[Samba] Can't modify ms word files with samba 3.3

[Jeremy Allison]

On Tue, Feb 24, 2009 at 09:33:56PM +0100, François Legal wrote:
> 
> 
> Hello, 
> I tried this week to upgrade my samba 3.2.4 (2 PDCs one trusting the
> other) to samba 3.3.0 then samba 3.3.1, and apart from the problem
> with winbindd and trusted domain, my users are not able to modify any
> ms word document (excel does the same). 
> 
> You can open the file correctly, modify it, and when saving it, it
> pops up "Access denied" 
> 
> If you try to save the file in the same directory with another name,
> it does not work either (sam "access denied" message). 
> I tried to set og level to 10, but could not find anything pointing
> me to the right direction. 
> Can anybody help ? 

Ok, looking in the log I've found the problem. The application
is asking for an access mask of 0x1020000, which maps to

READ_CONTROL_ACCESS (which we grant) and SEC_RIGHT_SYSTEM_SECURITY
(ie. access to the system security ACL - the audit ACL) on the
file.

>From this page: 

http://msdn.microsoft.com/en-us/library/aa379321(VS.85).aspx

"SACL Access Right

The ACCESS_SYSTEM_SECURITY access right controls the ability to get or set the SACL in an object's security descriptor. The system grants this access right only if the SE_SECURITY_NAME privilege is enabled in the access token of the requesting thread."

We do not support the SE_SECURITY_NAME privilege and don't
allow setting SACLs (we don't support them).

Someone else has already raised this previously. Do your
users have the SE_SECURITY_NAME privilege in their local
tokens (ie. are they allowed to set SACLs on their local
filesystem). Does this happen to non-privileged users ?

A suggestion has been made to ignore the SEC_RIGHT_SYSTEM_SECURITY
request (just mask it out) for filesystem access while
we don't support SACLs, but I'm concerned as to why the
application is trying to request it ?

Jeremy.