[Samba] Can't modify ms word files with samba 3.3

François Legal devel at thom.fr.eu.org
Wed Feb 25 23:26:52 GMT 2009 

> Ok, looking in the log I've found the problem. The application
> is asking for an access mask of 0x1020000, which maps to
> 
> READ_CONTROL_ACCESS (which we grant) and SEC_RIGHT_SYSTEM_SECURITY
> (ie. access to the system security ACL - the audit ACL) on the
> file.
> 
> From this page: 
> 
> http://msdn.microsoft.com/en-us/library/aa379321(VS.85).aspx
> 
> "SACL Access Right
> 
> The ACCESS_SYSTEM_SECURITY access right controls the ability to get or
set
> the SACL in an object's security descriptor. The system grants this
access
> right only if the SE_SECURITY_NAME privilege is enabled in the access
token
> of the requesting thread."
> 
> We do not support the SE_SECURITY_NAME privilege and don't
> allow setting SACLs (we don't support them).
> 
> Someone else has already raised this previously. Do your
> users have the SE_SECURITY_NAME privilege in their local
> tokens (ie. are they allowed to set SACLs on their local
> filesystem). Does this happen to non-privileged users ?
> 
> A suggestion has been made to ignore the SEC_RIGHT_SYSTEM_SECURITY
> request (just mask it out) for filesystem access while
> we don't support SACLs, but I'm concerned as to why the
> application is trying to request it ?
> 
> Jeremy.

To be honnest, I did not really understand what SACL is. Are you talking
about file and directories ACLs ?

How do I know if my users have the SE_SECURITY_NAME  priviledge. My users
(especially the one who is accessing the file in the log) are normal users
without any specific priviledge (not even doamin admins nor local
workstation admin). However, they're not prevented from setting files and
directories ACLs neither on local nor network drives (they're welcome to as
our filesystems are XFS).

About the application requesting something specific, I don't know. The
file was created with that same version of MS Word (2007) by that same user
(the one trying to modify it as in the log) but with another samba version
(one of 3.2.0 3.2.2 or 3.2.4)

Where should I go from here?

Thank youfor helping

François

More information about the samba mailing list