Bug 6987 - NT_SET_SECURITY_DESC fails
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: File services (show other bugs)
Version: unspecified
Hardware: Other Linux
: P3 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: samba4-qa@samba.org
Depends on:
Blocks: 6600
  Show dependency treegraph
Reported: 2009-12-12 08:33 UTC by Matthieu Patou
Modified: 2010-03-05 01:18 UTC (History)
1 user (show)

See Also:

Fix proposal (1.21 KB, patch)
2010-03-01 07:53 UTC, Matthieu Patou
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Matthieu Patou 2009-12-12 08:33:34 UTC
With a user of the group administrator but not the default administrator (ie. CN=Administrator,CN=Users,...) the SMB command fails with NT_ACCESS_DENIED.

My hypothesis is that the NT_SET_SECURITY_DESC tries to set a owner that is not the current user but domain admin groups and the command is most probably executing with the right of the user in Linux. As a simple user can not change ownership of a file it is reported as an error to samba which after report it to the caller.
Comment 1 Matthieu Patou 2010-03-01 05:59:25 UTC
Tridge can you have a look on this pb ?
Comment 2 Matthieu Patou 2010-03-01 07:53:43 UTC
Created attachment 5435 [details]
Fix proposal

The function was trying to change owner/group but the user doing this might not have the root rights.
So I propose to become root during the time we change uid/gid.
Comment 3 Andrew Bartlett 2010-03-02 03:13:17 UTC
I have to say, the use of become_root() spooks me.  Please don't merge this until it has been carefully reviewed, and the change in our security architecture is approved. 
Comment 4 Matthieu Patou 2010-03-05 01:18:30 UTC
I test it's ok no more access denied on this kind of request.