granting SeSecurityPrivilege to user

[Jeremy Allison]

On Tue, Oct 19, 2010 at 05:34:35PM -0700, Nagaraj Shyam wrote:
> Hi,
> 
>  
> 
> I get the error NT_STATUS_PRIVILEGE_NOT_HELD - returned from the
> function create_file_unixpath() from the following block of code:
> 
>  
> 
> /* We need to support SeSecurityPrivilege for this. */
> 
>         if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
> 
>                 status = NT_STATUS_PRIVILEGE_NOT_HELD;
> 
>                 goto fail;
> 
>         }
> 
>  
> 
> This is while using samba 3.5.3 on suse linux and trying to migrate
> files from a windows machine to samba share.   SeSecurityPrivelege is
> not one of the recognized/supported privileges for it to be granted to
> the user.

How are you doing the copy ? Are you using a Windows tool to
copy from the Windows to Samba share ? Currently we refuse file
opens with an access mask that would require SeSecurityPrivilege
(as you can see) and expect the client to retry without the
SEC_FLAG_SYSTEM_SECURITY set. MS-Office will do this, so
I'm interested in seeing what tool fails here.

> net rpc share migrate files also seems to have issues copying folders
> from the windows share if any acl is present on a directory that has a
> ACE with "deny everyone else rule", the migrate prints the error:
> 
>  
> 
> could not handle dir \foldername: NT_STATUS_ACCESS_DENIED
> 
> I used the above command with --acls --attrs -timestamps option.
> 
>  
> 
> thanks for any info on how to workaround acl/ea these issues during file
> migration.

What ACL setting do you have on Samba server ? I'm guessing this
is a problem with mapping the DENY ACL into POSIX ACLs. My recent
jumbo-patch would fix this (still working on getting it back-ported
to 3.5.x, keep getting hit by other bugs first :-).

Jeremy.