Unfortunately, I don't have a lot of info on this one. But changing the owner of a file via Windows Explorer via a "give ownership" operation fails with access denied.

To reproduce:
1. Create a file as user 1.
2. Try to change the owner of the file from user 1 to user 2.

Putting some debugs in, it looks like the privilege checks that are occurring in try_chown(), where it checks to see if you have RESTORE privilege, are not working properly. It is reporting that I don't have RESTORE privilege, when in fact the user who is issuing the change ownership operation does. Because of this we fail the change ownership operation in try_chown(), because we fall to the bottom of the routine and don't meet the requirements to perform the change ownership.

Does Samba support these kinds of privileges? Looking elsewhere in the code, I see some indications that this support may not be there yet, as I find #ifdef'd out code that is checking privileges.

I do see some messages in /var/log/smbd.log that say:

    lib/privileges.c:63(get_privileges) get_privileges: No privileges assigned to SID <sid string>

and that <sid string> is the SID that is performing the change ownership operation. I don't know if this is related to the problem or not.

"take ownership" works fine, where you log in as a user and change the owner to that user, but "give ownership" does not work. "give ownership" is where you log in as a user and try to change ownership of the file to a different user.
You need to assign restore privilege to the user in order for this to work. When you say "It is reporting that I don't have RESTORE privilege, when in fact the user who is issuing the change ownership operation does." - how did you assign privilege to the user on the Samba server ? If you did not assign such privilege, then smbd is correct in denying this. See this page: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html on how to grant privileges to a user or group (Note that the privilege list on this page is out of date, as we do support the SeRestorePrivilege). Jeremy.
The relevant section in smbd/posix_acls.c is:

    if (lp_enable_privileges()) {
        bool has_take_ownership_priv = user_has_privileges(current_user.nt_user_token,
                                                           &se_take_ownership);
        bool has_restore_priv = user_has_privileges(current_user.nt_user_token,
                                                    &se_restore);

        /* Case (2) */
        if ( ( has_take_ownership_priv && ( uid == current_user.ut.uid ) ) ||
        /* Case (3) */
             ( has_restore_priv ) ) {

            become_root();
            /* Keep the current file gid the same - take ownership doesn't imply group change. */
            if (lp_posix_pathnames()) {
                ret = SMB_VFS_LCHOWN(conn, smb_fname->base_name, uid, (gid_t)-1);
            } else {
                ret = SMB_VFS_CHOWN(conn, smb_fname->base_name, uid, (gid_t)-1);
            }
            unbecome_root();
            return ret;
        }
    }
Aaah I see. Sorry, lack of knowledge on my part. I assumed it got the privileges from the AD server. It looks like the doc you pointed me to says you need to set these privileges on the Samba server. This defect can be closed then as a non-issue. Thanks for telling me about this. I had the privileges set on the AD server for the user who was doing the change ownership operation.
Privileges are always a local thing. Look at "net sam rights" Volker
Not a bug. Jeremy.
Actually I just tried it and it still doesn't work for me. I may be doing something silly. I have an AD server in the mix, and here is what I did on the Samba server:

    net -S 10.30.252.84 -U Administrator rpc rights grant 'ACTIVEDIR\Administrator' SeRestorePrivilege

I did this for Administrator and for user test1. When I run "net rpc rights list test1" or "net rpc rights list administrator", it shows that they have the privilege. But the change ownership still fails for me, saying the user doesn't have restore privilege.
Is "net sam rights" different from "net rpc rights"? The documentation refers to "net rpc". I'll try "net sam".
OK. It worked for me now, thanks. I used "net sam rights" and then had to restart the Samba daemons.
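The checks this thread converges on, written up as an added shell example (this is not code from the bug report or from Samba itself): confirm that privileges are enabled in smb.conf, check whether the caller's account holds SeRestorePrivilege on the Samba server rather than in AD, and otherwise print the grant commands. The smb.conf fragment and the rights listing are constructed inputs; the listing layout (account name on one line, one privilege per line, blank line between accounts) is assumed to match what "net rpc rights list accounts" prints, and chown_allowed only mirrors the two accepting branches of the try_chown() snippet quoted above.

```shell
#!/bin/sh
# Added example, not Samba project code. Models the two inputs an admin can
# inspect when "give ownership" fails in try_chown():
#   1. smb.conf: "enable privileges" must not be "no" (lp_enable_privileges()).
#   2. "net rpc rights list accounts": the caller's account must carry
#      SeRestorePrivilege (case 3); SeTakeOwnershipPrivilege only covers
#      taking the file for yourself (case 2).
# Both inputs below are constructed for this example.

SAMPLE_SMB_CONF='[global]
   workgroup = ACTIVEDIR
   security = ads
   enable privileges = yes

[share]
   path = /srv/share
'

# Assumed layout of "net rpc rights list accounts" output.
SAMPLE_RIGHTS='BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeRestorePrivilege

ACTIVEDIR\Administrator
SeRestorePrivilege

ACTIVEDIR\test1
SeTakeOwnershipPrivilege
'

# privileges_enabled CONF_TEXT -> 0 unless "enable privileges" is set to no
privileges_enabled() {
    val=$(printf '%s\n' "$1" \
          | sed -n 's/^[[:space:]]*enable privileges[[:space:]]*=[[:space:]]*//p' \
          | tail -n 1)
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
        no|false|0) return 1 ;;
        *)          return 0 ;;
    esac
}

# has_priv LISTING ACCOUNT PRIV -> 0 if ACCOUNT's block lists PRIV.
# Values go through the environment so awk does not mangle the backslash
# in DOMAIN\user names.
has_priv() {
    printf '%s\n' "$1" | ACCT="$2" PRIV="$3" awk '
        BEGIN { found = 0; in_acct = 0 }
        /^$/ { in_acct = 0; next }
        in_acct && $0 == ENVIRON["PRIV"] { found = 1 }
        !in_acct && $0 == ENVIRON["ACCT"] { in_acct = 1 }
        END { exit (found ? 0 : 1) }'
}

# chown_allowed CONF LISTING ACCOUNT TARGET_IS_SELF(yes|no)
# Mirrors try_chown(): take-ownership only when the target uid is the
# caller's own; chown to anyone else needs SeRestorePrivilege.
chown_allowed() {
    conf=$1; listing=$2; acct=$3; target_is_self=$4
    privileges_enabled "$conf" || return 1
    if [ "$target_is_self" = yes ] && \
       has_priv "$listing" "$acct" SeTakeOwnershipPrivilege; then
        return 0
    fi
    has_priv "$listing" "$acct" SeRestorePrivilege
}

# grant_hint ACCOUNT -> the two ways the thread used to assign the right.
# Privileges live in the Samba server's own database, not in AD.
grant_hint() {
    printf "net rpc rights grant '%s' SeRestorePrivilege\n" "$1"
    printf "net sam rights grant '%s' SeRestorePrivilege\n" "$1"
}

demo() {
    for who in 'ACTIVEDIR\Administrator' 'ACTIVEDIR\test1'; do
        if chown_allowed "$SAMPLE_SMB_CONF" "$SAMPLE_RIGHTS" "$who" no; then
            echo "$who: give ownership allowed"
        else
            echo "$who: give ownership denied; grant the right, then restart smbd:"
            grant_hint "$who"
        fi
    done
}
demo
```

To run this against a live server, replace SAMPLE_RIGHTS with the output of "net rpc rights list accounts" and SAMPLE_SMB_CONF with the real smb.conf; "net rpc rights grant" talks to smbd and needs credentials (-U), while "net sam rights grant" edits the local database directly, which is why the reporter restarted the daemons afterwards.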