4096:4096:0000)

I am assuming that O:S-1-5-1-0 means that the drive is mounted as some local System user and clearly not my domain user with the S-1-12-1... id? Any thoughts on how to force a particular user to be the owner of a mount?

dacowan commented 6 years ago

OK, more info. I tried this same mapping from my personal machine at home to the Ubuntu host, and all works well. The fsp-tool correctly reports my local user GUID.

I suspect it's something to do with the way in which my account/PC has been locked down within the corporate domain.

I'm going to give it a go on my corporate laptop to see if there are any differences.

Oh... here's a thought - could this be something to do with the fact that I don't actually have CygWin installed? All of my bash/linux tools are coming from my "Git for Windows" install - including the 'ssh' executable.

When I run sshfs directly, with debug output enabled -- I get the following

```
sshfs remoteuser@remotehost.com: v: -o idmap=user -o sshfs_debug -o nomap=error -d

SSHFS version 2.7
executing <-x> <-a> <-oClearAllForwardings=yes> <-2> remoteuser@remotehost.com <-s>
remoteuser@remotehost.com's password:
dup() in/out/err failed
read: Connection reset by peer
```

dacowan commented 6 years ago

Just tried this on my corporate laptop, and it's exactly the same.

I got a little further with using sshfs directly... I was missing some options.

sshfs remoteuser@remotehost.com: v: -o idmap=user -o sshfs_debug -o nomap=ignore -ofstypename=SSHFS -o Compression=no
SSHFS version 2.7
remoteuser@remotehost.com's password:
Server version: 3
Extension: posix-rename@openssh.com <1>
Extension: statvfs@openssh.com <2>
Extension: fstatvfs@openssh.com <2>
Extension: hardlink@openssh.com <1>
Extension: fsync@openssh.com <1>

It connected the drive correctly, but still the same user ID results

O:S-1-0-65534G:S-1-0-65534D:P(A;;0x1f019f;;;S-1-0-65534)(A;;0x12018f;;;S-1-0-65534)(A;;FR;;;WD) (perm=65534:65534:0664)

dacowan commented 6 years ago

More info...

I created a Windows VM behind the corporate network (same network/firewall rules) - but not joined to the domain (and therefore not beholden to the group policies of the domain)

Connecting using "net use" works just fine with default user mapping.

billziss-gh commented 6 years ago

@tozachroberts are you on a domain as well?

@dacowan thanks for the great troubleshooting. It is clear that the problem has something to do with the domain. Unfortunately it is hard to troubleshoot the reason without having access to the domain.

(Not all domain SID's can be translated into UNIX-like UID's for use with SSHFS and this may be the issue here.)

BTW, there is alternative approach. You can pass the option -o umask=000 to SSHFS which will make files read/write-able by everyone. This should allow you to use the file system, but it may not be what you ultimately want.

tozachroberts commented 6 years ago

@billziss-gh yes, I am running Win10 and it is attached to a corporate domain (GRAYCON_CHI). The only user I have is a domain user. I will try to create a local user and see if I get different results. I am pretty sure whatever my particular use case, it is failing the getpasswd() call that you've mentioned previously.

If there is anything else I can provide to help figure it out, let me know. My windows dev skills are almost non-existent, but I am quite familiar with the linux side as well as development, and happy to help.

dacowan commented 6 years ago

@billziss-gh If you can help me set up a dev environment, I'm happy to debug into it and see if we can sort this out.

billziss-gh commented 6 years ago

Setting up a dev environment for SSHFS-Win is not particularly hard. You will need:

The Windows side of things is taken care of by Cygwin and WinFsp, so you do not need to have any native Windows dev experience.

dacowan commented 6 years ago

Thanks Bill. Sorry for the delay. Now that I have a little time to get back to this -- I'm almost there, but when I try to run make, it's complaining about no 'fuse' package.

```
mkdir -p .build/x64/status
mkdir -p .build/x64/src
git clone /cygdrive/d/_Projects/sshfs-win/sshfs .build/x64/src/sshfs
Cloning into '.build/x64/src/sshfs'...
done.
Note: checking out 'a9a1cc004675f35df34c68f3e134c2194311943f'.

You are in 'detached HEAD' state. You can look around, make experimental changes and commit them, and you can discard any commits you make in this state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may do so (now or later) by using -b with the checkout command again. Example:

git checkout -b

touch .build/x64/status/clone
cd .build/x64/src/sshfs && for f in /cygdrive/d/_Projects/sshfs-win/patches/*.patch; do patch -p1 <$f; done
(Stripping trailing CRs from patch; use --binary to disable.)
patching file configure.ac
(Stripping trailing CRs from patch; use --binary to disable.)
patching file sshfs.c
(Stripping trailing CRs from patch; use --binary to disable.)
patching file sshfs.c
touch .build/x64/status/patch
cd .build/x64/src/sshfs && autoreconf -i
configure.ac:6: installing './compile'
configure.ac:2: installing './config.guess'
configure.ac:2: installing './config.sub'
configure.ac:3: installing './install-sh'
configure.ac:3: installing './missing'
Makefile.am: installing './depcomp'
touch .build/x64/status/reconf
cd .build/x64/src/sshfs && ./configure
checking build system type... x86_64-unknown-cygwin
checking host system type... x86_64-unknown-cygwin
checking target system type... x86_64-unknown-cygwin
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.exe
checking for suffix of executables... .exe
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for library containing dlsym... none required
checking OpenSSH version... 7.7 >= 4.4, disabling NODELAY workaround
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for SSHFS... no
configure: error: Package requirements (fuse >= 2.3 glib-2.0 gthread-2.0) were not met:

No package 'fuse' found

Consider adjusting the PKG_CONFIG_PATH environment variable if you installed software in a non-standard prefix.

Alternatively, you may set the environment variables SSHFS_CFLAGS and SSHFS_LIBS to avoid the need to call pkg-config. See the pkg-config man page for more details.
make: *** [Makefile:86: .build/x64/status/config] Error 1
```

dacowan commented 6 years ago

BTW... I put together a simple cygwin cmdline c program that just queried and printed the results of getpwnam, and it appeared to be working correctly - so I don't think it's failing in that. I'd know more if I could debug into sshfs-win.c

billziss-gh commented 6 years ago

Install “FUSE for Cygwin” by opening your Cygwin prompt, change to the /cygdrive/c/Program Files (x86)/WinFsp/opt/cygfuse directory and issue an sh ./install.sh command.

jessicah commented 6 years ago

@dacowan do you know if your domain is Windows AD, or a Samba domain? I'm running into the exact same issue. My machine was previously working whilst joined to a Windows AD domain, but I've since switched to a Samba 3.x based domain, and now things are broken.

I also noticed your winfsp output is similar to mine:

yours: O:S-1-0-65534G:DUD:P(A;;0x1f019f;;;S-1-0-65534)(A;;0x12018f;;;DU)(A;;FR;;;WD) (perm=65534:1049089:0664)
mine:  O:S-1-0-65534G:S-1-0-65534D:P(A;;FA;;;S-1-0-65534)(A;;0x1201ef;;;S-1-0-65534)(A;;0x1200a9;;;WD) (perm=65534:65534:0775)

And if I try fsptool-x86.exe id S-1-0-65534 I get the weird:

S-1-0-65534() (uid=65534)

So the SID is obviously bogus. id with other valid SIDs get translated correctly. So it seems like WinFSP is the problem, rather than SSHFS-Win?

jessicah commented 6 years ago

Rejoining the Windows AD domain, and the permissions are now working, and the fsptool output is better:

O:S-1-5-21-95318837-410984162-318601546-611467G:DUD:P(A;;FA;;;S-1-5-21-95318837-410984162-318601546-611467)(A;;0x1201ef;;;DU)(A;;0x1200a9;;;WD) (perm=1660043:1049089:0775)

And id S-1-5-21-95318837-410984162-318601546-611467 generating correct reverse lookup:

S-1-5-21-95318837-410984162-318601546-611467(MASSEY\jlhamilt) (uid=1660043)

@dacowan another possibility: is your login cross-domain? E.g. I was on SEAT domain, but logged in with MASSEY domain credentials.

billziss-gh commented 6 years ago

WinFsp supports Windows domains, but not trusted domains.
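
The `fsptool perm` lines quoted in this thread can be read mechanically. The following Python sketch is an added example, not part of the original thread and not WinFsp code: it parses such a line and reports whether the local ACL gives a user `FILE_WRITE_DATA`. The function names and `SAMPLE_SID` are assumptions made for illustration; owner rights and privileges are not modelled.

```python
import re

FILE_WRITE_DATA = 0x0002  # same bit as FILE_ADD_FILE on a directory
# SDDL file-rights abbreviations and their access masks
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
UNMAPPED_SID = "S-1-0-65534"  # `fsptool id` in the thread resolves it to no account

SID = r"(?:S-1-[\d-]+|[A-Z]{2})"  # numeric SID or two-letter SDDL alias (SY, WD, DU)
LINE_RE = re.compile(
    rf"O:(?P<owner>{SID})G:(?P<group>{SID})D:[A-Z]*(?P<aces>(?:\([^)]*\))+)"
    r"\s*\(perm=(?P<uid>\d+):(?P<gid>\d+):(?P<mode>[0-7]+)\)")
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

# Output lines copied from the thread (RVW_LINE joined back onto one line).
ALL_UNMAPPED = ("O:S-1-0-65534G:S-1-0-65534D:P(A;;0x1f019f;;;S-1-0-65534)"
                "(A;;0x12018f;;;S-1-0-65534)(A;;FR;;;WD) (perm=65534:65534:0664)")
ZROBERTS_SID = "S-1-12-1-1572753831-1209900123-1627014284-187873716"
ZROBERTS_LINE = ("O:S-1-5-1-0G:S-1-5-1-0D:P(A;;0x1f0198;;;S-1-5-1-0)"
                 "(A;;0x120088;;;S-1-5-1-0)(A;;0x120088;;;WD) (perm=4096:4096:0000)")
RVW_SID = "S-1-5-21-410817959-1723000825-2337116463-1001"
RVW_LINE = (f"O:{RVW_SID}G:S-1-5-21-410817959-1723000825-2337116463-513"
            f"D:P(A;;FA;;;{RVW_SID})(A;;0x1200a9;;;S-1-5-21-410817959-1723000825-"
            "2337116463-513)(A;;0x1200a9;;;WD) (perm=197609:197121:0755)")
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed

def parse_perm(line):
    """Split an fsptool perm line into owner, group, ACEs and POSIX fields."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not an fsptool perm line")
    aces = []
    for typ, _flags, rights, _obj, _inh, trustee in ACE_RE.findall(m["aces"]):
        if rights.startswith("0x"):
            mask = int(rights, 16)
        else:  # concatenated two-letter codes; unknown codes raise KeyError
            mask = 0
            for i in range(0, len(rights), 2):
                mask |= RIGHTS[rights[i:i + 2]]
        aces.append((typ, mask, trustee))
    return {"owner": m["owner"], "group": m["group"], "aces": aces,
            "uid": int(m["uid"]), "gid": int(m["gid"]), "mode": m["mode"]}

def grants_write(perm, token_sids):
    """The first ACE that names the caller and covers the write bit decides."""
    sids = set(token_sids) | {"WD"}  # Everyone (WD) is in every token
    for typ, mask, trustee in perm["aces"]:
        if trustee in sids and mask & FILE_WRITE_DATA:
            return typ == "A"
    return False

def diagnose(line, user_sid, group_sids=()):
    perm = parse_perm(line)
    if grants_write(perm, [user_sid, *group_sids]):
        return "local ACL grants write; look at the SSHFS server side"
    if perm["owner"] == UNMAPPED_SID:
        return "owner is the unmapped SID; the user mapping failed"
    return f"no write ACE for this user; owner is {perm['owner']}"
```

Pass the SID from `whoami /user` as `user_sid` and, if needed, group SIDs exactly as they appear in the SDDL string.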

rvwhitney commented 5 years ago

Hello!
I just am testing this for my co-workers. I use sshfs for linux myself, which works great. I am able to connect and load files with sshfs-win - when I try to save a file after editing, I get the Access Denied error. Connecting this way: image. Is cygwin required? Thanks!

billziss-gh commented 5 years ago

@phpmydev

From a command prompt run the commands and report their output:

> "C:\Program Files (x86)\WinFsp\bin\fsptool-x64.exe" id FULL-PATH-TO-DIR
> cacls FULL-PATH-TO-DIR /S

Where FULL-PATH-TO-DIR is one of the directories you are trying to save in.

rvwhitney commented 5 years ago

Thanks for the response. Here is a screenshot: image

billziss-gh commented 5 years ago

Sorry, my bad. The command to try uses perm and not id:

"C:\Program Files (x86)\WinFsp\bin\fsptool-x64.exe" perm Y:\kv

rvwhitney commented 5 years ago

here you go:

C:\Users\Richard Whitney>"C:\Program Files (x86)\WinFsp\bin\fsptool-x64.exe" perm Y:\kv
O:S-1-5-21-410817959-1723000825-2337116463-1001G:S-1-5-21-410817959-1723000825-2337116463-513
D:P(A;;FA;;;S-1-5-21-410817959-1723000825-2337116463-1001)(A;;0x1200a9;;;S-1-5-21-410817959-1723000825-2337116463-513)(A;;0x1200a9;;;WD) 
(perm=197609:197121:0755)

billziss-gh commented 5 years ago

This shows that the directory is owned by SID S-1-5-21-410817959-1723000825-2337116463-1001 (uid==197609) with full access rights.

What do you get if you now do fsptool-x64.exe id 197609? This user should be able to create files/directories, but other users should not be able to. Is this what you are experiencing?

rvwhitney commented 5 years ago

C:\Users\Richard Whitney>"C:\Program Files (x86)\WinFsp\bin\fsptool-x64.exe" id 197609
S-1-5-21-410817959-1723000825-2337116463-1001(DESKTOP-1EE2NF7\Richard Whitney) (uid=197609)

What I am seeing is an inability to save a file after opening (existing file). I have not tried to create a file or dir from sshfs-win - I cannot create anything either

rvwhitney commented 5 years ago

fwiw, I also temporarily chmodded the files to 777

billziss-gh commented 5 years ago

So are you saying that the user Richard Whitney (i.e. you) that owns the directory cannot create a file in that directory using the regular (non-elevated) account?

If that is the case, the problem likely lies on the SSHFS server side of things rather than the Windows side of things. The Windows permissions that you are showing say that user Richard Whitney (and only that user) has the right to create files and directories in the directory \kv as far as Windows is concerned.

rvwhitney commented 5 years ago

the owner of the directory is pi on the remote machine - I apologize for any confusion. Am I doing something terribly wrong? Funny, when I connect to the share via linux client to linux server I need to authenticate to the server - I thought I was doing that from Windows as well? I do appreciate your time and effort on this!

billziss-gh commented 5 years ago
rvwhitney commented 5 years ago

-rwxrwxrwx 1 pi pi 1160 Jun 26 2018 kv43.sh

that's a snippet of it

billziss-gh commented 5 years ago

Actually I was looking for the permissions of the directory that maps to \kv on Windows. Please try the ./kv directory instead. Like so:

ls -ld ./kv

rvwhitney commented 5 years ago

drwxr-xr-x 6 pi pi 4096 Sep 13 14:48 kv

I see that it is not world or group writable. This mode works for my linux connection

billziss-gh commented 5 years ago

Can you try id pi from the SSHFS server prompt and report the corresponding uid and gid?

The way this looks it should work for any user who is signed in as user pi on the SSHFS server.

rvwhitney commented 5 years ago

uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),999(spi),998(i2c),997(gpio)

May I ask again: is cygwin required? I am hoping not.

rvwhitney commented 5 years ago

also, if you hadn't guessed, the sshfs server is a raspberry pi

billziss-gh commented 5 years ago

Cygwin is not required. A proper version is included with SSHFS-Win.

Off the top of my head I cannot think of an obvious reason for the "Access denied" messages after this little exercise. My only suggestion is to chmod the directory to 0777 and see if this fixes matters for you.

rvwhitney commented 5 years ago

chmod 777 kv did not make a difference

maksteel commented 4 years ago

https://github.com/billziss-gh/sshfs-win/issues/27#issuecomment-403560640

We've got trusted-domains setup at our workplace.. does that mean we would not be able to mount with correct permission? is there a work around?

billziss-gh commented 4 years ago

@maksteel unfortunately this is the case. I never got around to implementing support for trusted domain accounts to POSIX UID's:

https://github.com/billziss-gh/winfsp/blob/v1.5B4/src/ku/posix.c#L295-L336 https://github.com/billziss-gh/winfsp/blob/v1.5B4/src/ku/posix.c#L412-L440

is there a work around?

I have no good work around for the general case. But if your domains are setup "just right" it may work.

Mqxx commented 3 years ago

292 We have still a problem that we don't understand...

chouzz commented 2 years ago

Winfsp v1.8 could solve this problem. It's a bug of winfsp https://github.com/billziss-gh/winfsp/issues/381