granting SeSecurityPrivilege to user

Andrew Bartlett abartlet at samba.org
Tue Oct 19 19:09:42 MDT 2010


On Tue, 2010-10-19 at 17:44 -0700, Jeremy Allison wrote:
> On Tue, Oct 19, 2010 at 05:34:35PM -0700, Nagaraj Shyam wrote:
> > Hi,
> > 
> > I get the error NT_STATUS_PRIVILEGE_NOT_HELD - returned from the
> > function create_file_unixpath() from the following block of code:
> > 
> >         /* We need to support SeSecurityPrivilege for this. */
> >         if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
> >                 status = NT_STATUS_PRIVILEGE_NOT_HELD;
> >                 goto fail;
> >         }
> > 
> > This is while using Samba 3.5.3 on SUSE Linux and trying to migrate
> > files from a Windows machine to a Samba share. SeSecurityPrivilege is
> > not one of the recognized/supported privileges for it to be granted to
> > the user.
> 
> How are you doing the copy? Are you using a Windows tool to
> copy from the Windows to Samba share? Currently we refuse file
> opens with an access mask that would require SeSecurityPrivilege
> (as you can see) and expect the client to retry without the
> SEC_FLAG_SYSTEM_SECURITY set. MS-Office will do this, so
> I'm interested in seeing what tool fails here.

I just wanted to note that, in my recent libcli/security merges in
master, the SeSecurityPrivilege can be easily made available in the
source3 code in master.  The only barrier is that currently the code
artificially limits the list of privileges in 'net rights' and LSA to
preserve the previous behaviour.

There is also an #ifdef which controls this behaviour in
libcli/security/access_check.c that you may wish to consider at the same
time.  (We took care not to change the s3 behaviour here when we did the
merge). 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
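
The refuse-and-retry behaviour discussed in this thread, as an added C sketch that is not Samba code and not part of the original message: demo_token, demo_open_check, demo_client_open, DEMO_READ_CONTROL and the priv_supported switch are hypothetical names, and DACL evaluation is left out. It shows that a client which falls back does get a handle, but with a granted mask that lacks the SACL bit, so that handle cannot read or write the SACL.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SEC_FLAG_SYSTEM_SECURITY     0x01000000u /* ACCESS_SYSTEM_SECURITY: read/write the SACL */
#define DEMO_READ_CONTROL            0x00020000u /* READ_CONTROL: owner, group, DACL */
#define NT_STATUS_OK                 0x00000000u
#define NT_STATUS_PRIVILEGE_NOT_HELD 0xC0000061u

/* Hypothetical token: one flag stands in for the full privilege set. */
struct demo_token { bool has_se_security; };

/* Server gate. priv_supported == false models the quoted 3.5.x block
 * (always refuse). DACL evaluation is omitted: other bits are granted. */
uint32_t demo_open_check(const struct demo_token *tok, uint32_t access_mask,
                         bool priv_supported, uint32_t *granted)
{
    *granted = 0;
    if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &&
        !(priv_supported && tok->has_se_security))
        return NT_STATUS_PRIVILEGE_NOT_HELD;
    *granted = access_mask;
    return NT_STATUS_OK;
}

/* Client fallback: on refusal, retry once without the SACL bit. */
uint32_t demo_client_open(const struct demo_token *tok, uint32_t desired,
                          bool priv_supported, uint32_t *granted, int *attempts)
{
    uint32_t status = demo_open_check(tok, desired, priv_supported, granted);
    *attempts = 1;
    if (status == NT_STATUS_PRIVILEGE_NOT_HELD &&
        (desired & SEC_FLAG_SYSTEM_SECURITY)) {
        *attempts = 2;
        status = demo_open_check(tok, desired & ~SEC_FLAG_SYSTEM_SECURITY,
                                 priv_supported, granted);
    }
    return status;
}

int main(void)
{
    struct demo_token auditor = { true };
    uint32_t granted;
    int attempts;
    demo_client_open(&auditor, DEMO_READ_CONTROL | SEC_FLAG_SYSTEM_SECURITY,
                     false, &granted, &attempts);
    printf("attempts=%d granted=0x%08x\n", attempts, (unsigned)granted);
    return 0;
}
```

A migration tool that does not retry stops at NT_STATUS_PRIVILEGE_NOT_HELD; one that retries should log the dropped bit so missing audit entries on the target are noticed.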
