Hello Rowland,
It seems to me that it proceeds in the code you pasted (since dos filemode
= Yes) because in the following earlier piece of code it establishes that
the user doesn't have SEC_PRIV_RESTORE, which is what I don't
understand, because that user has the SeRestorePrivilege:
==========
    if (lp_enable_privileges()) {
        bool has_take_ownership_priv = security_token_has_privilege(
                    get_current_nttok(fsp->conn),
                    SEC_PRIV_TAKE_OWNERSHIP);
        bool has_restore_priv = security_token_has_privilege(
                    get_current_nttok(fsp->conn),
                    SEC_PRIV_RESTORE);
        if (has_restore_priv) {
            ; /* Case (2) */
        } else if (has_take_ownership_priv) {
            /* Case (3) */
            if (uid == get_current_uid(fsp->conn)) {
                gid = (gid_t)-1;
            } else {
                has_take_ownership_priv = false;
            }
        }
        if (has_take_ownership_priv || has_restore_priv) {
            status = NT_STATUS_OK;
            become_root();
            ret = SMB_VFS_FCHOWN(fsp, uid, gid);
            if (ret != 0) {
                status = map_nt_error_from_unix(errno);
            }
            unbecome_root();
            return status;
        }
    }
=======
Please note that the Windows Administrator user can successfully change the
owner.
Below is the output you requested [note that the user 'andrea' (id 11142)
wants to set the owner of the directory to user 'betty' (id 11150)]:
# testparm -s
Load smb config files from /opt/samba/etc/smb.conf
lpcfg_do_global_parameter: WARNING: The "enable privileges" option is
deprecated
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_DOMAIN_MEMBER
# Global parameters
[global]
client ldap sasl wrapping = plain
dedicated keytab file = /etc/krb5.keytab
disable spoolss = Yes
host msdfs = No
kerberos method = secrets and keytab
load printers = No
local master = No
log file = /opt/samba/log/%I-%M-%m.log
map to guest = Bad User
max log size = 100000
preferred master = No
printcap name = /dev/null
realm = HF3.LOCAL
security = ADS
server string = Data %h
winbind enum groups = Yes
winbind enum users = Yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
workgroup = HYPERFILE3
idmap config hyperfile3 : schema_mode = rfc2307
idmap config hyperfile3 : range = 10000-20000000
idmap config hyperfile3 : backend = rid
idmap config * : schema_mode = rfc2307
idmap config * : range = 3000-4000
idmap config * : backend = tdb
map acl inherit = Yes
vfs objects = zfsacl
[test]
dos filemode = Yes
path = /test
read only = No
nfs4: mode = special
nfs4: acedup = merge
# getent passwd 'HYPERFILE3\andrea'
HYPERFILE3\andrea:*:11142:10513::/home/HYPERFILE3/andrea:/bin/false
The ACLs are as follows; basically administrator, andrea and betty have full
permission:
# ls -lVd /test/dir/
drwxr-xr-x+ 2 HYPERFILE3\andrea HYPERFILE3\domain users 4096 Feb 7
09:26 /test/dir/
owner@:rwxp-DaARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
user:HYPERFILE3\administ:rwxpdDaARWcCos:fd----I:allow
user:HYPERFILE3\andrea:rwxpdDaARWcCos:fd----I:allow
user:HYPERFILE3\betty:rwxpdDaARWcCos:fd----I:allow
# net rpc rights list 'HYPERFILE3\andrea' -S 10.50.50.85 -U administrator
Enter administrator's password:
SeBackupPrivilege
SeRestorePrivilege
Regards
Andrea
On Tue, Feb 7, 2023 at 3:10 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>
> On 07/02/2023 12:23, Andrea Cucciarre via samba wrote:
> > Hello,
> >
> > I am struggling to change the owner of directories in a Samba share, from a
> > windows client.
> > In the Samba logs I can see the following error message:
> >
> > [2023/02/06 13:23:31.624803, 3]
> > ../../source3/modules/nfs4_acls.c:1042(smb_set_nt_acl_nfs4)
> > chown New folder, 11150, 4294967295 failed. Error
> > NT_STATUS_INVALID_OWNER.
> >
> > This points to the try_chown() in samba code, and as far as I can see it
> > should allow the chown if the user has the SeRestorePrivilege.
> > From windows I have added the SeRestorePrivilege to that user, and actually
> > it seems samba can see it:
> >
> > # net rpc rights list 'DOMAIN\user' -S X.X.X.X -U Administrator
> > SeBackupPrivilege
> > SeRestorePrivilege
> >
> > So I can't understand why Samba doesn't recognize the SeRestorePrivilege
> > when handling a chown.
> >
> >
> > Regards
> > Andrea
>
> I think we are going to need more info here, starting with the current
> smb.conf (as shown by 'testparm -s'), the output of 'getent passwd
> DOMAIN\\user', and the permissions set on the directory at the moment.
>
> Your error message seems to be coming from the block of code in try_chown:
>
>     /* only allow chown to the current user. This is more secure,
>        and also copes with the case where the SID in a take ownership
>        ACL is a local SID on the users workstation
>     */
>     if (uid != get_current_uid(fsp->conn)) {
>         return NT_STATUS_INVALID_OWNER;
>     }
>
> Rowland
>
--
Andrea Cucciarre'
Global Technical Support Manager
Cloudian Inc.
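As an added illustration for readers of this thread (not Samba's code and not part of the original mails): a self-contained C model of the try_chown() decision path that joins the privilege block Andrea pasted with the "only allow chown to the current user" check Rowland quoted. The NTSTATUS values, privilege bits, struct token and the scenario() wrapper are stand-ins I defined for the model; it shows that with privileges enabled, NT_STATUS_INVALID_OWNER for a foreign uid is reached only when neither SeRestorePrivilege nor SeTakeOwnershipPrivilege is found on the caller's token.

```c
#include <stdbool.h>
/* Constructed model of the try_chown() decision path discussed in this thread.
 * Not Samba's code: NTSTATUS values, privilege bits and the token struct are
 * stand-ins, and become_root()/SMB_VFS_FCHOWN() are reduced to comments. */
enum nt_status { NT_STATUS_OK = 0, NT_STATUS_INVALID_OWNER = 1 };
enum { SEC_PRIV_TAKE_OWNERSHIP = 1 << 0, SEC_PRIV_RESTORE = 1 << 1 };
/* Minimal stand-in for the NT token plus the connection's current UNIX uid. */
struct token { unsigned privileges; int current_uid; };

static bool security_token_has_privilege(const struct token *t, unsigned priv) { return (t->privileges & priv) != 0; }

/* Status try_chown() would return for a request to set owner `uid` and group `gid`
 * (gid -1 meaning "leave unchanged"); *out_gid receives the gid that would reach fchown. */
static enum nt_status model_try_chown(bool enable_privileges, const struct token *t,
                                      int uid, int gid, int *out_gid)
{
    if (enable_privileges) {
        bool has_take_ownership_priv = security_token_has_privilege(t, SEC_PRIV_TAKE_OWNERSHIP);
        bool has_restore_priv = security_token_has_privilege(t, SEC_PRIV_RESTORE);
        if (has_restore_priv) {
            ; /* Case (2): SeRestorePrivilege permits setting any owner */
        } else if (has_take_ownership_priv) {
            /* Case (3): SeTakeOwnershipPrivilege only lets the caller take ownership itself */
            if (uid == t->current_uid) {
                gid = -1;                  /* (gid_t)-1: group is left untouched */
            } else {
                has_take_ownership_priv = false;
            }
        }
        if (has_take_ownership_priv || has_restore_priv) {
            *out_gid = gid;                /* become_root(); SMB_VFS_FCHOWN(fsp, uid, gid); unbecome_root(); */
            return NT_STATUS_OK;
        }
    }
    /* The fall-through check Rowland quoted: with no usable privilege, only chown to self. */
    if (uid != t->current_uid) {
        return NT_STATUS_INVALID_OWNER;
    }
    *out_gid = gid;
    return NT_STATUS_OK;                   /* Samba's further case (1) checks are omitted here */
}

/* Wrapper for one request: privileges on the token, the caller's uid, the requested owner. */
static enum nt_status scenario(unsigned privileges, int current_uid, int new_owner)
{
    struct token t = { privileges, current_uid };
    int gid_out = 0;
    return model_try_chown(true, &t, new_owner, -1, &gid_out);
}
```

The uids in the test (11142 for andrea, 11150 for betty) are the ones from the getent output above; in the reported case scenario(SEC_PRIV_RESTORE, 11142, 11150) succeeds, so the logged NT_STATUS_INVALID_OWNER means the token seen by smbd did not carry the privilege.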