Tom Lee
2012-Feb-24 16:00 UTC
[Samba] STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
I've been trying to run a .NET app on Windows 2008 against a Samba v3.6.1 server running on OpenSuse x64 v12.1 but keep running into problems.

What the .NET app is doing is trying to read the ACL for a directory using UNC path pointing to a directory below the "users" share on the samba server. The app is running as user Administrator. On the samba side the Administrator user has been given the following privileges: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, and SeTakeOwnershipPrivilege.

Specifically the .NET/C# method call being made is below. In this case srcFolderName is something like "\\SambaServer\users\Administrator":

    DirectorySecurity srcFolderSecurity = Directory.GetAccessControl(srcFolderName, AccessControlSections.All);

Calling this method results in an Exception. I can see from a Wireshark trace that the exception corresponds to an error being returned from a call to NTCreateAndX for a user folder named "\Administrator" and Access Mask set to 0x01020080. The bit that seems to cause problems when set is the System Security bit (0x01000000).

Originally before I had given user Administrator any privileges (using net rpc rights grant...), the NTCreateAndX response error was STATUS_PRIVILEGE_NOT_HELD. After granting privileges the error changed to STATUS_ACCESS_DENIED.

Looking at the log.smbd with debugLevel = 10, I can see the following relevant trace info:

[2012/02/23 12:35:24.190992, 10] smbd/open.c:1430(smbd_calculate_access_mask)
  smbd_calculate_access_mask: Access denied on file Administrator: rejected by share access mask[0x101F01FF] orig[0x01020080] mapped[0x01020080] reject[0x01000000]
[2012/02/23 12:35:24.191049, 10] smbd/open.c:1761(open_file_ntcreate)
  open_file_ntcreate: smbd_calculate_access_mask on file Administrator returned NT_STATUS_ACCESS_DENIED
[2012/02/23 12:35:24.191107, 5] smbd/files.c:464(file_free)
  freed files structure 9877 (0 used)
[2012/02/23 12:35:24.191162, 10] smbd/open.c:3420(create_file_unixpath)
  create_file_unixpath: NT_STATUS_ACCESS_DENIED
[2012/02/23 12:35:24.191216, 10] smbd/open.c:3700(create_file_default)
  create_file: NT_STATUS_ACCESS_DENIED

Other things I've tried:
- Adding "admin users = Administrator" to the [users] share section in the smb.conf
- Doing chmod 777 on all folders from the [users] share root and below

Am I missing anything? Is there anything else I can try to see if I can get past the NT_STATUS_ACCESS_DENIED?

Thanks in advance for your help/suggestions.

Jeremy Allison
2012-Feb-27 21:44 UTC
[Samba] STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
On Fri, Feb 24, 2012 at 09:00:36AM -0700, Tom Lee wrote:
> I've been trying to run a .NET app on Windows 2008 against a Samba v3.6.1
> server running on OpenSuse x64 v12.1 but keep running into problems.
>
> What the .NET app is doing is trying to read the ACL for a directory using
> UNC path pointing to a directory below the "users" share on the samba
> server. The app is running as user Administrator. On the samba side the
> Administrator user has been given the following privileges:
> SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, and
> SeTakeOwnershipPrivilege.
>
> Specifically the .NET/C# method call being made is below. In this case
> srcFolderName is something like "\\SambaServer\users\Administrator":
>
> DirectorySecurity srcFolderSecurity =
> Directory.GetAccessControl(srcFolderName, AccessControlSections.All);
>
> Calling this method results in an Exception. I can see from a Wireshark
> trace that the exception corresponds to an error being returned from a call
> to NTCreateAndX for a user folder named "\Administrator" and Access Mask
> set to 0x01020080. The bit that seems to cause problems when set is the
> System Security bit (0x01000000).
>
> Originally before I had given user Administrator any privileges (using net
> rpc rights grant...), the NTCreateAndX response error was
> STATUS_PRIVILEGE_NOT_HELD.
> After granting privileges the error changed to STATUS_ACCESS_DENIED.
>
> Looking at the log.smbd with debugLevel = 10, I can see the following
> relevant trace info:
>
> [2012/02/23 12:35:24.190992, 10]
> smbd/open.c:1430(smbd_calculate_access_mask)
>   smbd_calculate_access_mask: Access denied on file Administrator: rejected
> by share access mask[0x101F01FF] orig[0x01020080] mapped[0x01020080]
> reject[0x01000000]
> [2012/02/23 12:35:24.191049, 10] smbd/open.c:1761(open_file_ntcreate)
>   open_file_ntcreate: smbd_calculate_access_mask on file Administrator
> returned NT_STATUS_ACCESS_DENIED
> [2012/02/23 12:35:24.191107, 5] smbd/files.c:464(file_free)
>   freed files structure 9877 (0 used)
> [2012/02/23 12:35:24.191162, 10] smbd/open.c:3420(create_file_unixpath)
>   create_file_unixpath: NT_STATUS_ACCESS_DENIED
> [2012/02/23 12:35:24.191216, 10] smbd/open.c:3700(create_file_default)
>   create_file: NT_STATUS_ACCESS_DENIED

Ok, there is this chunk of code inside libcli/security/access_check.c

        /* s3 had this with #if 0 previously. To be sure the merge
           doesn't change any behaviour, we have the above #if check
           on _SAMBA_BUILD_. */
        if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
                if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
                        bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
                } else {
                        return NT_STATUS_PRIVILEGE_NOT_HELD;
                }
        }

in the current v3-6-test git tree. Can you check if this is #ifdef'ed out in your code ?

Jeremy.

Tom Lee
2012-Feb-27 22:12 UTC
[Samba] Fwd: STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
---------- Forwarded message ----------
From: Tom Lee <tlee2951 at gmail.com>
Date: Mon, Feb 27, 2012 at 3:10 PM
Subject: Re: [Samba] STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
To: Jeremy Allison <jra at samba.org>

Jeremy, thanks for your response.

I didn't actually build Samba from sources; I'm just running the version of Samba that comes with OpenSuse v12.1, which is 3.6.1-34.3.1.x86_64.

I'm pretty sure the chunk of code inside libcli/security/access_check.c you mentioned is enabled with this version, since before I gave the Administrator user SeSecurityPrivilege I was getting the NT_STATUS_PRIVILEGE_NOT_HELD error, then once I granted the privilege that error went away. But then I started getting the NT_STATUS_ACCESS_DENIED coming from the check in open.c smbd_calculate_access_mask.

Please let me know if there is something else I should try or if you need any additional info on my configuration.

Thanks.

On Mon, Feb 27, 2012 at 2:44 PM, Jeremy Allison <jra at samba.org> wrote:
> On Fri, Feb 24, 2012 at 09:00:36AM -0700, Tom Lee wrote:
> > I've been trying to run a .NET app on Windows 2008 against a Samba v3.6.1
> > server running on OpenSuse x64 v12.1 but keep running into problems.
> >
> > What the .NET app is doing is trying to read the ACL for a directory using
> > UNC path pointing to a directory below the "users" share on the samba
> > server. The app is running as user Administrator. On the samba side the
> > Administrator user has been given the following privileges:
> > SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, and
> > SeTakeOwnershipPrivilege.
> >
> > Specifically the .NET/C# method call being made is below. In this case
> > srcFolderName is something like "\\SambaServer\users\Administrator":
> >
> > DirectorySecurity srcFolderSecurity =
> > Directory.GetAccessControl(srcFolderName, AccessControlSections.All);
> >
> > Calling this method results in an Exception. I can see from a Wireshark
> > trace that the exception corresponds to an error being returned from a call
> > to NTCreateAndX for a user folder named "\Administrator" and Access Mask
> > set to 0x01020080. The bit that seems to cause problems when set is the
> > System Security bit (0x01000000).
> >
> > Originally before I had given user Administrator any privileges (using net
> > rpc rights grant...), the NTCreateAndX response error was
> > STATUS_PRIVILEGE_NOT_HELD.
> > After granting privileges the error changed to STATUS_ACCESS_DENIED.
> >
> > Looking at the log.smbd with debugLevel = 10, I can see the following
> > relevant trace info:
> >
> > [2012/02/23 12:35:24.190992, 10]
> > smbd/open.c:1430(smbd_calculate_access_mask)
> >   smbd_calculate_access_mask: Access denied on file Administrator: rejected
> > by share access mask[0x101F01FF] orig[0x01020080] mapped[0x01020080]
> > reject[0x01000000]
> > [2012/02/23 12:35:24.191049, 10] smbd/open.c:1761(open_file_ntcreate)
> >   open_file_ntcreate: smbd_calculate_access_mask on file Administrator
> > returned NT_STATUS_ACCESS_DENIED
> > [2012/02/23 12:35:24.191107, 5] smbd/files.c:464(file_free)
> >   freed files structure 9877 (0 used)
> > [2012/02/23 12:35:24.191162, 10] smbd/open.c:3420(create_file_unixpath)
> >   create_file_unixpath: NT_STATUS_ACCESS_DENIED
> > [2012/02/23 12:35:24.191216, 10] smbd/open.c:3700(create_file_default)
> >   create_file: NT_STATUS_ACCESS_DENIED
>
> Ok, there is this chunk of code inside libcli/security/access_check.c
>
>         /* s3 had this with #if 0 previously. To be sure the merge
>            doesn't change any behaviour, we have the above #if check
>            on _SAMBA_BUILD_. */
>         if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
>                 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
>                         bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
>                 } else {
>                         return NT_STATUS_PRIVILEGE_NOT_HELD;
>                 }
>         }
>
> in the current v3-6-test git tree. Can you check if this is
> #ifdef'ed out in your code ?
>
> Jeremy.
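
Added example, not part of the thread and not Samba source: a small C program that parses the smbd_calculate_access_mask log line quoted above and recomputes which requested bits fall outside the share access mask. The struct and function names are hypothetical, and it assumes the rejected bits are the mapped request bits absent from the share mask, which the logged values are consistent with.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Well-known Windows access-mask bits that make up the request 0x01020080. */
#define ACCESS_SYSTEM_SECURITY 0x01000000u /* the "System Security" bit */
#define READ_CONTROL           0x00020000u
#define FILE_READ_ATTRIBUTES   0x00000080u

/* Log message copied from the thread (timestamp/source-location header omitted). */
static const char SAMPLE_LOG[] =
    "smbd_calculate_access_mask: Access denied on file Administrator: "
    "rejected by share access mask[0x101F01FF] orig[0x01020080] "
    "mapped[0x01020080] reject[0x01000000]";

/* Hypothetical holder for the four masks printed in that message. */
struct mask_log { uint32_t share, orig, mapped, reject; };

/* Extract the four hex masks from the log message; returns 0 on success, -1 otherwise. */
static int parse_mask_log(const char *line, struct mask_log *out)
{
    const char *p = strstr(line, "share access mask[");
    unsigned int s, o, m, r;
    if (p == NULL ||
        sscanf(p, "share access mask[%x] orig[%x] mapped[%x] reject[%x]",
               &s, &o, &m, &r) != 4)
        return -1;
    out->share = s; out->orig = o; out->mapped = m; out->reject = r;
    return 0;
}

/* Assumption: rejected bits are the requested bits the share mask lacks. */
static uint32_t rejected_bits(uint32_t requested, uint32_t share_mask)
{
    return requested & ~share_mask;
}

int main(void)
{
    struct mask_log l;
    if (parse_mask_log(SAMPLE_LOG, &l) != 0)
        return 1;
    uint32_t rej = rejected_bits(l.mapped, l.share);
    printf("recomputed reject 0x%08X, logged 0x%08X\n", (unsigned)rej, (unsigned)l.reject);
    printf("System Security rejected:      %s\n", (rej & ACCESS_SYSTEM_SECURITY) ? "yes" : "no");
    printf("READ_CONTROL rejected:         %s\n", (rej & READ_CONTROL) ? "yes" : "no");
    printf("FILE_READ_ATTRIBUTES rejected: %s\n", (rej & FILE_READ_ATTRIBUTES) ? "yes" : "no");
    return 0;
}
```

With the values from the log, only the System Security bit is left over: READ_CONTROL and FILE_READ_ATTRIBUTES are covered by the share mask 0x101F01FF, while 0x01000000 is not.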