Jason Pyeron
2015-Feb-02  23:41 UTC
[Samba] NT_STATUS_ACCESS_DENIED (I can write and read, but not replace)
I need help interpreting this issue, thanks in advance.
A file was created by user nli on windows 7, that user can manipulate the file
at will.
If user jpyeron tries to manipulate the file on XPx64 the below happens.
# smbd -V
Version 3.0.33-3.40.el5_10
[2015/02/02 18:34:15, 8] smbd/dosmode.c:dos_mode_from_sbuf(188)
  dos_mode_from_sbuf returning
[2015/02/02 18:34:15, 8] smbd/dosmode.c:dos_mode(409)
  dos_mode returning
[2015/02/02 18:34:15, 5] smbd/open.c:open_directory(2057)
  open_directory: opening directory tax/2014/gttsc, access_mask = 0x20000,
share_access = 0x3 create_options = 0x0, create_disposition = 0x1,
file_attributes = 0x10
[2015/02/02 18:34:15, 5] smbd/files.c:file_new(123)
  allocated file structure 9908, fnum = 14004 (1 used)
[2015/02/02 18:34:15, 10] locking/locking.c:unparse_share_modes(681)
  unparse_share_modes: del: 0, tok = 0, num: 1
[2015/02/02 18:34:15, 10] locking/locking.c:print_share_mode_table(498)
  print_share_mode_table: share_mode_entry[0]:  pid = 10924, share_access = 0x3,
private_options = 0x0, access_mask = 0x20000, mid = 0x0, type= 0x0, file_id =
15253, uid = 501, flags = 2, dev = 0xfd02, inode = 212042139
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:get_nt_acl(2768)
  get_nt_acl: called for file tax/2014/gttsc
[2015/02/02 18:34:15, 5] smbd/posix_acls.c:get_nt_acl(2805)
  get_nt_acl : file ACL absent, directory ACL absent
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:canonicalise_acl(2244)
  canonicalise_acl: Access ace entries before arrange :
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:canonicalise_acl(2257)
  canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms r-x
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:canonicalise_acl(2257)
  canon_ace index 1. Type = allow SID = S-1-5-32-545 gid 512 (quickbooksusers)
SMB_ACL_GROUP_OBJ perms rwx
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:canonicalise_acl(2257)
  canon_ace index 2. Type = allow SID = S-1-5-32-544 uid 503 (nli)
SMB_ACL_USER_OBJ perms rwx
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:print_canon_ace_list(598)
  print_canon_ace_list: canonicalise_acl: ace entries after arrange
  canon_ace index 0. Type = allow SID = S-1-5-32-544 uid 503 (nli)
SMB_ACL_USER_OBJ perms rwx
  canon_ace index 1. Type = allow SID = S-1-5-32-545 gid 512 (quickbooksusers)
SMB_ACL_GROUP_OBJ perms rwx
  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms r-x
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:map_canon_ace_perms(874)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:map_canon_ace_perms(874)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:map_canon_ace_perms(874)
  map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
[2015/02/02 18:34:15, 10] smbd/posix_acls.c:merge_default_aces(2729)
  merge_default_aces: Merging ACE 4 onto ACE 1.
[2015/02/02 18:34:15, 10] locking/locking.c:parse_share_modes(523)
  parse_share_modes: delete_on_close: 0, num_share_modes: 1
[2015/02/02 18:34:15, 10] locking/locking.c:parse_share_modes(623)
  parse_share_modes: share_mode_entry[0]:  pid = 10924, share_access = 0x3,
private_options = 0x0, access_mask = 0x20000, mid = 0x0, type= 0x0, file_id =
15253, uid = 501, flags = 2, dev = 0xfd02, inode = 212042139
[2015/02/02 18:34:15, 5] smbd/files.c:file_free(454)
  freed files structure 14004 (0 used)
[2015/02/02 18:34:15, 10] lib/util_seaccess.c:se_access_check(233)
  se_access_check: requested access 0x00000002, for NT token with 17 entries and
first sid S-1-5-21-3650665210-738519219-1273585530-2002.
[2015/02/02 18:34:15, 3] lib/util_seaccess.c:se_access_check(250)
[2015/02/02 18:34:15, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-5-21-3650665210-738519219-1273585530-2002
  se_access_check: also S-1-22-2-100
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-22-2-401
  se_access_check: also S-1-22-2-534
  se_access_check: also S-1-22-2-527
  se_access_check: also S-1-22-2-56736
  se_access_check: also S-1-22-2-526
  se_access_check: also S-1-22-2-577
  se_access_check: also S-1-22-2-512
  se_access_check: also S-1-22-2-528
  se_access_check: also S-1-22-2-559
  se_access_check: also S-1-22-2-521
  se_access_check: also S-1-22-2-564
  se_access_check: also S-1-22-1-501
  se_access_check: ACE 0: type 0, flags = 0x03, SID = S-1-5-32-545 mask =
1f01ff, current desired = 2
  se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask =
1f01ff, current desired = 2
  se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-1-0 mask = 1200a9,
current desired = 2
  se_access_check: ACE 3: type 0, flags = 0x00, SID = S-1-5-32-545 mask =
1f01ff, current desired = 2
[2015/02/02 18:34:15, 5] lib/util_seaccess.c:se_access_check(314)
  se_access_check: access (2) denied.
[2015/02/02 18:34:15, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/nttrans.c(697) cmd=162 (SMBntcreateX)
NT_STATUS_ACCESS_DENIED
Cacls says:
\\SERVERX\financial\tax\2014\gttsc\2014 Form 1120S  S Corps Tax Return.tax2014
BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:F
BUILTIN\Users:(special access:)
    READ_CONTROL
    SYNCHRONIZE
    FILE_GENERIC_READ
    FILE_GENERIC_WRITE
    FILE_READ_DATA
    FILE_WRITE_DATA
    FILE_APPEND_DATA
    FILE_READ_EA
    FILE_WRITE_EA
    FILE_READ_ATTRIBUTES
    FILE_WRITE_ATTRIBUTES
Everyone:(special access:)
    READ_CONTROL
    SYNCHRONIZE
    FILE_GENERIC_READ
    FILE_READ_DATA
    FILE_READ_EA
    FILE_READ_ATTRIBUTES
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
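Added example, not part of the original post and not Samba's own code: a small Python script that parses the se_access_check lines quoted above and replays a simplified allow/deny ACE walk, showing which ACEs apply to the logged token and which requested bits stay ungranted. The function names parse and walk are made up for this example, and the "what if" token in the last line is hypothetical.

```python
import re

# Abridged from the se_access_check lines in the post above (mail line wraps kept;
# the omitted "also" lines carry no BUILTIN S-1-5-32-* SIDs either).
LOG = """\
  se_access_check: requested access 0x00000002, for NT token with 17 entries and
first sid S-1-5-21-3650665210-738519219-1273585530-2002.
  se_access_check: user sid is S-1-5-21-3650665210-738519219-1273585530-2002
  se_access_check: also S-1-1-0
  se_access_check: also S-1-22-2-512
  se_access_check: also S-1-22-1-501
  se_access_check: ACE 0: type 0, flags = 0x03, SID = S-1-5-32-545 mask =
1f01ff, current desired = 2
  se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask =
1f01ff, current desired = 2
  se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-1-0 mask = 1200a9,
current desired = 2
  se_access_check: ACE 3: type 0, flags = 0x00, SID = S-1-5-32-545 mask =
1f01ff, current desired = 2
"""

def parse(log):
    """Return (requested mask, token SID set, [(index, type, sid, mask)])."""
    flat = " ".join(log.split())  # undo the line wrapping
    req = int(re.search(r"requested access (0x[0-9a-fA-F]+)", flat).group(1), 16)
    token = set(re.findall(r"(?:user sid is|also) (S-[\d-]+)", flat))
    ace_re = r"ACE (\d+): type (\d+), flags = 0x[0-9a-f]+, SID = (S-[\d-]+) mask = ([0-9a-f]+)"
    aces = [(int(i), int(t), sid, int(m, 16)) for i, t, sid, m in re.findall(ace_re, flat)]
    return req, token, aces

def walk(req, token, aces):
    """Simplified ACE walk: (bits still ungranted, indexes of ACEs that applied)."""
    desired, applied = req, []
    for idx, ace_type, sid, mask in aces:
        if sid not in token:
            continue                  # ACE names a SID the token does not hold
        applied.append(idx)
        if ace_type == 1 and desired & mask:
            break                     # type 1 (deny) blocks a wanted bit
        if ace_type == 0:
            desired &= ~mask          # type 0 (allow) grants its bits
        if desired == 0:
            break
    return desired, applied

if __name__ == "__main__":
    req, token, aces = parse(LOG)
    print("as logged:", walk(req, token, aces))
    print("hypothetical token with S-1-5-32-545:", walk(req, token | {"S-1-5-32-545"}, aces))
```

For the logged token only ACE 2 (S-1-1-0, mask 1200a9) applies, and that mask does not contain bit 0x2, so the bit stays ungranted. The log shows gid 512 in the token as S-1-22-2-512, while the ACL lists gid 512 (quickbooksusers) under SID S-1-5-32-545.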
