[Samba] STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set

Tom Lee tlee2951 at gmail.com
Fri Feb 24 09:00:36 MST 2012


I've been trying to run a .NET app on Windows 2008 against a Samba v3.6.1
server running on OpenSuse x64 v12.1 but keep running into problems.

What the .NET app is doing is trying to read the ACL for a directory using
UNC path pointing to a directory below the "users" share on the samba
server.   The app is running as user Administrator. On the samba side the
Administrator user has been given the following priviliges:
 SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, and
SeTakeOwnershipPrivilege.

Specifically the .NET/C# method call being made is below: In this case
srcFolderName is something like "\\SambaServer\users\Administrator":

DirectorySecurity srcFolderSecurity =
Directory.GetAccessControl(srcFolderName,  AccessControlSections.All);

Calling this method results in an Exception. I can see from a Wireshark
trace that the exception corresponds to an error being returned from a call
to NTCreateAndx for a user folder named "\Administrator" and Access Mask
set to 0x01020080. The bit that seems to cause problems when set is the
System Security bit (0x01000000).

Originally before I had given user Administrator any privileges (using net
rpc rights grant...), the NTCreateAndX response error was
*STATUS_PRIVILEGE_NOT_HELD.
 After granting privileges the error changed to STATUS_ACCESS_DENIED. *
*
*
*Looking at the log.smbd with debugLevel = 10. I can see the following
relevant trace info:*
*
*
*
[2012/02/23 12:35:24.190992, 10]
smbd/open.c:1430(smbd_calculate_access_mask)
  smbd_calculate_access_mask: Access denied on file Administrator: rejected
by share access mask[0x101F01FF] orig[0x01020080] mapped[0x01020080]
reject[0x01000000]
[2012/02/23 12:35:24.191049, 10] smbd/open.c:1761(open_file_ntcreate)
  open_file_ntcreate: smbd_calculate_access_mask on file Administrator
returned NT_STATUS_ACCESS_DENIED
[2012/02/23 12:35:24.191107,  5] smbd/files.c:464(file_free)
  freed files structure 9877 (0 used)
[2012/02/23 12:35:24.191162, 10] smbd/open.c:3420(create_file_unixpath)
  create_file_unixpath: NT_STATUS_ACCESS_DENIED
[2012/02/23 12:35:24.191216, 10] smbd/open.c:3700(create_file_default)
  create_file: NT_STATUS_ACCESS_DENIED

Other things I've tried:

- Adding "admin users = Administrator" to the [users] share section in the
smb.conf
- Doing chmod 777 on all folders from the [users] share root and below

Am I missing anything? Is there anything else I can try to see if I can get
past the NT_STATUS_ACCESS_DENIED?

Thanks in advance for your help/suggestions.
*
*
*
*
*


More information about the samba mailing list