granting SeSecurityPrivilege to user

Jeremy Allison jra at
Wed Oct 20 15:25:34 MDT 2010

On Wed, Oct 20, 2010 at 10:40:18AM -0700, Nagaraj Shyam wrote:
> I tried migration from the windows client side as well as from the samba
> server side.
> >How are you doing the copy ? Are you using a Windows tool to
> >copy from the Windows to Samba share ? Currently we refuse file
> >opens with an access mask that would require SeSecurityPrivilege
> >(as you can see) and expect the client to retry without the
> >SEC_FLAG_SYSTEM_SECURITY set. MS-Office will do this, so
> >I'm interested in seeing what tool fails here.
> I first used robocopy from a w23k r2 windows client, with command line
> arguments:
> robocopy srcdir destdir /B /COPYALL
> destdir is actually a folder on the samba share.  I am running the
> command while logged in as domain administrator on the windows client.
> strangely, robocopy retries the directory creation attempts - from the
> traces, most of the directories are migrated correctly, however the
> regular file create attempts are not retried upon the above failure.
> Obviously ms-office does things differently.
> The actual error I see on the robocopy side is:
> "2010/10/19 15:45:23 ERROR 1314 (0x00000522) Copying NTFS Security to
> Destination Directory ... A required privilege is not held by the
> client. "

Checking into the command line args for ROBOCOPY it says:

/COPY:copyflag[s] :: what to COPY for files (default is /COPY:DAT).
(copyflags : D=Data, A=Attributes, T=Timestamps).
(S=Security=NTFS ACLs, O=Owner info, U=aUditing info).

/COPYALL :: COPY ALL file info (equivalent to /COPY:DATSOU).

Try /COPY:DATSO instead of /COPYALL. That should not copy
the U=aUditing info (which we're not using currently anyway).


More information about the samba-technical mailing list