smbcacls with -P option fails with NT_STATUS_INVALID_OWNER

[Richard Sharpe]

On Tue, Mar 24, 2015 at 3:10 AM, Shilpa K <shilpa.krishnareddy at gmail.com> wrote:
> Hello,
>
> In a member server configuration, we had added the machine account to
> "admin users" parameter in the SMB.CONF file. Afterwards, when we executed
> smbcacls with -P option to change owner/ set ACLs, it failed with
> NT_STATUS_INVALID_OWNER.
> After investigation, we found that the user needed restore privilege in
> order to change owner. This is in Samba 3.6+ version. As a simple fix, we
> thought of not checking for restore privilege when the SMBD process is
> running in root context. Another option that we had was to port fix from
> 4.* code which does not check for restore privilege provided the user
> has SEC_STD_WRITE_DAC/SEC_STD_WRITE_OWNER access. So, we pulled out the
> changes present in the routine set_sd() in nttrans.c file. To be certain
> that we do not run into any regression, we wanted to understand why restore
> privilege check is not required when changing owner. I tried searching for
> a related bug in bugzilla but could not find one. So, posting this query
> here. Can you please explain why restore privilege check is not required
> while changing owner as long as the user has
> SEC_STD_WRITE_DAC/SEC_STD_WRITE_OWNER?

Well, SeRestorePrivilege is not needed if a user explicitly has
WRITE_OWNER, although in your case that does not apply since I imagine
that the machine account is not mentioned in the DACL.

SeRestorePrivilege is only needed in cases where the account is a
backup/restore account that is unlikely to be mentioned in the DACL.

I suspect to correct way to handle the semantics you want is to give
admin users the privs you want (SeRestorePrivilege), but I don't think
Samba 3.6.x handles that correctly..

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)