[Samba] Can't modify ms word files with samba 3.3
Jeremy Allison
jra at samba.org
Thu Mar 5 00:20:11 GMT 2009
On Wed, Mar 04, 2009 at 08:47:25AM +0100, Olivier Doremieux wrote:
> Hello,
>
> I have the same problem with samba 3.3.0 and 3.3.1. I used to be able to
> edit some MS Word file on a shared network.
> What should I do to fix this problem? Is there a way to change some
> config file?

Ok, I think I have a good fix for this. The key is to properly
cause smbd to return NT_STATUS_PRIVILEGE_NOT_HELD and get
the client to fall back when it's asking for SEC_RIGHT_SYSTEM_SECURITY
(security ACL audit access) which we don't currently support.

Can you please apply this patch on top of 3.3.1 and see if
it fixes the problem?

This supersedes my previous patch, which didn't work
as it would only cause NT_STATUS_PRIVILEGE_NOT_HELD to
be returned on status opens, not all opens.

Thanks,

Jeremy.
-------------- next part --------------
diff --git a/source/smbd/open.c b/source/smbd/open.c
index 9b51ff0..ee730c7 100644
--- a/source/smbd/open.c
+++ b/source/smbd/open.c
@@ -2382,6 +2382,14 @@ NTSTATUS open_directory(connection_struct *conn,
return status;
}
+ /* We need to support SeSecurityPrivilege for this. */
+ if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) {
+ DEBUG(10, ("open_directory: open on %s "
+ "failed - SEC_RIGHT_SYSTEM_SECURITY denied.\n",
+ fname));
+ return NT_STATUS_PRIVILEGE_NOT_HELD;
+ }
+
switch( create_disposition ) {
case FILE_OPEN:
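Review bot: the comment on the new access_mask test in open_directory ("We need to support SeSecurityPrivilege for this.") reads as a to-do and does not say that the open is refused for every caller whenever SEC_RIGHT_SYSTEM_SECURITY is set in the mask. Reword it to state the behaviour, for example that SeSecurityPrivilege is not implemented yet and any directory open requesting SEC_RIGHT_SYSTEM_SECURITY is therefore failed with NT_STATUS_PRIVILEGE_NOT_HELD so that the client can fall back. The same mask test is repeated in create_file_unixpath; a small shared helper would keep the two from drifting apart once the privilege is supported.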
@@ -2915,8 +2923,23 @@ NTSTATUS create_file_unixpath(connection_struct *conn,
status = NT_STATUS_PRIVILEGE_NOT_HELD;
goto fail;
}
+#else
+ /* We need to support SeSecurityPrivilege for this. */
+ if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) {
+ status = NT_STATUS_PRIVILEGE_NOT_HELD;
+ goto fail;
+ }
+ /* Don't allow a SACL set from an NTtrans create until we
+ * support SeSecurityPrivilege. */
+ if (!VALID_STAT(sbuf) &&
+ lp_nt_acl_support(SNUM(conn)) &&
+ sd && (sd->sacl != NULL)) {
+ status = NT_STATUS_PRIVILEGE_NOT_HELD;
+ goto fail;
+ }
#endif
+
if ((conn->fs_capabilities & FILE_NAMED_STREAMS)
&& is_ntfs_stream_name(fname)
&& (!(create_options & NTCREATEX_OPTIONS_PRIVATE_STREAM_DELETE))) {
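Review bot: the two checks added under #else in create_file_unixpath set NT_STATUS_PRIVILEGE_NOT_HELD and goto fail without logging anything, while the matching check in open_directory emits a DEBUG(10) line naming the file. Add a similar DEBUG before each goto fail so that a refused SEC_RIGHT_SYSTEM_SECURITY or SACL request can be told apart from other create failures in the log. The SACL test is also limited to !VALID_STAT(sbuf) and lp_nt_acl_support(SNUM(conn)); the comment should say why a security descriptor with sd->sacl set is not refused when the file already exists. Finally, both checks compile only in the #else branch, so it is worth confirming in the commit message which build configuration takes the #if branch and that it returns the same status there.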