Steve Tice stic6021 at gmail.com
Wed Jan 2 12:36:41 MST 2013

> > On Tue, Dec 18, 2012 at 12:24:04PM -0600, Steve Tice wrote:
> > > Can anybody provide the expected response to an SMB2 CREATE request that
> > > includes ACCESS_SYSTEM_SECURITY in the DesiredAccess mask? I’m 
> > > interested in cases where the SMB client is connected as an authenticated
> > > user with administrative (superuser) privileges on the share, and has made
> > > the request on a directory. Should such a client expect full (read/change)
> > > access to the SACL (under any conditions)?
> > > 
> > > The question above is theoretical in nature. Practically speaking, does 
> > > version of the Samba server respond correctly to the request described
> > > above? I have a Windows application that makes such a request, and have
> > > tested it against Samba server versions 3.5.10-125.el6 and 3.6.7. I keep
> > > seeing a response of NT_STATUS_PRIVILEGE_NOT_HELD, and think that's not 
> > > correct response when the client has superuser privileges - but perhaps my
> > > expectation is wrong. If I make the same request while connected to a 
> > > on a Windows server, the response is NT_STATUS_OK.
> > > 
> > > Is there a Samba server configuration change I could make that would 
> > > the behavior? Is there any setup work to do prior to sending the SMB2
> > > CREATE request (for example, adding a privilege)?

With all humility, please accept my apology for making a false claim on this 
topic. In my test bed, another factor (specifically a FUSE implementation) was 
found to be the root cause of the unexpected server behavior. With the root 
cause now corrected, my test bed with Samba 3.5.10-125.el6 is behaving as 
expected and is passing the previously posted test case.

To summarize, there is no Samba bug associated with clients that want 
SYSTEM_SECURITY access to a share.

More information about the samba mailing list