more rpcclient bughunting: PRINTER_ALL_ACCESS vs MAXIMUM_ALLOWED_ACCESS

Ronan Waide waider at waider.ie
Wed Mar 5 12:28:12 GMT 2003


On March 5, tpot at samba.org said:
> 
> I've checked in a fix.  It's odd that MAXIMUM_ALLOWED_ACCESS doesn't
> do what it's supposed to in this case.  Are you running the setdriver
> against an NT or Samba server?

Running against Samba HEAD, but just one sec...

Right, here's the summary of what I've found:

Samba HEAD -> Samba HEAD (rpcclient setdriver)
* Asking for Maximum allowed access doesn't give you printer admin
  rights

Samba HEAD -> NT4 SP6 (rpcclient setdriver)
* Asking for Maximum allowed access /does/ give you printer admin
  rights, even though the printer admin bitfield isn't set.

NT4 SP6 to Samba HEAD (Opening the Printers folder)
* First request is for
  Write Owner | Write DAC | Read Control | Delete
  Server Enum | Server Admin

* Second request appears to be the same in terms of requested access;
  something else might differ, but nothing immediately obvious.

* Third request asks for
  Read Control
  Server Enum

I set up a Printer Operator account to test this with, and it
succeeded on the first request (Server Admin), as does a Domain
Admin account. Finally, I removed the Printer Operator account from
"Printer Operators" but left it in "printer admins" on the samba
server, and it still succeeded at the first request. So I'm not sure
when the Printer Admin bit gets used, but it's not when you open the
Printers folder.

I don't right now have an easy way to test NT<->NT /and/ capture the
bits; however, I think it's obvious from the above that Samba should
be responding to a MAXIMUM_ALLOWED_ACCESS request with
PRINTER_ACCESS_ADMINISTER rights. As it stands, it's going to get
punted:

srv_spoolss_nt.c:1577
======================================================================
		/* Deny any object specific bits that don't apply to print
		   servers (i.e printer and job specific bits) */

		printer_default->access_required &= SPECIFIC_RIGHTS_MASK;

		if (printer_default->access_required &
		    ~(SERVER_ACCESS_ADMINISTER | SERVER_ACCESS_ENUMERATE)) {
			DEBUG(3, ("access DENIED for non-printserver bits"));
			close_printer_handle(p, handle);
			return WERR_ACCESS_DENIED;
		}
======================================================================

Cheers,
Waider.
-- 
waider at waider.ie / Yes, it /is/ very personal of me.

"Your broker is a half-naked blue-and-orange crypto-anarchist?"
                              - Neal Stephenson / The Great Simoleon Caper
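
Added example, not part of the original message or of the Samba source: a stand-alone C rendering of the print-server check quoted above, run over access masks built from the requests listed in the message. The numeric constant values are assumptions taken from the standard Windows definitions, and the function name check_printserver_access is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values (standard Windows definitions; not given in the message). */
#define SERVER_ACCESS_ADMINISTER  0x00000001u
#define SERVER_ACCESS_ENUMERATE   0x00000002u
#define PRINTER_ACCESS_ADMINISTER 0x00000004u
#define SPECIFIC_RIGHTS_MASK      0x0000FFFFu
#define DELETE_ACCESS             0x00010000u
#define READ_CONTROL_ACCESS       0x00020000u
#define WRITE_DAC_ACCESS          0x00040000u
#define WRITE_OWNER_ACCESS        0x00080000u
#define MAXIMUM_ALLOWED_ACCESS    0x02000000u

/* Hypothetical helper mirroring the quoted check: returns 1 if the request
   gets past it, 0 where the quoted code returns WERR_ACCESS_DENIED. */
int check_printserver_access(uint32_t access_required)
{
	/* Only the object-specific bits (low 16) are examined. */
	access_required &= SPECIFIC_RIGHTS_MASK;

	/* Any specific bit other than the two server bits is refused. */
	if (access_required &
	    ~(SERVER_ACCESS_ADMINISTER | SERVER_ACCESS_ENUMERATE))
		return 0;
	return 1;
}

int main(void)
{
	/* Constructed masks matching the requests listed in the message. */
	uint32_t first = WRITE_OWNER_ACCESS | WRITE_DAC_ACCESS |
	                 READ_CONTROL_ACCESS | DELETE_ACCESS |
	                 SERVER_ACCESS_ENUMERATE | SERVER_ACCESS_ADMINISTER;
	uint32_t third = READ_CONTROL_ACCESS | SERVER_ACCESS_ENUMERATE;

	printf("first request:             %d\n", check_printserver_access(first));
	printf("third request:             %d\n", check_printserver_access(third));
	printf("MAXIMUM_ALLOWED_ACCESS:    %d\n",
	       check_printserver_access(MAXIMUM_ALLOWED_ACCESS));
	printf("PRINTER_ACCESS_ADMINISTER: %d\n",
	       check_printserver_access(PRINTER_ACCESS_ADMINISTER));
	return 0;
}
```

With these assumed values, MAXIMUM_ALLOWED_ACCESS sits outside the low 16 bits and is masked away before the test, while any request carrying PRINTER_ACCESS_ADMINISTER on a print-server handle is refused.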

