samba - Feb 2009 - Can't modify ms word files with samba 3.3

Hello, 
I tried this week to upgrade my samba 3.2.4 (2 PDCs one trusting the
other) to samba 3.3.0 then samba 3.3.1, and apart from the problem
with winbindd and trusted domain, my users are not able to modify any
ms word document (excel does the same). 

You can open the file correctly, modify it, and when saving it, it
pops up "Access denied" 

If you try to save the file in the same directory with another name,
it does not work either (sam "access denied" message). 
I tried to set og level to 10, but could not find anything pointing
me to the right direction. 
Can anybody help ? 
Fran?ois

On Tue, Feb 24, 2009 at 09:33:56PM +0100, Fran?ois Legal
wrote:
> 
> 
> Hello, 
> I tried this week to upgrade my samba 3.2.4 (2 PDCs one trusting the
> other) to samba 3.3.0 then samba 3.3.1, and apart from the problem
> with winbindd and trusted domain, my users are not able to modify any
> ms word document (excel does the same). 
> 
> You can open the file correctly, modify it, and when saving it, it
> pops up "Access denied" 
> 
> If you try to save the file in the same directory with another name,
> it does not work either (sam "access denied" message). 
> I tried to set og level to 10, but could not find anything pointing
> me to the right direction. 
> Can anybody help ? 
Can you send in a debug level 10 log please. This was a bug
we fixed for 3.3.1, so I'm concerned that it isn't working
for you.

Thanks,

Jeremy.

On Tue, Feb 24, 2009 at 09:33:56PM +0100, Fran?ois Legal
wrote:
> 
> 
> Hello, 
> I tried this week to upgrade my samba 3.2.4 (2 PDCs one trusting the
> other) to samba 3.3.0 then samba 3.3.1, and apart from the problem
> with winbindd and trusted domain, my users are not able to modify any
> ms word document (excel does the same). 
> 
> You can open the file correctly, modify it, and when saving it, it
> pops up "Access denied" 
> 
> If you try to save the file in the same directory with another name,
> it does not work either (sam "access denied" message). 
> I tried to set og level to 10, but could not find anything pointing
> me to the right direction. 
> Can anybody help ? 
Ok, looking in the log I've found the problem. The application
is asking for an access mask of 0x1020000, which maps to

READ_CONTROL_ACCESS (which we grant) and SEC_RIGHT_SYSTEM_SECURITY
(ie. access to the system security ACL - the audit ACL) on the
file.
>From this page: 
http://msdn.microsoft.com/en-us/library/aa379321(VS.85).aspx

"SACL Access Right

The ACCESS_SYSTEM_SECURITY access right controls the ability to get or set the
SACL in an object's security descriptor. The system grants this access right
only if the SE_SECURITY_NAME privilege is enabled in the access token of the
requesting thread."

We do not support the SE_SECURITY_NAME privilege and don't
allow setting SACLs (we don't support them).

Someone else has already raised this previously. Do your
users have the SE_SECURITY_NAME privilege in their local
tokens (ie. are they allowed to set SACLs on their local
filesystem). Does this happen to non-privileged users ?

A suggestion has been made to ignore the SEC_RIGHT_SYSTEM_SECURITY
request (just mask it out) for filesystem access while
we don't support SACLs, but I'm concerned as to why the
application is trying to request it ?

Jeremy.

> Ok, looking in the log I've found the problem. The application
> is asking for an access mask of 0x1020000, which maps to
> 
> READ_CONTROL_ACCESS (which we grant) and SEC_RIGHT_SYSTEM_SECURITY
> (ie. access to the system security ACL - the audit ACL) on the
> file.
> 
> From this page: 
> 
> http://msdn.microsoft.com/en-us/library/aa379321(VS.85).aspx
> 
> "SACL Access Right
> 
> The ACCESS_SYSTEM_SECURITY access right controls the ability to get or
set
> the SACL in an object's security descriptor. The system grants this
access
> right only if the SE_SECURITY_NAME privilege is enabled in the access
token
> of the requesting thread."
> 
> We do not support the SE_SECURITY_NAME privilege and don't
> allow setting SACLs (we don't support them).
> 
> Someone else has already raised this previously. Do your
> users have the SE_SECURITY_NAME privilege in their local
> tokens (ie. are they allowed to set SACLs on their local
> filesystem). Does this happen to non-privileged users ?
> 
> A suggestion has been made to ignore the SEC_RIGHT_SYSTEM_SECURITY
> request (just mask it out) for filesystem access while
> we don't support SACLs, but I'm concerned as to why the
> application is trying to request it ?
> 
> Jeremy.
To be honnest, I did not really understand what SACL is. Are you talking
about file and directories ACLs ?

How do I know if my users have the SE_SECURITY_NAME  priviledge. My users
(especially the one who is accessing the file in the log) are normal users
without any specific priviledge (not even doamin admins nor local
workstation admin). However, they're not prevented from setting files and
directories ACLs neither on local nor network drives (they're welcome to as
our filesystems are XFS).

About the application requesting something specific, I don't know. The
file was created with that same version of MS Word (2007) by that same user
(the one trying to modify it as in the log) but with another samba version
(one of 3.2.0 3.2.2 or 3.2.4)

Where should I go from here?

Thank youfor helping

Fran?ois

Hello,

I have the same problem with samba 3.3.0 and 3.3.1. I use to be able to 
edit some MS Word file on a shared network.
What should I do to fix this problem? Is there a way to change some 
config file?

Thanks in advance,

Olivier DOREMIEUX

Fran?ois Legal wrote:
> 

Same here.
My env are all inside virtualized machines: win2k server, debian lenny with
3.3.1 as "servers" and joined into win2k domain, win2k pro and win xp
pro
(both joined) as clients.

I have 1 share (called test) where I made my tests.

xp  has office 2k7 and OpenOffice.org 3
win2k has office 2k and OOo.org 3

(all the tests are with the same user logged on into the domain)
xp can create folders/files on share and can modify them with all the
programs, except office 2k7. with it, I receive an "Access Deny"
with OOo.org all works

win2k can do anything with OOo.org and with office 2k

files saved with office2k can be opened with office xp but not saved

OOo.org can open and save the .doc files created with the 2k

OOo.org can use the "share spreadsheet" function without problem!

 From my test appear that there is a problem only with 2k7

If you need I can send you the debug with level 10

P.s. I can also share my environment with the developers since are all
in vbox! Contact me for that.

Thanks,
Michele

On Tue, Feb 24, 2009 at 09:33:56PM +0100, Fran?ois Legal
wrote:
> 
> 
> Hello, 
> I tried this week to upgrade my samba 3.2.4 (2 PDCs one trusting the
> other) to samba 3.3.0 then samba 3.3.1, and apart from the problem
> with winbindd and trusted domain, my users are not able to modify any
> ms word document (excel does the same). 
> 
> You can open the file correctly, modify it, and when saving it, it
> pops up "Access denied" 
> 
> If you try to save the file in the same directory with another name,
> it does not work either (sam "access denied" message). 
> I tried to set og level to 10, but could not find anything pointing
> me to the right direction. 
> Can anybody help ? 
Ok, I think this patch should fix the problem. If you can
confirm it works for you then I'll put it into 3.3.2.

Thanks !

Jeremy.
-------------- next part --------------
diff --git a/source/smbd/open.c b/source/smbd/open.c
index 9b51ff0..ee730c7 100644
--- a/source/smbd/open.c
+++ b/source/smbd/open.c
@@ -2382,6 +2382,14 @@ NTSTATUS open_directory(connection_struct *conn,
 		return status;
 	}
 
+	/* We need to support SeSecurityPrivilege for this. */
+	if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) {
+		DEBUG(10, ("open_directory: open on %s "
+			"failed - SEC_RIGHT_SYSTEM_SECURITY denied.\n",
+			fname));
+		return NT_STATUS_PRIVILEGE_NOT_HELD;
+	}
+
 	switch( create_disposition ) {
 		case FILE_OPEN:
 
@@ -2915,8 +2923,23 @@ NTSTATUS create_file_unixpath(connection_struct *conn,
 		status = NT_STATUS_PRIVILEGE_NOT_HELD;
 		goto fail;
 	}
+#else
+	/* We need to support SeSecurityPrivilege for this. */
+	if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) {
+		status = NT_STATUS_PRIVILEGE_NOT_HELD;
+		goto fail;
+	}
+	/* Don't allow a SACL set from an NTtrans create until we
+	 * support SeSecurityPrivilege. */
+	if (!VALID_STAT(sbuf) &&
+			lp_nt_acl_support(SNUM(conn)) &&
+			sd && (sd->sacl != NULL)) {
+		status = NT_STATUS_PRIVILEGE_NOT_HELD;
+		goto fail;
+	}
 #endif
 
+
 	if ((conn->fs_capabilities & FILE_NAMED_STREAMS)
 	    && is_ntfs_stream_name(fname)
 	    && (!(create_options &
NTCREATEX_OPTIONS_PRIVATE_STREAM_DELETE))) {