[Samba] Can't change directory owner

Andrea Cucciarre acucciarre at cloudian.com
Tue Feb 7 14:51:22 UTC 2023


Hello Rowland,

It seems to me that it proceeds in the code you pasted (since dos filemode
= Yes) because in the following earlier piece of code it establishes that
the user doesn't have SEC_PRIV_RESTORE, which is what I don't
understand, because that user has the SeRestorePrivilege:

===========
	if (lp_enable_privileges()) {
		bool has_take_ownership_priv = security_token_has_privilege(
			get_current_nttok(fsp->conn),
			SEC_PRIV_TAKE_OWNERSHIP);
		bool has_restore_priv = security_token_has_privilege(
			get_current_nttok(fsp->conn),
			SEC_PRIV_RESTORE);

		if (has_restore_priv) {
			; /* Case (2) */
		} else if (has_take_ownership_priv) {
			/* Case (3) */
			if (uid == get_current_uid(fsp->conn)) {
				gid = (gid_t)-1;
			} else {
				has_take_ownership_priv = false;
			}
		}

		if (has_take_ownership_priv || has_restore_priv) {
			status = NT_STATUS_OK;
			become_root();
			ret = SMB_VFS_FCHOWN(fsp, uid, gid);
			if (ret != 0) {
				status = map_nt_error_from_unix(errno);
			}
			unbecome_root();
			return status;
		}
	}
========

Please note that the Windows Administrator user can successfully change the
owner.
Below is the output you requested [note that the user 'andrea' (id 11142)
wants to set the owner of the directory to user 'betty' (id 11150)]:

# testparm -s
Load smb config files from /opt/samba/etc/smb.conf
lpcfg_do_global_parameter: WARNING: The "enable privileges" option is deprecated
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
        client ldap sasl wrapping = plain
        dedicated keytab file = /etc/krb5.keytab
        disable spoolss = Yes
        host msdfs = No
        kerberos method = secrets and keytab
        load printers = No
        local master = No
        log file = /opt/samba/log/%I-%M-%m.log
        map to guest = Bad User
        max log size = 100000
        preferred master = No
        printcap name = /dev/null
        realm = HF3.LOCAL
        security = ADS
        server string = Data %h
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind expand groups = 4
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        workgroup = HYPERFILE3
        idmap config hyperfile3 : schema_mode = rfc2307
        idmap config hyperfile3 : range = 10000-20000000
        idmap config hyperfile3 : backend = rid
        idmap config * : schema_mode = rfc2307
        idmap config * : range = 3000-4000
        idmap config * : backend = tdb
        map acl inherit = Yes
        vfs objects = zfsacl

[test]
        dos filemode = Yes
        path = /test
        read only = No
        nfs4: mode = special
        nfs4: acedup = merge


# getent passwd 'HYPERFILE3\andrea'
HYPERFILE3\andrea:*:11142:10513::/home/HYPERFILE3/andrea:/bin/false

The ACLs are as follows; basically administrator, andrea and betty have full
permission:

# ls -lVd /test/dir/
drwxr-xr-x+  2 HYPERFILE3\andrea HYPERFILE3\domain users    4096 Feb  7 09:26 /test/dir/
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:r-x---a-R-c--s:-------:allow
              everyone@:r-x---a-R-c--s:-------:allow
    user:HYPERFILE3\administ:rwxpdDaARWcCos:fd----I:allow
    user:HYPERFILE3\andrea:rwxpdDaARWcCos:fd----I:allow
    user:HYPERFILE3\betty:rwxpdDaARWcCos:fd----I:allow

# net rpc rights list 'HYPERFILE3\andrea' -S 10.50.50.85 -U administrator
Enter administrator's password:
SeBackupPrivilege
SeRestorePrivilege


Regards
Andrea


On Tue, Feb 7, 2023 at 3:10 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

>
>
> On 07/02/2023 12:23, Andrea Cucciarre via samba wrote:
> > Hello,
> >
> > I am struggling to change the owner of directories in Samba share, from a
> > windows client.
> > In the Samba logs I can see the following error message:
> >
> > [2023/02/06 13:23:31.624803,  3]
> > ../../source3/modules/nfs4_acls.c:1042(smb_set_nt_acl_nfs4)
> >    chown New folder, 11150, 4294967295 failed. Error =
> > NT_STATUS_INVALID_OWNER.
> >
> > This points to the try_chown() in samba code, and as far as I can see it
> > should allow the chown if the user has the SeRestorePrivilege.
> > From Windows I have added the SeRestorePrivilege to that user, and actually
> > it seems samba can see it:
> >
> > # net rpc rights list 'DOMAIN\user' -S X.X.X.X -U Administrator
> > SeBackupPrivilege
> > SeRestorePrivilege
> >
> > So I can't understand why Samba doesn't recognize the SeRestorePrivilege
> > when handling a chown.
> >
> >
> > Regards
> > Andrea
>
> I think we are going to need more info here, starting with the current
> smb.conf (as shown by 'testparm -s'), the output of 'getent passwd
> DOMAIN\\user', the permissions set on the directory at the moment.
>
> Your error message seems to be coming from the block of code in try_chown:
>
>         /* only allow chown to the current user. This is more secure,
>            and also copes with the case where the SID in a take ownership ACL is
>            a local SID on the users workstation
>         */
>         if (uid != get_current_uid(fsp->conn)) {
>                 return NT_STATUS_INVALID_OWNER;
>         }
>
> Rowland
>


-- 
Andrea Cucciarre'
Global Technical Support Manager
Cloudian Inc.
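To make the decision path discussed in this thread concrete, the following is an added, simplified model of the try_chown() logic (constructed for this thread, not Samba's own code): it combines the privilege block Andrea pasted with the "only allow chown to the current user" fallback Rowland quoted, and it assumes that "dos filemode" gates the fallback, as Andrea's reply implies. The struct names, the `model_try_chown` function and the status enum are all hypothetical; the uids 11142 (andrea) and 11150 (betty) come from the thread.

```c
/* Simplified model of Samba's try_chown() decision, constructed for this
 * thread; it is not Samba's code. Inputs are the smb.conf options and the
 * privileges Samba actually sees on the session token, which is what decides
 * whether a chown to another user succeeds or returns NT_STATUS_INVALID_OWNER. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

typedef enum {
    ST_OK,            /* NT_STATUS_OK */
    ST_INVALID_OWNER, /* NT_STATUS_INVALID_OWNER */
    ST_ACCESS_DENIED  /* NT_STATUS_ACCESS_DENIED */
} chown_status;

/* Hypothetical view of the NT token: which privileges are present on it. */
typedef struct {
    bool has_restore;        /* SeRestorePrivilege / SEC_PRIV_RESTORE */
    bool has_take_ownership; /* SeTakeOwnershipPrivilege / SEC_PRIV_TAKE_OWNERSHIP */
} nt_token;

/* Hypothetical view of the relevant smb.conf settings. */
typedef struct {
    bool enable_privileges;  /* "enable privileges" (global) */
    bool dos_filemode;       /* "dos filemode" (share) */
} share_cfg;

/* Returns the status the model would hand back for a chown of a file to
 * `uid`, requested by the session user `current_uid`. `gid` is updated the
 * way the Case (3) branch does it. */
chown_status model_try_chown(const share_cfg *cfg, const nt_token *tok,
                             uid_t current_uid, uid_t uid, gid_t *gid)
{
    if (cfg->enable_privileges) {
        bool has_take_ownership_priv = tok->has_take_ownership;
        bool has_restore_priv = tok->has_restore;

        if (has_restore_priv) {
            ; /* Case (2): restore privilege allows any new owner */
        } else if (has_take_ownership_priv) {
            /* Case (3): take ownership only lets the caller become the owner */
            if (uid == current_uid) {
                *gid = (gid_t)-1;
            } else {
                has_take_ownership_priv = false;
            }
        }

        if (has_take_ownership_priv || has_restore_priv) {
            /* Samba would become_root() and call SMB_VFS_FCHOWN() here */
            return ST_OK;
        }
    }

    /* Assumed: without a usable privilege, "dos filemode" decides whether
     * the non-privileged path is reachable at all. */
    if (!cfg->dos_filemode) {
        return ST_ACCESS_DENIED;
    }

    /* The block Rowland quoted: only allow chown to the current user. */
    if (uid != current_uid) {
        return ST_INVALID_OWNER;
    }
    return ST_OK;
}

int main(void)
{
    share_cfg cfg = { .enable_privileges = true, .dos_filemode = true };
    gid_t gid = 10513;

    /* andrea (11142) sets the owner to betty (11150) with the restore
     * privilege present on the token: Case (2) applies. */
    nt_token with_restore = { .has_restore = true, .has_take_ownership = false };
    printf("restore priv on token : %d\n",
           model_try_chown(&cfg, &with_restore, 11142, 11150, &gid));

    /* Same request, but the token carries no privilege: falls through to
     * the "current user only" check and fails with NT_STATUS_INVALID_OWNER,
     * which matches the log line in the thread. */
    nt_token no_priv = { .has_restore = false, .has_take_ownership = false };
    printf("no priv on token      : %d\n",
           model_try_chown(&cfg, &no_priv, 11142, 11150, &gid));
    return 0;
}
```

The model shows why a listing from `net rpc rights list` is not by itself enough: what matters to try_chown() is whether the privilege is on the token returned by get_current_nttok() for that session, and a token without it ends in the NT_STATUS_INVALID_OWNER branch for any target owner other than the caller.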

