Steve Tice stic6021 at gmail.com
Tue Dec 18 11:24:04 MST 2012

Can anybody provide the expected response to an SMB2 CREATE request that
includes ACCESS_SYSTEM_SECURITY in the DesiredAccess mask? I’m particularly
interested in cases where the SMB client is connected as an authenticated
user with administrative (superuser) privileges on the share, and has made
the request on a directory. Should such a client expect full (read/change)
access to the SACL (under any conditions)?

The question above is theoretical in nature. Practically speaking, does any
version of the Samba server respond correctly to the request described
above? I have a Windows application that makes such a request, and have
tested it against Samba server versions 3.5.10-125.el6 and 3.6.7. I keep
seeing a response of NT_STATUS_PRIVILEGE_NOT_HELD, and think that's not the
correct response when the client has superuser privileges - but perhaps my
expectation is wrong. If I make the same request while connected to a share
on a Windows server, the response is NT_STATUS_OK.

Is there a Samba server configuration change I could make that would affect
the behavior? Is there any setup work to do prior to sending the SMB2
CREATE request (for example, adding a privilege)?

Steve Tice
stic6021 at gmail.com <stic6021 at yahoo.com>

More information about the samba mailing list