
Mounting an Ubuntu FS onto a Windows Host - Access Denied

Open dacowan opened this issue 6 years ago • 47 comments

I'm attempting to mount my Ubuntu system on to my Windows 10 machine. I have installed WinFSP and SSHFS-Win. I have my authorized_keys set up on my remote machine with my public/private key combo, and my .ssh/config is set up (I realize that this option still doesn't work - judging from the open issues list). I'm attempting to mount the file system using the form:

net use v: \\sshfs\[email protected]

I am prompted for my user/password for 'sshfs' - which I enter interactively.

The share is mounted correctly and I can read/browse -- but I cannot write to it. "Access is denied"

Any suggestions? (I really want this to work - this would cut hours per week off my work pipeline)

dacowan avatar Apr 20 '18 20:04 dacowan

Does remoteuser have write permissions on the served directories/files?

billziss-gh avatar Apr 20 '18 20:04 billziss-gh

Yes. At least, he should have - mounting without a remote path appears to mount at the root of the remoteusers home folder.

dacowan avatar Apr 20 '18 21:04 dacowan

@dacowan can you run the command

> "C:\Program Files (x86)\WinFsp\bin\fsptool-x64.exe" perm FILE

where FILE is one of the files/directories that you cannot write?

billziss-gh avatar Apr 20 '18 21:04 billziss-gh

I'm not clear on the format of that command... I may be doing it wrong.

I opened a windows command prompt, navigated to V:\ (the root mapping to which the folder is mapped on my Ubuntu server)

V:> "C:\Program Files (x86)\WinFsp\bin\fsptool-x64.exe" perm testfile.txt

There was no output to the terminal.

dacowan avatar Apr 20 '18 21:04 dacowan

I believe the command looks for a backslash (\) to determine that it should look for path permissions.

Try it like this:

V:> "C:\Program Files (x86)\WinFsp\bin\fsptool-x64.exe" perm .\testfile.txt

billziss-gh avatar Apr 20 '18 21:04 billziss-gh

Ah, that works.

O:SYG:SYD:P(A;;0x1f019f;;;SY)(A;;0x12018f;;;SY)(A;;FR;;;WD) (perm=18:18:0664)

dacowan avatar Apr 20 '18 21:04 dacowan

Ok, it is not clear why, but permissions are only given to the LocalSystem account and not your user.

Does the following (without the domain+localuser part) not work? By default it should detect the user that mounts the file system and give it proper permissions. This works if the user who executes the net use command is also the user granted access.

net use v: \\sshfs\[email protected]

billziss-gh avatar Apr 21 '18 17:04 billziss-gh

OK, something different now. I disconnected the drive (net use v: /delete) and flushed the credentials from the Windows Credentials Manager. I reconnected without the local domain/user information. I was prompted for user/pass and I used the username and password for the remote Ubuntu machine.

fsptool reports O:S-1-0-65534G:DUD:P(A;;0x1f019f;;;S-1-0-65534)(A;;0x12018f;;;DU)(A;;FR;;;WD) (perm=65534:1049089:0664)

I still don't have write permissions, however.

dacowan avatar Apr 23 '18 17:04 dacowan

SSHFS-Win includes a small wrapper program that is supposed to correctly determine the user who is mounting the file system and launch SSHFS so that permissions are properly granted to that user. Clearly this program (sshfs-win.c) must be failing.

There may be something special about your domain that makes this getpasswd call fail.

An alternative might be to try to launch sshfs from the command line, where you have all its options available.

> C:\Program Files\SSHFS-Win\bin\sshfs.exe

The -o idmap=user option is often all that is needed to properly map the local to the remote user. Other options can be found in the SSHFS man page. [man sshfs]

billziss-gh avatar Apr 23 '18 17:04 billziss-gh

So, this is interesting... I think it may be something to do with the way the system is locked down by the domain admins -- or something related to user rights... I'm on a fairly tight corporate domain.

```
sshfs [email protected]:/home/username v: -oidmap=user -onomap=ignore -d
Could not create directory '/c/Program Files/SSHFS-Win/home/localusername/.ssh'.
The authenticity of host 'remotehost (***.***.***.*** ip address removed)' can't be established.
ECDSA key fingerprint is SHA256:<snip>.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/c/Program Files/SSHFS-Win/home/localusername/.ssh/known_hosts).
[email protected]'s password:
dup() in/out/err failed
read: Connection reset by peer
```

I find it interesting that sshfs is trying to make a home directory below my bin folder - this has something to do with cygwin, I believe?

Does any of this help?

dacowan avatar Apr 23 '18 18:04 dacowan

This is a useful thread. I am having a similar, but not identical, issue with "Access is denied" errors. I can successfully mount, but cannot access anything (not read-only, nor read-write) on the mounted drive.

Using the fsptool, it looks like the local username mapping of sshfs-win.c is failing in my case as well.

```
C:\WINDOWS\system32>whoami /user

USER INFORMATION

User Name            SID
==================== ===================================================
graycon_chi\zroberts S-1-12-1-1572753831-1209900123-1627014284-187873716
```

```
C:\Program Files (x86)\WinFsp\bin>fsptool-x64.exe perm Z:\
O:S-1-5-1-0G:S-1-5-1-0D:P(A;;0x1f0198;;;S-1-5-1-0)(A;;0x120088;;;S-1-5-1-0)(A;;0x120088;;;WD) (perm=4096:4096:0000)
```

I am assuming that O:S-1-5-1-0 means that the drive is mounted as some local System user and clearly not my domain user with the S-1-12-1... id? Any thoughts on how to force a particular user to be the owner of a mount?

tozachroberts avatar Apr 24 '18 14:04 tozachroberts

OK, more info. I tried this same mapping from my personal machine at home to the Ubuntu host, and all works well. The fsp-tool correctly reports my local user GUID.

I suspect it's something to do with the way in which my account/PC has been locked down within the corporate domain.

I'm going to give it a go on my corporate laptop to see if there are any differences.

Oh... here's a thought - could this be something to do with the fact that I don't actually have CygWin installed? All of my bash/linux tools are coming from my "Git for Windows" install - including the 'ssh' executable.

When I run sshfs directly, with debug output enabled -- I get the following

```
sshfs [email protected]: v: -o idmap=user -o sshfs_debug -o nomap=error -d

SSHFS version 2.7
executing <-x> <-a> <-oClearAllForwardings=yes> <-2> [email protected] <-s>
[email protected]'s password:
dup() in/out/err failed
read: Connection reset by peer
```

dacowan avatar Apr 24 '18 16:04 dacowan

Just tried this on my corporate laptop, and it's exactly the same.

I got a little further with using sshfs directly... I was missing some options.

```
sshfs [email protected]: v: -o idmap=user -o sshfs_debug -o nomap=ignore -ofstypename=SSHFS -o Compression=no
SSHFS version 2.7
[email protected]'s password:
Server version: 3
Extension: [email protected] <1>
Extension: [email protected] <2>
Extension: [email protected] <2>
Extension: [email protected] <1>
Extension: [email protected] <1>
```

It connected the drive correctly, but still the same user ID results

O:S-1-0-65534G:S-1-0-65534D:P(A;;0x1f019f;;;S-1-0-65534)(A;;0x12018f;;;S-1-0-65534)(A;;FR;;;WD) (perm=65534:65534:0664)

dacowan avatar Apr 24 '18 16:04 dacowan

More info...

I created a Windows VM behind the corporate network (same network/firewall rules) - but not joined to the domain (and therefore not beholden to the group policies of the domain)

Connecting using "net use" works just fine with default user mapping.

dacowan avatar Apr 24 '18 16:04 dacowan

@tozachroberts are you on a domain as well?

@dacowan thanks for the great troubleshooting. It is clear that the problem has something to do with the domain. Unfortunately it is hard to troubleshoot the reason without having access to the domain.

(Not all domain SID's can be translated into UNIX-like UID's for use with SSHFS and this may be the issue here.)

BTW, there is an alternative approach. You can pass the option -o umask=000 to SSHFS, which will make files read/write-able by everyone. This should allow you to use the file system, but it may not be what you ultimately want.

billziss-gh avatar Apr 24 '18 17:04 billziss-gh

@billziss-gh yes, I am running Win10 and it is attached to a corporate domain (GRAYCON_CHI). The only user I have is a domain user. I will try to create a local user and see if I get different results. I am pretty sure whatever my particular use case, it is failing the getpasswd() call that you've mentioned previously.

If there is anything else I can provide to help figure it out, let me know. My windows dev skills are almost non-existent, but I am quite familiar with the linux side as well as development, and happy to help.

tozachroberts avatar Apr 24 '18 17:04 tozachroberts

@billziss-gh If you can help me set up a dev environment, I'm happy to debug into it and see if we can sort this out.

dacowan avatar Apr 24 '18 19:04 dacowan

Setting up a dev environment for SSHFS-Win is not particularly hard. You will need:

  • A Cygwin build environment (including gcc, autoconf, etc)
  • The packages required by SSHFS. The fuse package is satisfied by installing WinFsp and the contained "FUSE for Cygwin". The glib and gthread packages are satisfied by the Cygwin glib package, installable via Cygwin setup.
  • You will also need Wix to build the SSHFS-Win installer.
  • To build SSHFS-Win simply:
    $ cd sshfs-win
    $ make
    

The Windows side of things is taken care of by Cygwin and WinFsp, so you do not need to have any native Windows dev experience.

billziss-gh avatar Apr 24 '18 23:04 billziss-gh

Thanks Bill. Sorry for the delay. Now that I have a little time to get back to this -- I'm almost there, but when I try to run make, it's complaining about no 'fuse' package.

```
mkdir -p .build/x64/status
mkdir -p .build/x64/src
git clone /cygdrive/d/_Projects/sshfs-win/sshfs .build/x64/src/sshfs
Cloning into '.build/x64/src/sshfs'...
done.
Note: checking out 'a9a1cc004675f35df34c68f3e134c2194311943f'.

You are in 'detached HEAD' state. You can look around, make experimental changes and commit them, and you can discard any commits you make in this state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may do so (now or later) by using -b with the checkout command again. Example:

git checkout -b

touch .build/x64/status/clone
cd .build/x64/src/sshfs && for f in /cygdrive/d/_Projects/sshfs-win/patches/*.patch; do patch -p1 <$f; done
(Stripping trailing CRs from patch; use --binary to disable.)
patching file configure.ac
(Stripping trailing CRs from patch; use --binary to disable.)
patching file sshfs.c
(Stripping trailing CRs from patch; use --binary to disable.)
patching file sshfs.c
touch .build/x64/status/patch
cd .build/x64/src/sshfs && autoreconf -i
configure.ac:6: installing './compile'
configure.ac:2: installing './config.guess'
configure.ac:2: installing './config.sub'
configure.ac:3: installing './install-sh'
configure.ac:3: installing './missing'
Makefile.am: installing './depcomp'
touch .build/x64/status/reconf
cd .build/x64/src/sshfs && ./configure
checking build system type... x86_64-unknown-cygwin
checking host system type... x86_64-unknown-cygwin
checking target system type... x86_64-unknown-cygwin
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.exe
checking for suffix of executables... .exe
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for library containing dlsym... none required
checking OpenSSH version... 7.7 >= 4.4, disabling NODELAY workaround
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for SSHFS... no
configure: error: Package requirements (fuse >= 2.3 glib-2.0 gthread-2.0) were not met:

No package 'fuse' found

Consider adjusting the PKG_CONFIG_PATH environment variable if you installed software in a non-standard prefix.

Alternatively, you may set the environment variables SSHFS_CFLAGS and SSHFS_LIBS to avoid the need to call pkg-config. See the pkg-config man page for more details.
make: *** [Makefile:86: .build/x64/status/config] Error 1
```

dacowan avatar May 10 '18 06:05 dacowan

BTW... I put together a simple cygwin cmdline c program that just queried and printed the results of getpwnam, and it appeared to be working correctly - so I don't think it's failing in that. I'd know more if I could debug into sshfs-win.c

dacowan avatar May 10 '18 06:05 dacowan

Install “FUSE for Cygwin” by opening your Cygwin prompt, changing to the /cygdrive/c/Program Files (x86)/WinFsp/opt/cygfuse directory and issuing an sh ./install.sh command.

billziss-gh avatar May 10 '18 08:05 billziss-gh

@dacowan do you know if your domain is Windows AD, or a Samba domain? I'm running into the exact same issue. My machine was previously working whilst joined to a Windows AD domain, but I've since switched to a Samba 3.x based domain, and now things are broken.

I also noticed your winfsp output is similar to mine:

yours: O:S-1-0-65534G:DUD:P(A;;0x1f019f;;;S-1-0-65534)(A;;0x12018f;;;DU)(A;;FR;;;WD) (perm=65534:1049089:0664)
mine:  O:S-1-0-65534G:S-1-0-65534D:P(A;;FA;;;S-1-0-65534)(A;;0x1201ef;;;S-1-0-65534)(A;;0x1200a9;;;WD) (perm=65534:65534:0775)

And if I try fsptool-x86.exe id S-1-0-65534 I get the weird:

S-1-0-65534() (uid=65534)

So the SID is obviously bogus. id with other valid SIDs get translated correctly. So it seems like WinFSP is the problem, rather than SSHFS-Win?

jessicah avatar Jul 09 '18 00:07 jessicah

Rejoining the Windows AD domain, and the permissions are now working, and the fsptool output is better:

O:S-1-5-21-95318837-410984162-318601546-611467G:DUD:P(A;;FA;;;S-1-5-21-95318837-410984162-318601546-611467)(A;;0x1201ef;;;DU)(A;;0x1200a9;;;WD) (perm=1660043:1049089:0775)

And id S-1-5-21-95318837-410984162-318601546-611467 generating correct reverse lookup:

S-1-5-21-95318837-410984162-318601546-611467(MASSEY\jlhamilt) (uid=1660043)

@dacowan another possibility: is your login cross-domain? E.g. I was on SEAT domain, but logged in with MASSEY domain credentials.

jessicah avatar Jul 09 '18 00:07 jessicah
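The comparison made by hand in the comments above (owner SID versus the logged-in user's SID, and which trustees actually hold write access) can be scripted. This is an added example, not code from the thread or from WinFsp; the function names are hypothetical, only the four SDDL file-right mnemonics listed are recognised, and deny ACEs are not evaluated because none appear in the outputs posted here.

```python
import re

# SDDL file-right mnemonics and their access masks (Windows SDK values).
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
FILE_WRITE_DATA = 0x2          # on a directory the same bit means "add file"
NOBODY_SID = "S-1-0-65534"     # SID the thread sees paired with uid=65534

SID = r"(?:S-[\d-]+|[A-Z]{2})"  # full SID or two-letter alias (SY, WD, DU)
LINE = re.compile(
    rf"O:(?P<owner>{SID})G:(?P<group>{SID})D:(?P<flags>[A-Z]*)"
    r"(?P<aces>(?:\([^)]*\))+)\s*\(perm=(?P<uid>\d+):(?P<gid>\d+):(?P<mode>[0-7]+)\)"
)

def parse_perm(line):
    """Split one line of `fsptool perm` output into owner, group, ACEs, perm."""
    m = LINE.search(line)
    if m is None:
        raise ValueError("not fsptool perm output")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        ace_type, _flags, rights, _obj, _inh, trustee = body.split(";")
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
        else:                   # concatenated two-letter mnemonics
            mask = 0
            for i in range(0, len(rights), 2):
                mask |= RIGHTS[rights[i:i + 2]]
        aces.append((ace_type, trustee, mask))
    return {"owner": m["owner"], "group": m["group"], "aces": aces,
            "uid": int(m["uid"]), "gid": int(m["gid"]), "mode": int(m["mode"], 8)}

def diagnose(line, user_sid, group_sids=()):
    """Report whether user_sid owns the file and is allowed FILE_WRITE_DATA."""
    info = parse_perm(line)
    mine = {user_sid, "WD", *group_sids}   # WD (Everyone) applies to any user
    # Allow ACEs only: the thread's outputs contain no deny ACEs.
    can_write = any(t == "A" and who in mine and mask & FILE_WRITE_DATA
                    for t, who, mask in info["aces"])
    return {"owner_is_user": info["owner"] == user_sid,
            "owner_unmapped": info["owner"] == NOBODY_SID,
            "can_write": bool(can_write)}

# The two outputs and the user SID are copied from the comments above.
USER = "S-1-5-21-95318837-410984162-318601546-611467"
BROKEN = "O:S-1-0-65534G:S-1-0-65534D:P(A;;FA;;;S-1-0-65534)(A;;0x1201ef;;;S-1-0-65534)(A;;0x1200a9;;;WD) (perm=65534:65534:0775)"
WORKING = f"O:{USER}G:DUD:P(A;;FA;;;{USER})(A;;0x1201ef;;;DU)(A;;0x1200a9;;;WD) (perm=1660043:1049089:0775)"
```

Pass the SID from `whoami /user` as `user_sid`; group SIDs or aliases the user belongs to can be supplied through `group_sids` when group ACEs should count.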

WinFsp supports Windows domains, but not trusted domains.

billziss-gh avatar Jul 09 '18 17:07 billziss-gh

Hello!
I just am testing this for my co-workers. I use sshfs for linux myself, which works great. I am able to connect and load files with sshfs-win - when I try to save a file after editing, I get the Access Denied error. Connecting this way: image

Is cygwin required? Thanks!

rvwhitney avatar Sep 13 '19 18:09 rvwhitney

@phpmydev

From a command prompt run the commands and report their output:

> "C:\Program Files (x86)\WinFsp\bin\fsptool-x64.exe" id FULL-PATH-TO-DIR
> cacls FULL-PATH-TO-DIR /S

Where FULL-PATH-TO-DIR is one of the directories you are trying to save in.

billziss-gh avatar Sep 13 '19 20:09 billziss-gh

Thanks for the response. Here is a screenshot: image

rvwhitney avatar Sep 13 '19 20:09 rvwhitney

Sorry, my bad. The command to try uses perm and not id:

"C:\Program Files (x86)\WinFsp\bin\fsptool-x64.exe" perm Y:\kv

billziss-gh avatar Sep 13 '19 20:09 billziss-gh

here you go:

C:\Users\Richard Whitney>"C:\Program Files (x86)\WinFsp\bin\fsptool-x64.exe" perm Y:\kv
O:S-1-5-21-410817959-1723000825-2337116463-1001G:S-1-5-21-410817959-1723000825-2337116463-513D:P(A;;FA;;;S-1-5-21-410817959-1723000825-2337116463-1001)(A;;0x1200a9;;;S-1-5-21-410817959-1723000825-2337116463-513)(A;;0x1200a9;;;WD) (perm=197609:197121:0755)

rvwhitney avatar Sep 13 '19 20:09 rvwhitney

This shows that the directory is owned by SID S-1-5-21-410817959-1723000825-2337116463-1001 (uid==197609) with full access rights.

What do you get if you now do fsptool-x64.exe id 197609? This user should be able to create files/directories, but other users should not be able to. Is this what you are experiencing?

billziss-gh avatar Sep 13 '19 21:09 billziss-gh