Jeremy Allison jra at samba.org
Wed Dec 26 17:22:46 MST 2012

On Tue, Dec 18, 2012 at 12:24:04PM -0600, Steve Tice wrote:
> Can anybody provide the expected response to an SMB2 CREATE request that
> includes ACCESS_SYSTEM_SECURITY in the DesiredAccess mask? I’m particularly
> interested in cases where the SMB client is connected as an authenticated
> user with administrative (superuser) privileges on the share, and has made
> the request on a directory. Should such a client expect full (read/change)
> access to the SACL (under any conditions)?
> The question above is theoretical in nature. Practically speaking, does any
> version of the Samba server respond correctly to the request described
> above? I have a Windows application that makes such a request, and have
> tested it against Samba server versions 3.5.10-125.el6 and 3.6.7. I keep
> seeing a response of NT_STATUS_PRIVILEGE_NOT_HELD, and think that's not the
> correct response when the client has superuser privileges - but perhaps my
> expectation is wrong. If I make the same request while connected to a share
> on a Windows server, the response is NT_STATUS_OK.
> Is there a Samba server configuration change I could make that would affect
> the behavior? Is there any setup work to do prior to sending the SMB2
> CREATE request (for example, adding a privilege)?

You need to give the connected user the SeSecurity privilege.


More information about the samba mailing list