Can anybody provide the expected response to an SMB2 CREATE request that includes ACCESS_SYSTEM_SECURITY in the DesiredAccess mask? I?m particularly interested in cases where the SMB client is connected as an authenticated user with administrative (superuser) privileges on the share, and has made the request on a directory. Should such a client expect full (read/change) access to the SACL (under any conditions)? The question above is theoretical in nature. Practically speaking, does any version of the Samba server respond correctly to the request described above? I have a Windows application that makes such a request, and have tested it against Samba server versions 3.5.10-125.el6 and 3.6.7. I keep seeing a response of NT_STATUS_PRIVILEGE_NOT_HELD, and think that's not the correct response when the client has superuser privileges - but perhaps my expectation is wrong. If I make the same request while connected to a share on a Windows server, the response is NT_STATUS_OK. Is there a Samba server configuration change I could make that would affect the behavior? Is there any setup work to do prior to sending the SMB2 CREATE request (for example, adding a privilege)? Thanks, Steve Tice stic6021 at gmail.com <stic6021 at yahoo.com>
Can anybody provide the expected response to an SMB2 CREATE request that includes ACCESS_SYSTEM_SECURITY in the DesiredAccess mask? I?m particularly interested in cases where the SMB client is connected as an authenticated user with administrative (superuser) privileges on the share, and has made the request on a directory. Should such a client expect full (read/change) access to the SACL (under any conditions)? The question above is theoretical in nature. Practically speaking, does any version of the Samba server respond correctly to the request described above? I have a Windows application that makes such a request, and have tested it against Samba server versions 3.5.10-125.el6 and 3.6.7. I keep seeing a response of NT_STATUS_PRIVILEGE_NOT_HELD, and think that's not the correct response when the client has superuser privileges - but perhaps my expectation is wrong. If I make the same request while connected to a share on a Windows server, the response is NT_STATUS_OK. Is there a Samba server configuration change I could make that would affect the behavior? Is there any setup work to do prior to sending the SMB2 CREATE request (for example, adding a privilege)? Thanks, Steve Ticestic6021 at gmail.com
On Tue, Dec 18, 2012 at 12:24:04PM -0600, Steve Tice wrote:> Can anybody provide the expected response to an SMB2 CREATE request that > includes ACCESS_SYSTEM_SECURITY in the DesiredAccess mask? I?m particularly > interested in cases where the SMB client is connected as an authenticated > user with administrative (superuser) privileges on the share, and has made > the request on a directory. Should such a client expect full (read/change) > access to the SACL (under any conditions)? > > The question above is theoretical in nature. Practically speaking, does any > version of the Samba server respond correctly to the request described > above? I have a Windows application that makes such a request, and have > tested it against Samba server versions 3.5.10-125.el6 and 3.6.7. I keep > seeing a response of NT_STATUS_PRIVILEGE_NOT_HELD, and think that's not the > correct response when the client has superuser privileges - but perhaps my > expectation is wrong. If I make the same request while connected to a share > on a Windows server, the response is NT_STATUS_OK. > > Is there a Samba server configuration change I could make that would affect > the behavior? Is there any setup work to do prior to sending the SMB2 > CREATE request (for example, adding a privilege)?You need to give the connected user the SeSecurity privilege. Jeremy