Hello,

I tried this week to upgrade my samba 3.2.4 (2 PDCs one trusting the other) to samba 3.3.0 then samba 3.3.1, and apart from the problem with winbindd and trusted domain, my users are not able to modify any ms word document (excel does the same).

You can open the file correctly, modify it, and when saving it, it pops up "Access denied"

If you try to save the file in the same directory with another name, it does not work either (same "access denied" message).

I tried to set log level to 10, but could not find anything pointing me to the right direction.

Can anybody help ?

François
On Tue, Feb 24, 2009 at 09:33:56PM +0100, François Legal wrote:
>
> Hello,
> I tried this week to upgrade my samba 3.2.4 (2 PDCs one trusting the
> other) to samba 3.3.0 then samba 3.3.1, and apart from the problem
> with winbindd and trusted domain, my users are not able to modify any
> ms word document (excel does the same).
>
> You can open the file correctly, modify it, and when saving it, it
> pops up "Access denied"
>
> If you try to save the file in the same directory with another name,
> it does not work either (same "access denied" message).
> I tried to set log level to 10, but could not find anything pointing
> me to the right direction.
> Can anybody help ?

Can you send in a debug level 10 log please. This was a bug we fixed for 3.3.1, so I'm concerned that it isn't working for you.

Thanks,

Jeremy.
On Tue, Feb 24, 2009 at 09:33:56PM +0100, François Legal wrote:
>
> Hello,
> I tried this week to upgrade my samba 3.2.4 (2 PDCs one trusting the
> other) to samba 3.3.0 then samba 3.3.1, and apart from the problem
> with winbindd and trusted domain, my users are not able to modify any
> ms word document (excel does the same).
>
> You can open the file correctly, modify it, and when saving it, it
> pops up "Access denied"
>
> If you try to save the file in the same directory with another name,
> it does not work either (same "access denied" message).
> I tried to set log level to 10, but could not find anything pointing
> me to the right direction.
> Can anybody help ?

Ok, looking in the log I've found the problem. The application is asking for an access mask of 0x1020000, which maps to

READ_CONTROL_ACCESS (which we grant) and SEC_RIGHT_SYSTEM_SECURITY (ie. access to the system security ACL - the audit ACL) on the file.

From this page:

http://msdn.microsoft.com/en-us/library/aa379321(VS.85).aspx

"SACL Access Right

The ACCESS_SYSTEM_SECURITY access right controls the ability to get or set the SACL in an object's security descriptor. The system grants this access right only if the SE_SECURITY_NAME privilege is enabled in the access token of the requesting thread."

We do not support the SE_SECURITY_NAME privilege and don't allow setting SACLs (we don't support them).

Someone else has already raised this previously. Do your users have the SE_SECURITY_NAME privilege in their local tokens (ie. are they allowed to set SACLs on their local filesystem). Does this happen to non-privileged users ?

A suggestion has been made to ignore the SEC_RIGHT_SYSTEM_SECURITY request (just mask it out) for filesystem access while we don't support SACLs, but I'm concerned as to why the application is trying to request it ?

Jeremy.
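Added example, not part of the original thread and not Samba's code: a small decoder that splits an access mask such as the 0x1020000 from the log into its named rights and applies the rule quoted from MSDN. The bit values are the standard Windows ACCESS_MASK constants; the function names and the `has_security_priv` flag are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard and generic ACCESS_MASK bits (Windows SDK values). The low
 * 16 bits are object-specific rights and are not named here. */
struct right { uint32_t bit; const char *name; };
static const struct right rights[] = {
    { 0x00010000u, "DELETE" },      { 0x00020000u, "READ_CONTROL" },
    { 0x00040000u, "WRITE_DAC" },   { 0x00080000u, "WRITE_OWNER" },
    { 0x00100000u, "SYNCHRONIZE" }, { 0x01000000u, "ACCESS_SYSTEM_SECURITY" },
    { 0x02000000u, "MAXIMUM_ALLOWED" }, { 0x10000000u, "GENERIC_ALL" },
    { 0x20000000u, "GENERIC_EXECUTE" }, { 0x40000000u, "GENERIC_WRITE" },
    { 0x80000000u, "GENERIC_READ" },
};
#define ACCESS_SYSTEM_SECURITY_BIT 0x01000000u

/* Write the names of the set bits into out, '|'-separated, and return
 * the bits that matched no named right (specific or reserved bits). */
uint32_t decode_access_mask(uint32_t mask, char *out, size_t outlen)
{
    uint32_t left = mask;
    if (outlen == 0) return left;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof(rights) / sizeof(rights[0]); i++) {
        if (!(mask & rights[i].bit)) continue;
        size_t used = strlen(out);
        snprintf(out + used, outlen - used, "%s%s",
                 used ? "|" : "", rights[i].name);
        left &= ~rights[i].bit;
    }
    return left;
}

/* MSDN rule quoted in the thread: the SACL right is granted only when
 * the caller holds SE_SECURITY_NAME (hypothetical flag here). */
int sacl_request_refused(uint32_t mask, int has_security_priv)
{
    return (mask & ACCESS_SYSTEM_SECURITY_BIT) && !has_security_priv;
}

int main(void)
{
    char buf[128];
    uint32_t rest = decode_access_mask(0x1020000u, buf, sizeof(buf));
    printf("0x1020000 = %s (unnamed bits 0x%x), refused=%d\n",
           buf, (unsigned)rest, sacl_request_refused(0x1020000u, 0));
    return 0;
}
```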
> Ok, looking in the log I've found the problem. The application
> is asking for an access mask of 0x1020000, which maps to
>
> READ_CONTROL_ACCESS (which we grant) and SEC_RIGHT_SYSTEM_SECURITY
> (ie. access to the system security ACL - the audit ACL) on the
> file.
>
> From this page:
>
> http://msdn.microsoft.com/en-us/library/aa379321(VS.85).aspx
>
> "SACL Access Right
>
> The ACCESS_SYSTEM_SECURITY access right controls the ability to get or set
> the SACL in an object's security descriptor. The system grants this access
> right only if the SE_SECURITY_NAME privilege is enabled in the access token
> of the requesting thread."
>
> We do not support the SE_SECURITY_NAME privilege and don't
> allow setting SACLs (we don't support them).
>
> Someone else has already raised this previously. Do your
> users have the SE_SECURITY_NAME privilege in their local
> tokens (ie. are they allowed to set SACLs on their local
> filesystem). Does this happen to non-privileged users ?
>
> A suggestion has been made to ignore the SEC_RIGHT_SYSTEM_SECURITY
> request (just mask it out) for filesystem access while
> we don't support SACLs, but I'm concerned as to why the
> application is trying to request it ?
>
> Jeremy.

To be honest, I did not really understand what SACL is. Are you talking about file and directories ACLs ?

How do I know if my users have the SE_SECURITY_NAME privilege? My users (especially the one who is accessing the file in the log) are normal users without any specific privilege (not even domain admins nor local workstation admin). However, they're not prevented from setting files and directories ACLs neither on local nor network drives (they're welcome to as our filesystems are XFS).

About the application requesting something specific, I don't know. The file was created with that same version of MS Word (2007) by that same user (the one trying to modify it as in the log) but with another samba version (one of 3.2.0 3.2.2 or 3.2.4)

Where should I go from here?

Thank you for helping

François
Hello,

I have the same problem with samba 3.3.0 and 3.3.1. I used to be able to edit some MS Word file on a shared network.

What should I do to fix this problem? Is there a way to change some config file?

Thanks in advance,

Olivier DOREMIEUX
Michele Petrazzo - Unipex srl
2009-Mar-04 18:04 UTC
[Samba] Can't modify ms word files with samba 3.3
François Legal wrote:
>

Same here.

My env are all inside virtualized machines: win2k server, debian lenny with 3.3.1 as "servers" and joined into win2k domain, win2k pro and win xp pro (both joined) as clients.

I have 1 share (called test) where I made my tests.

xp has office 2k7 and OpenOffice.org 3
win2k has office 2k and OOo.org 3

(all the tests are with the same user logged on into the domain)

xp can create folders/files on share and can modify them with all the programs, except office 2k7. With it, I receive an "Access Deny"
with OOo.org all works

win2k can do anything with OOo.org and with office 2k

files saved with office2k can be opened with office xp but not saved
OOo.org can open and save the .doc files created with the 2k
OOo.org can use the "share spreadsheet" function without problem!

From my tests it appears that there is a problem only with 2k7

If you need I can send you the debug with level 10

P.s. I can also share my environment with the developers since they are all in vbox! Contact me for that.

Thanks,
Michele
On Tue, Feb 24, 2009 at 09:33:56PM +0100, François Legal wrote:
>
> Hello,
> I tried this week to upgrade my samba 3.2.4 (2 PDCs one trusting the
> other) to samba 3.3.0 then samba 3.3.1, and apart from the problem
> with winbindd and trusted domain, my users are not able to modify any
> ms word document (excel does the same).
>
> You can open the file correctly, modify it, and when saving it, it
> pops up "Access denied"
>
> If you try to save the file in the same directory with another name,
> it does not work either (same "access denied" message).
> I tried to set log level to 10, but could not find anything pointing
> me to the right direction.
> Can anybody help ?

Ok, I think this patch should fix the problem. If you can confirm it works for you then I'll put it into 3.3.2.

Thanks !

Jeremy.

-------------- next part --------------
diff --git a/source/smbd/open.c b/source/smbd/open.c index 9b51ff0..ee730c7 100644 --- a/source/smbd/open.c +++ b/source/smbd/open.c @@ -2382,6 +2382,14 @@ NTSTATUS open_directory(connection_struct *conn, return status; } + /* We need to support SeSecurityPrivilege for this. */ + if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) { + DEBUG(10, ("open_directory: open on %s " + "failed - SEC_RIGHT_SYSTEM_SECURITY denied.\n", + fname)); + return NT_STATUS_PRIVILEGE_NOT_HELD; + } + switch( create_disposition ) { case FILE_OPEN: 
@@ -2915,8 +2923,23 @@ NTSTATUS create_file_unixpath(connection_struct *conn, status = NT_STATUS_PRIVILEGE_NOT_HELD; goto fail; } +#else + /* We need to support SeSecurityPrivilege for this. */ + if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) { + status = NT_STATUS_PRIVILEGE_NOT_HELD; + goto fail; + } + /* Don't allow a SACL set from an NTtrans create until we + * support SeSecurityPrivilege. */ + if (!VALID_STAT(sbuf) && + lp_nt_acl_support(SNUM(conn)) && + sd && (sd->sacl != NULL)) { + status = NT_STATUS_PRIVILEGE_NOT_HELD; + goto fail; + } #endif + if ((conn->fs_capabilities & FILE_NAMED_STREAMS) && is_ntfs_stream_name(fname) && (!(create_options & NTCREATEX_OPTIONS_PRIVATE_STREAM_DELETE))) {
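Review bot: In the open_directory hunk, the new DEBUG(10) message reports only fname; include the requested access_mask in it (for example an added "access_mask 0x%x") so a level 10 log shows which other bits came with SEC_RIGHT_SYSTEM_SECURITY, which is how this report was diagnosed in the first place. The comment "We need to support SeSecurityPrivilege for this." also reads as a requirement rather than the reason for refusing; wording along the lines of "refuse until we support SeSecurityPrivilege" would match the comment used in the create_file_unixpath hunk.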
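Review bot: In the create_file_unixpath hunk, both new "goto fail" paths under #else set NT_STATUS_PRIVILEGE_NOT_HELD with no DEBUG output, while the equivalent check in open_directory logs at level 10; add a DEBUG(10) to each so the refusal is visible in the log for files as well as directories. The SACL check is also gated on !VALID_STAT(sbuf), so a line in the comment saying why an sd carrying a SACL is only rejected when the file does not yet exist would help the next reader, and the blank line added after #endif is unrelated whitespace that can be dropped.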