[Samba] NT_STATUS_ACCESS_DENIED (I can write and read, but not replace)
Jason Pyeron
jpyeron at pdinc.us
Mon Feb 2 16:41:52 MST 2015
I need help interpreting this issue, thanks in advance.
A file was created by user nli on Windows 7; that user can manipulate the file at will.
If user jpyeron tries to manipulate the file on XPx64 the below happens.
# smbd -V
Version 3.0.33-3.40.el5_10
[2015/02/02 18:34:15, 8] smbd/dosmode.c:dos_mode_from_sbuf(188)
dos_mode_from_sbuf returning
[2015/02/02 18:34:15, 8] smbd/dosmode.c:dos_mode(409)
dos_mode returning
[2015/02/02 18:34:15, 5] smbd/open.c:open_directory(2057)
open_directory: opening directory tax/2014/gttsc, access_mask = 0x20000, share_access = 0x3 create_options = 0x0, create_disposition = 0x1, file_attributes = 0x10
[2015/02/02 18:34:15, 5] smbd/files.c:file_new(123)
allocated file structure 9908, fnum = 14004 (1 used)
[2015/02/02 18:34:15, 10] locking/locking.c:unparse_share_modes(681)
unparse_share_modes: del: 0, tok = 0, num: 1
[2015/02/02 18:34:15, 10] locking/locking.c:print_share_mode_table(498)
print_share_mode_table: share_mode_entry[0]: pid = 10924, share_access = 0x3, private_options = 0x0, access_mask = 0x20000, mid = 0x0, type= 0x0, file_id = 15253, uid = 501, flags = 2, dev = 0xfd02, inode = 212042139
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:get_nt_acl(2768)
get_nt_acl: called for file tax/2014/gttsc
[2015/02/02 18:34:15, 5] smbd/posix_acls.c:get_nt_acl(2805)
get_nt_acl : file ACL absent, directory ACL absent
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:canonicalise_acl(2244)
canonicalise_acl: Access ace entries before arrange :
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:canonicalise_acl(2257)
canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms r-x
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:canonicalise_acl(2257)
canon_ace index 1. Type = allow SID = S-1-5-32-545 gid 512 (quickbooksusers) SMB_ACL_GROUP_OBJ perms rwx
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:canonicalise_acl(2257)
canon_ace index 2. Type = allow SID = S-1-5-32-544 uid 503 (nli) SMB_ACL_USER_OBJ perms rwx
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:print_canon_ace_list(598)
print_canon_ace_list: canonicalise_acl: ace entries after arrange
canon_ace index 0. Type = allow SID = S-1-5-32-544 uid 503 (nli) SMB_ACL_USER_OBJ perms rwx
canon_ace index 1. Type = allow SID = S-1-5-32-545 gid 512 (quickbooksusers) SMB_ACL_GROUP_OBJ perms rwx
canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms r-x
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:map_canon_ace_perms(874)
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:map_canon_ace_perms(874)
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:map_canon_ace_perms(874)
map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:merge_default_aces(2729)
merge_default_aces: Merging ACE 4 onto ACE 1.
[2015/02/02 18:34:15, 10] locking/locking.c:parse_share_modes(523)
parse_share_modes: delete_on_close: 0, num_share_modes: 1
[2015/02/02 18:34:15, 10] locking/locking.c:parse_share_modes(623)
parse_share_modes: share_mode_entry[0]: pid = 10924, share_access = 0x3, private_options = 0x0, access_mask = 0x20000, mid = 0x0, type= 0x0, file_id = 15253, uid = 501, flags = 2, dev = 0xfd02, inode = 212042139
[2015/02/02 18:34:15, 5] smbd/files.c:file_free(454)
freed files structure 14004 (0 used)
[2015/02/02 18:34:15, 10] lib/util_seaccess.c:se_access_check(233)
se_access_check: requested access 0x00000002, for NT token with 17 entries and first sid S-1-5-21-3650665210-738519219-1273585530-2002.
[2015/02/02 18:34:15, 3] lib/util_seaccess.c:se_access_check(250)
[2015/02/02 18:34:15, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-5-21-3650665210-738519219-1273585530-2002
se_access_check: also S-1-22-2-100
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-22-2-401
se_access_check: also S-1-22-2-534
se_access_check: also S-1-22-2-527
se_access_check: also S-1-22-2-56736
se_access_check: also S-1-22-2-526
se_access_check: also S-1-22-2-577
se_access_check: also S-1-22-2-512
se_access_check: also S-1-22-2-528
se_access_check: also S-1-22-2-559
se_access_check: also S-1-22-2-521
se_access_check: also S-1-22-2-564
se_access_check: also S-1-22-1-501
se_access_check: ACE 0: type 0, flags = 0x03, SID = S-1-5-32-545 mask = 1f01ff, current desired = 2
se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = 1f01ff, current desired = 2
se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-1-0 mask = 1200a9, current desired = 2
se_access_check: ACE 3: type 0, flags = 0x00, SID = S-1-5-32-545 mask = 1f01ff, current desired = 2
[2015/02/02 18:34:15, 5] lib/util_seaccess.c:se_access_check(314)
se_access_check: access (2) denied.
[2015/02/02 18:34:15, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/nttrans.c(697) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
Cacls says:
\\SERVERX\financial\tax\2014\gttsc\2014 Form 1120S S Corps Tax Return.tax2014 BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:F
BUILTIN\Users:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
Everyone:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_READ_DATA
FILE_READ_EA
FILE_READ_ATTRIBUTES
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- -
- Jason Pyeron PD Inc. http://www.pdinc.us -
- Principal Consultant 10 West 24th Street #100 -
- +1 (443) 269-1555 x333 Baltimore, Maryland 21218 -
- -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
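
The access check recorded in the debug log can be replayed offline. The following is an added example, not part of the original message and not Samba's code: it parses the se_access_check lines quoted above and walks the ACEs with a simplified allow/deny model (the names `parse` and `replay` and the model itself are assumptions).

```python
import re

# Lines copied from the se_access_check output in the post. The "also" list is
# abridged: every omitted entry is an S-1-22-2-* (Unix group) SID.
LOG = """\
se_access_check: requested access 0x00000002, for NT token with 17 entries and first sid S-1-5-21-3650665210-738519219-1273585530-2002.
se_access_check: user sid is S-1-5-21-3650665210-738519219-1273585530-2002
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-22-2-512
se_access_check: also S-1-22-1-501
se_access_check: ACE 0: type 0, flags = 0x03, SID = S-1-5-32-545 mask = 1f01ff, current desired = 2
se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = 1f01ff, current desired = 2
se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-1-0 mask = 1200a9, current desired = 2
se_access_check: ACE 3: type 0, flags = 0x00, SID = S-1-5-32-545 mask = 1f01ff, current desired = 2
"""
ACE_RE = re.compile(r"ACE (\d+): type (\d+), flags = 0x[0-9a-f]+, SID = (\S+) mask = ([0-9a-f]+)")

def parse(log):
    """Return (requested mask, token SID set, [(index, type, sid, mask)])."""
    requested = int(re.search(r"requested access (0x[0-9a-fA-F]+)", log).group(1), 16)
    token = set(re.findall(r"(?:user sid is|also) (S-[\d-]+)", log))
    aces = [(int(i), int(t), sid, int(m, 16)) for i, t, sid, m in ACE_RE.findall(log)]
    return requested, token, aces

def replay(log):
    """Simplified DACL walk (assumed model): a matching allow ACE (type 0) clears
    its bits from the desired mask; a matching deny ACE (type 1) refuses."""
    desired, token, aces = parse(log)
    trace = []
    for idx, ace_type, sid, mask in aces:
        if sid not in token:
            trace.append((idx, sid, "sid not in token"))
            continue
        if ace_type == 1 and desired & mask:
            trace.append((idx, sid, "deny"))
            return False, trace
        if ace_type == 0:
            desired &= ~mask
        trace.append((idx, sid, "matched, still desired 0x%x" % desired))
        if desired == 0:
            return True, trace
    return desired == 0, trace

if __name__ == "__main__":
    print(replay(LOG))
```

In this log only ACE 2 (S-1-1-0, mask 1200a9) matches a SID in the token, and that mask does not contain bit 0x2, so the requested access is still outstanding after the last ACE.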