Bug 6921 - Changing ownership via give owner does not work on Samba
Changing ownership via give owner does not work on Samba
Product: Samba 3.4
Classification: Unclassified
Component: File services
Other Windows XP
: P3 normal
: ---
Assigned To: Volker Lendecke
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2009-11-23 16:32 UTC by Barry Sabsevitz
Modified: 2009-11-23 17:20 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Barry Sabsevitz 2009-11-23 16:32:43 UTC
Unfortunately, I don't have a lot of info on this one. But changing the owner of a file via Windows Explorer via a "give ownership" operation, fails with access denied. To reproduce:

1. Create a file as user 1
2. Try to change owner for the file from user 1 to user 2.

Putting some debugs in, it looks like the privilege checks that are occurring in try_chown(), where it checks to see if you have RESTORE privilege, are not working properly. It is reporting that I don't have RESTORE privilege, when in fact the user who is issuing the change ownership operation does. Because of this we fail the change ownership operation in try_chown() because we fall to the bottom of the routine and don't meet the requirements to perform the change ownership.

Does Samba support these kind of privileges? Looking elsewhere in the code, I see some indications that this support may not be there yet as I find #ifdef'd out code that is checking privileges.

I do see some messages in /var/log/smbd.log that say:

get_privileges: No privileges assigned to SID <sid string>

and that <sid string> is the SID that is performing the change ownership operation. Don't know if this is related to the problem or not.

"take ownership" works fine where you login as a user and change the owner to that user, but "give ownership" does not work. "give ownership" is where you login a user and try to change ownership of the file to a different user.
Comment 1 Jeremy Allison 2009-11-23 16:50:06 UTC
You need to assign restore privilege to the user in order for this to work. When you say "It is reporting that I don't have RESTORE privilege, when in
fact the user who is issuing the change ownership operation does." - how did you assign privilege to the user on the Samba server ? 

If you did not assign such privilege, then smbd is correct in denying this.

See this page:


on how to grant privileges to a user or group (Note that the privilege list on this page is out of date, as we do support the SeRestorePrivilege).

Comment 2 Jeremy Allison 2009-11-23 16:52:20 UTC
The relevant section in smbd/posix_acls.c is:

        if (lp_enable_privileges()) {

                bool has_take_ownership_priv = user_has_privileges(current_user.nt_user_token,
                bool has_restore_priv = user_has_privileges(current_user.nt_user_token,

                /* Case (2) */
                if ( ( has_take_ownership_priv && ( uid == current_user.ut.uid ) ) ||
                /* Case (3) */
                     ( has_restore_priv ) ) {

                        /* Keep the current file gid the same - take ownership doesn't imply group change. */
                        if (lp_posix_pathnames()) {
                                ret = SMB_VFS_LCHOWN(conn, smb_fname->base_name, uid,
                        } else {
                                ret = SMB_VFS_CHOWN(conn, smb_fname->base_name, uid,
                        return ret;

Comment 3 Barry Sabsevitz 2009-11-23 16:54:20 UTC
Aaah I see. Sorry, lack of knowledge on my part. I assumed it got the privileges from the AD server. It looks like the doc you pointed me to says you need to set these privileges on the Samba server. This defect can be closed then as a non-issue. Thanks for telling me about this. I had the privileges set on the AD server for the user who was doing the change ownership operation.
Comment 4 Volker Lendecke 2009-11-23 16:56:03 UTC
Privileges are always a local thing.

Look at "net sam rights"

Comment 5 Jeremy Allison 2009-11-23 17:11:11 UTC
Not a bug.
Comment 6 Barry Sabsevitz 2009-11-23 17:14:17 UTC
Actually I just tried it and it still doesn't work for me. I may be doing something silly.

I have an AD server in the mix and here is what I did on the Samba server:

net -S -U Administrator rpc rights grant 'ACTIVEDIR\Administrator' SeRestorePrivilege

I did this for Administrator and user test1. When I run net rpc rights list test1 or net rpc rights list administrator, it shows that they have the privilege. But the change ownership still fails for me saying the user doesn't have restore privilege.
Comment 7 Barry Sabsevitz 2009-11-23 17:15:03 UTC
is net sam rights different than net rpc rights? The documentation refers to net rpc. I'll try net sam.
Comment 8 Barry Sabsevitz 2009-11-23 17:20:22 UTC
Ok. It worked for me now. thanks. I used "net sam rights" and then had to restart the samba daemons.