smbcacls with -P option fails with NT_STATUS_INVALID_OWNER

Shilpa K shilpa.krishnareddy at
Tue Mar 24 04:10:18 MDT 2015


In a member server configuration, we had added the machine account to
"admin users" parameter in the SMB.CONF file. Afterwards, when we executed
smbcacls with -P option to change owner/ set ACLs, it failed with
After investigation, we found that the user needed restore privilege in
order to change owner. This is in Samba 3.6+ version. As a simple fix, we
thought of not checking for restore privilege when the SMBD process is
running in root context. Another option that we had was to port fix from
4.* code which does not check for restore privilege provided the user
has SEC_STD_WRITE_DAC/SEC_STD_WRITE_OWNER access. So, we pulled out the
changes present in the routine set_sd() in nttrans.c file. To be certain
that we do not run into any regression, we wanted to understand why restore
privilege check is not required when changing owner. I tried searching for
a related bug in bugzilla but could not find one. So, posting this query
here. Can you please explain why restore privilege check is not required
while changing owner as long as the user has


More information about the samba-technical mailing list