granting SeSecurityPrivilege to user

Nagaraj Shyam Nagaraj_Shyam at symantec.com
Wed Oct 20 11:40:18 MDT 2010


I tried migration from the windows client side as well as from the samba
server side.

>How are you doing the copy ? Are you using a Windows tool to
>copy from the Windows to Samba share ? Currently we refuse file
>opens with an access mask that would require SeSecurityPrivilege
>(as you can see) and expect the client to retry without the
>SEC_FLAG_SYSTEM_SECURITY set. MS-Office will do this, so
>I'm interested in seeing what tool fails here.


I first used robocopy from a W2K3 R2 Windows client, with command line
arguments:

robocopy srcdir destdir /B /COPYALL

destdir is actually a folder on the samba share.  I am running the
command while logged in as domain administrator on the windows client.

Strangely, robocopy retries the directory creation attempts - from the
traces, most of the directories are migrated correctly; however, the
regular file create attempts are not retried upon the above failure.
Obviously MS-Office does things differently.
The actual error I see on the robocopy side is:
"2010/10/19 15:45:23 ERROR 1314 (0x00000522) Copying NTFS Security to
Destination Directory ... A required privilege is not held by the
client. "

>> net rpc share migrate files also seems to have issues copying folders
>> from the windows share if any acl is present on a directory that has a
>> ACE with "deny everyone else rule", the migrate prints the error:
>>
>> could not handle dir \foldername: NT_STATUS_ACCESS_DENIED
>> 
>> I used the above command with --acls --attrs -timestamps option.

>What ACL setting do you have on Samba server ?

For the migration attempt from samba server side, following are some
additional details:
The samba share is empty before the migration attempt, and the top
directory has 0777 as the permissions bit, i.e. everyone is allowed full
access (this is just during the migrate).  So, there is no specific
windows ACL set on the top level folder on the samba side.  On the
windows side, the top level folder (source dir) has "everyone full
access".  The NT_STATUS_ACCESS_DENIED error is when the "net rpc migrate
..." utility attempts to access one of the Windows source directories that
has a "deny everyone else ACE".  I am running the command with the -U
domainadmin%password option; the complete command line looks as follows:

net rpc share migrate -U domainname\\administrator%password files -S serverip --destination=localhost --acls --attrs --timestamps

>I'm guessing this
>is a problem with mapping the DENY ACL into POSIX ACLs. My recent
>jumbo-patch would fix this (still working on getting it back-ported
>to 3.5.x, keep getting hit by other bugs first :-).

Your patch will definitely help with some of the issues with robocopy
migration (the net rpc migrate problem seems to be totally different).
There seem to be a couple of different issues with robocopy migration:

1. windows acl gets modified during the directory migration to samba
share.
2. regular files that get the NT_STATUS_PRIVILEGE_NOT_HELD error.

#1 will most definitely be fixed with your patch.  #2 might need the
additional change suggested by Andrew.


-s
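
The refuse-and-retry behaviour discussed in this message, as an added example that is not part of the original post and is not Samba code. It decodes an NT access mask as seen in a trace and models a client that retries without SEC_FLAG_SYSTEM_SECURITY versus one that does not. The function names, the privilege set and the sample mask are constructed for illustration; the privilege check is an assumption modelled on Windows semantics.

```python
# Added illustration of the refuse-and-retry behaviour; not Samba source code.
SEC_FLAG_SYSTEM_SECURITY = 0x01000000      # ACCESS_SYSTEM_SECURITY: SACL access
NT_STATUS_OK = 0x00000000
NT_STATUS_PRIVILEGE_NOT_HELD = 0xC0000061  # Win32 ERROR 1314 (0x522) on the client

ACCESS_BITS = {
    0x00000001: "FILE_READ_DATA", 0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA", 0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA", 0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD", 0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
    SEC_FLAG_SYSTEM_SECURITY: "ACCESS_SYSTEM_SECURITY",
    0x02000000: "MAXIMUM_ALLOWED", 0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE", 0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}

def decode_mask(mask):
    """Names of the bits set in an access mask; undefined bits shown in hex."""
    names = [name for bit, name in ACCESS_BITS.items() if mask & bit]
    unknown = mask & ~sum(ACCESS_BITS)
    if unknown:
        names.append(hex(unknown))
    return names

def server_open(mask, privileges):
    """Hypothetical server check: SACL access needs SeSecurityPrivilege."""
    if mask & SEC_FLAG_SYSTEM_SECURITY and "SeSecurityPrivilege" not in privileges:
        return NT_STATUS_PRIVILEGE_NOT_HELD
    return NT_STATUS_OK

def client_open(mask, privileges, retry_without_sacl):
    """Return (final status, mask finally requested, number of attempts)."""
    status, attempts = server_open(mask, privileges), 1
    if status == NT_STATUS_PRIVILEGE_NOT_HELD and retry_without_sacl:
        mask &= ~SEC_FLAG_SYSTEM_SECURITY   # give up the SACL, keep DACL/owner
        status, attempts = server_open(mask, privileges), 2
    return status, mask, attempts

SAMPLE_MASK = 0x010F01FF  # constructed: file rights + DACL/owner + SACL access

if __name__ == "__main__":
    print(decode_mask(SAMPLE_MASK))
    for retry in (False, True):
        status, mask, n = client_open(SAMPLE_MASK, set(), retry)
        print(f"retry={retry}: status=0x{status:08X} mask=0x{mask:08X} attempts={n}")
```

A client that retries loses only the SACL (auditing entries); the owner and DACL bits remain in the second request.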



