[Samba] [solved] SMB2 CREATE + ACCESS_SYSTEM_SECURITY
stic6021 at gmail.com
Wed Jan 2 12:36:41 MST 2013
> > On Tue, Dec 18, 2012 at 12:24:04PM -0600, Steve Tice wrote:
> > > Can anybody provide the expected response to an SMB2 CREATE request that
> > > includes ACCESS_SYSTEM_SECURITY in the DesiredAccess mask? I’m
> > > interested in cases where the SMB client is connected as an authenticated
> > > user with administrative (superuser) privileges on the share, and has made
> > > the request on a directory. Should such a client expect full (read/change)
> > > access to the SACL (under any conditions)?
> > >
> > > The question above is theoretical in nature. Practically speaking, does
> > > version of the Samba server respond correctly to the request described
> > > above? I have a Windows application that makes such a request, and have
> > > tested it against Samba server versions 3.5.10-125.el6 and 3.6.7. I keep
> > > seeing a response of NT_STATUS_PRIVILEGE_NOT_HELD, and think that's not
> > > correct response when the client has superuser privileges - but perhaps my
> > > expectation is wrong. If I make the same request while connected to a
> > > on a Windows server, the response is NT_STATUS_OK.
> > >
> > > Is there a Samba server configuration change I could make that would
> > > the behavior? Is there any setup work to do prior to sending the SMB2
> > > CREATE request (for example, adding a privilege)?
With all humility, please accept my apology for making a false claim on this
topic. In my test bed, another factor (specifically a FUSE implementation) was
found to be the root cause of the unexpected server behavior. With the root
cause now corrected, my test bed with Samba 3.5.10-125.el6 is behaving as
expected and is passing the previously posted test case.
To summarize, there is no Samba bug associated with clients that want
SYSTEM_SECURITY access to a share.
More information about the samba