[Samba] STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
Jeremy Allison
jra at samba.org
Mon Feb 27 14:44:33 MST 2012
On Fri, Feb 24, 2012 at 09:00:36AM -0700, Tom Lee wrote:
> I've been trying to run a .NET app on Windows 2008 against a Samba v3.6.1
> server running on OpenSuse x64 v12.1 but keep running into problems.
>
> What the .NET app is doing is trying to read the ACL for a directory using
> UNC path pointing to a directory below the "users" share on the samba
> server. The app is running as user Administrator. On the samba side the
> Administrator user has been given the following privileges:
> SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, and
> SeTakeOwnershipPrivilege.
>
> Specifically the .NET/C# method call being made is below: In this case
> srcFolderName is something like "\\SambaServer\users\Administrator":
>
> DirectorySecurity srcFolderSecurity =
> Directory.GetAccessControl(srcFolderName, AccessControlSections.All);
>
> Calling this method results in an Exception. I can see from a Wireshark
> trace that the exception corresponds to an error being returned from a call
> to NTCreateAndx for a user folder named "\Administrator" and Access Mask
> set to 0x01020080. The bit that seems to cause problems when set is the
> System Security bit (0x01000000).
>
> Originally before I had given user Administrator any privileges (using net
> rpc rights grant...), the NTCreateAndX response error was
> STATUS_PRIVILEGE_NOT_HELD.
> After granting privileges the error changed to STATUS_ACCESS_DENIED.
>
> Looking at the log.smbd with debugLevel = 10, I can see the following
> relevant trace info:
>
> [2012/02/23 12:35:24.190992, 10]
> smbd/open.c:1430(smbd_calculate_access_mask)
> smbd_calculate_access_mask: Access denied on file Administrator: rejected
> by share access mask[0x101F01FF] orig[0x01020080] mapped[0x01020080]
> reject[0x01000000]
> [2012/02/23 12:35:24.191049, 10] smbd/open.c:1761(open_file_ntcreate)
> open_file_ntcreate: smbd_calculate_access_mask on file Administrator
> returned NT_STATUS_ACCESS_DENIED
> [2012/02/23 12:35:24.191107, 5] smbd/files.c:464(file_free)
> freed files structure 9877 (0 used)
> [2012/02/23 12:35:24.191162, 10] smbd/open.c:3420(create_file_unixpath)
> create_file_unixpath: NT_STATUS_ACCESS_DENIED
> [2012/02/23 12:35:24.191216, 10] smbd/open.c:3700(create_file_default)
> create_file: NT_STATUS_ACCESS_DENIED
Ok, there is this chunk of code inside libcli/security/access_check.c
    /* s3 had this with #if 0 previously. To be sure the merge
       doesn't change any behaviour, we have the above #if check
       on _SAMBA_BUILD_. */
    if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
        if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
            bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
        } else {
            return NT_STATUS_PRIVILEGE_NOT_HELD;
        }
    }

in the current v3-6-test git tree. Can you check if this is
#ifdef'ed out in your code?
Jeremy.
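The two checks this thread turns on, worked through as an added example (this is not Samba's code, nor Tom's or Jeremy's): first the privilege check Jeremy quoted from access_check.c, where requesting SEC_FLAG_SYSTEM_SECURITY (0x01000000) without SeSecurityPrivilege yields PRIVILEGE_NOT_HELD, and then the share-level check whose debug line Tom posted, where every requested bit missing from the share's access mask lands in the reject set. The constants are the values from Tom's log (share mask 0x101F01FF, requested mask 0x01020080); the order of the two checks follows the sequence of errors he saw (PRIVILEGE_NOT_HELD before the grant, ACCESS_DENIED after); the status enum and the function names are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit values taken from the report: the System Security flag, the share
 * access mask and the requested mask printed by smbd at debug level 10. */
#define SEC_FLAG_SYSTEM_SECURITY 0x01000000u
#define REPORTED_SHARE_MASK      0x101F01FFu  /* "share access mask[0x101F01FF]" */
#define REPORTED_DESIRED_MASK    0x01020080u  /* "orig[0x01020080]" */

/* Outcomes named after the NT status values that appear in the thread
 * (modelled enum, not Samba's NTSTATUS type). */
typedef enum {
    MODEL_OK = 0,
    MODEL_PRIVILEGE_NOT_HELD,
    MODEL_ACCESS_DENIED
} model_status;

typedef struct {
    model_status status;
    uint32_t remaining; /* bits still to be granted after privilege handling */
    uint32_t reject;    /* bits the share access mask does not permit */
} model_result;

/* Step 1: the privilege check quoted from access_check.c. Asking for
 * SEC_FLAG_SYSTEM_SECURITY without SeSecurityPrivilege fails outright;
 * holding the privilege satisfies that bit and removes it from the
 * remaining set, so the ACL walk never has to grant it. */
static model_status privilege_check(uint32_t desired, int has_sec_priv,
                                    uint32_t *remaining)
{
    *remaining = desired;
    if (desired & SEC_FLAG_SYSTEM_SECURITY) {
        if (!has_sec_priv) {
            return MODEL_PRIVILEGE_NOT_HELD;
        }
        *remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
    }
    return MODEL_OK;
}

/* Step 2: the share-level check. The log shows it is applied to the
 * original requested mask, so any bit absent from the share's access
 * mask is rejected even when a privilege already satisfied it. */
static uint32_t share_mask_reject(uint32_t share_mask, uint32_t desired)
{
    return desired & ~share_mask;
}

/* Run both checks in the order the reported errors suggest. */
model_result model_open_check(uint32_t share_mask, uint32_t desired,
                              int has_sec_priv)
{
    model_result r = { MODEL_OK, 0, 0 };
    r.status = privilege_check(desired, has_sec_priv, &r.remaining);
    if (r.status != MODEL_OK) {
        return r;
    }
    r.reject = share_mask_reject(share_mask, desired);
    if (r.reject != 0) {
        r.status = MODEL_ACCESS_DENIED;
    }
    return r;
}

static const char *status_name(model_status s)
{
    switch (s) {
    case MODEL_OK:                 return "OK";
    case MODEL_PRIVILEGE_NOT_HELD: return "PRIVILEGE_NOT_HELD";
    default:                       return "ACCESS_DENIED";
    }
}

static void show(const char *label, model_result r)
{
    printf("%-34s status=%-18s remaining=0x%08X reject=0x%08X\n",
           label, status_name(r.status), r.remaining, r.reject);
}

int main(void)
{
    /* Before the grant: privilege check fails first. */
    show("no SeSecurityPrivilege",
         model_open_check(REPORTED_SHARE_MASK, REPORTED_DESIRED_MASK, 0));
    /* After the grant: the share mask still lacks 0x01000000. */
    show("privilege held, reported share mask",
         model_open_check(REPORTED_SHARE_MASK, REPORTED_DESIRED_MASK, 1));
    /* Hypothetical share mask that also carries the System Security bit. */
    show("privilege held, mask incl. 0x01000000",
         model_open_check(REPORTED_SHARE_MASK | SEC_FLAG_SYSTEM_SECURITY,
                          REPORTED_DESIRED_MASK, 1));
    /* Same request without the System Security bit: no privilege needed. */
    show("READ_CONTROL|READ_ATTRIBUTES only",
         model_open_check(REPORTED_SHARE_MASK, 0x00020080u, 0));
    return 0;
}
```

With the reported values the second call reproduces the log line exactly: reject is 0x01000000, because 0x01020080 & ~0x101F01FF leaves only the System Security bit, while the privilege check has already passed. That is why granting SeSecurityPrivilege moved the error from PRIVILEGE_NOT_HELD to ACCESS_DENIED rather than making the open succeed.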