Re: [Samba] Can't modify ms word files with samba 3.3

Wed, 04 Mar 2009 16:22:49 -0800 

On Wed, Mar 04, 2009 at 08:47:25AM +0100, Olivier Doremieux wrote:
> Hello,
>
> I have the same problem with samba 3.3.0 and 3.3.1. I use to be able to  
> edit some MS Word file on a shared network.
> What should I do to fix this problem? Is there a way to change some  
> config file?

Ok, I think I have a good fix for this. The key is to properly
cause smbd to return NT_STATUS_PRIVILEGE_NOT_HELD and get
the client to fallback when it's asking for SEC_RIGHT_SYSTEM_SECURITY
(security ACL audit access) which we don't currently support.

Can you please apply this patch on top of 3.3.1 and see if
it fixes the problem ?

This supercedes my previous patch, which didn't work
as it would only cause NT_STATUS_PRIVILEGE_NOT_HELD to
be returned on status opens, not all opens.

Thanks,

Jeremy.

diff --git a/source/smbd/open.c b/source/smbd/open.c
index 9b51ff0..ee730c7 100644
--- a/source/smbd/open.c
+++ b/source/smbd/open.c
@@ -2382,6 +2382,14 @@ NTSTATUS open_directory(connection_struct *conn,
                return status;
        }
 
+       /* We need to support SeSecurityPrivilege for this. */
+       if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) {
+               DEBUG(10, ("open_directory: open on %s "
+                       "failed - SEC_RIGHT_SYSTEM_SECURITY denied.\n",
+                       fname));
+               return NT_STATUS_PRIVILEGE_NOT_HELD;
+       }
+
        switch( create_disposition ) {
                case FILE_OPEN:
 
@@ -2915,8 +2923,23 @@ NTSTATUS create_file_unixpath(connection_struct *conn,
                status = NT_STATUS_PRIVILEGE_NOT_HELD;
                goto fail;
        }
+#else
+       /* We need to support SeSecurityPrivilege for this. */
+       if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) {
+               status = NT_STATUS_PRIVILEGE_NOT_HELD;
+               goto fail;
+       }
+       /* Don't allow a SACL set from an NTtrans create until we
+        * support SeSecurityPrivilege. */
+       if (!VALID_STAT(sbuf) &&
+                       lp_nt_acl_support(SNUM(conn)) &&
+                       sd && (sd->sacl != NULL)) {
+               status = NT_STATUS_PRIVILEGE_NOT_HELD;
+               goto fail;
+       }
 #endif
 
+
        if ((conn->fs_capabilities & FILE_NAMED_STREAMS)
            && is_ntfs_stream_name(fname)
            && (!(create_options & NTCREATEX_OPTIONS_PRIVATE_STREAM_DELETE))) {

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Reply via email to