Reported by Tom Lee <tlee2951@gmail.com>: > On Fri, Feb 24, 2012 at 09:00:36AM -0700, Tom Lee wrote: > > I've been trying to run a .NET app on Windows 2008 against a Samba v3.6.1 > > server running on OpenSuse x64 v12.1 but keep running into problems. > > > > What the .NET app is doing is trying to read the ACL for a directory > using > > UNC path pointing to a directory below the "users" share on the samba > > server. The app is running as user Administrator. On the samba side the > > Administrator user has been given the following priviliges: > > SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, and > > SeTakeOwnershipPrivilege. > > > > Specifically the .NET/C# method call being made is below: In this case > > srcFolderName is something like "\\SambaServer\users\Administrator": > > > > DirectorySecurity srcFolderSecurity = > > Directory.GetAccessControl(srcFolderName, AccessControlSections.All); > > > > Calling this method results in an Exception. I can see from a Wireshark > > trace that the exception corresponds to an error being returned from a > call > > to NTCreateAndx for a user folder named "\Administrator" and Access Mask > > set to 0x01020080. The bit that seems to cause problems when set is the > > System Security bit (0x01000000). > > > > Originally before I had given user Administrator any privileges (using > net > > rpc rights grant...), the NTCreateAndX response error was > > *STATUS_PRIVILEGE_NOT_HELD. > > After granting privileges the error changed to STATUS_ACCESS_DENIED. * > > * > > * > > *Looking at the log.smbd with debugLevel = 10. I can see the following > > relevant trace info:* > > * > > * > > * > > [2012/02/23 12:35:24.190992, 10] > > smbd/open.c:1430(smbd_calculate_access_mask) > > smbd_calculate_access_mask: Access denied on file Administrator: > rejected > > by share access mask[0x101F01FF] orig[0x01020080] mapped[0x01020080] > > reject[0x01000000] > > [2012/02/23 12:35:24.191049, 10] smbd/open.c:1761(open_file_ntcreate) > > open_file_ntcreate: smbd_calculate_access_mask on file Administrator > > returned NT_STATUS_ACCESS_DENIED > > [2012/02/23 12:35:24.191107, 5] smbd/files.c:464(file_free) > > freed files structure 9877 (0 used) > > [2012/02/23 12:35:24.191162, 10] smbd/open.c:3420(create_file_unixpath) > > create_file_unixpath: NT_STATUS_ACCESS_DENIED > > [2012/02/23 12:35:24.191216, 10] smbd/open.c:3700(create_file_default) > > create_file: NT_STATUS_ACCESS_DENIED
Created attachment 7352 [details] git-am fix for 3.6.next Fix applied to master, reported as fixing the bug by Tom Lee. Jeremy.
Comment on attachment 7352 [details] git-am fix for 3.6.next vl is out at the moment.
Comment on attachment 7352 [details] git-am fix for 3.6.next While this is not 100% correct (in adding the user's privileges to the tcon's share_access mask), I guess it is ok to take this for 3.6. In the long run, we might consider adding a mask to the user context and adding that up with the conn->share_access upon access.
Re-assigning to Karolin for inclusion in 3.6.next. Jeremy.
Pushed to v3-6-test. Closing out bug report. Thanks!