Samba version : CVS from 11-08-2003 Tested with Windows 98 SE vanilla Defining permissions on a share via user-level access control only works if I'm logged in as root. This is a log snapshot when logged in as an ordinary user: [2003/08/11 21:14:14, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162) Found policy hnd[0] [000] 00 00 00 00 02 00 00 00 00 00 00 00 06 EB 37 3F ........ .....ë7? [010] 82 04 00 00 .... [2003/08/11 21:14:14, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(105) _samr_lookup_domain: access check ((granted: 0000000000; required: 0x00000020) [2003/08/11 21:14:14, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(114) _samr_lookup_domain: ACCESS DENIED (granted: 0000000000; required: 0x00000020) And this is one when logged in as root: [2003/08/11 21:38:05, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162) Found policy hnd[0] [000] 00 00 00 00 02 00 00 00 00 00 00 00 9D F0 37 3F ........ .....ð7? [010] 07 2A 00 00 .*.. [2003/08/11 21:38:05, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(105) _samr_lookup_domain: access check ((granted: 0000000000; required: 0x00000020) [2003/08/11 21:38:05, 4] rpc_server/srv_samr_nt.c:access_check_samr_function(109) _samr_lookup_domain: ACCESS should be DENIED (granted: 0000000000; required: 0x00000020) but overwritten by euid == 0 [2003/08/11 21:38:05, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2525) Returning domain sid for domain BRGTEST -> S-1-5-21-1742692863-3551596981-1734739981 Since even root seems to be missing SA_RIGHT_SAM_OPEN_DOMAIN right, I assume that there must be something wrong somewhere else (this 'ACCESS should be DENIED' looks like a workaround in my eyes). regards Dariush Forouher
This sounds like it is working as designed. Only root or an administrator can change the permissions of a share. Does it work if you add the user to the "admin users" smb.conf parameter?
Yes, putting an user into 'admin users' works as well. But I think I should explain this a bit more detailed: As an ordinary user, I can create new shares, close existing ones, even change permissions on ones, that I've created as root before (i.e. give some user who is already in the list additionally write-access) The only thing that doesn't work is adding new list entries, which windows denies with "the user list cannot be fetched. try again later". I have to admit that I don't know how this is being managed unter WinNT, but I'd be surprised if this is by design. (And IMHO at least Domain Admins should have access to this, too.) Another problem is that windows presents a blue screen everytime I connect to this win98 machine (even by an `smbclient -L win98mach`). It makes no difference if the user is in a access control list of a share or if he is not. Although I don't know if these two problems are related, it makes user-level access controls not very usable if every Domain User can bring down a win98 machine. regards Dariush
OK - thanks for the clarification. I think I misunderstood what the problem was.
Fixed by storing the access requested on the anonymous samr connect. Restricted this to enum_domain|open_domain. Added become/unbecome_root() around pdb_enum_group_mapping() enum domain groups samr call.
Created attachment 74 [details] log.smbd snapshot Yes, this fix solves the first problem. But the blue screen still appears everytime I connect to this machine ("fatal exception at 0028:C0004D3F in VXD VMM(01)+00003D3F ..."). It also happens only if the authentication is succesfull. This problem disappears if win98 is switched back to share-level access control. I've attached a level 10 debug log of smbd. It covers the time beginning at the execution of `smbclient -L win98mach -Uuser%pass` until the blue-screen appears. regards Dariush
originally reported against 3.0.0beta3. CLeaning out non-production release versions.
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.
database cleanup