On Wed, Mar 04, 2009 at 07:29:15PM +0100, Michele Petrazzo - Unipex srl wrote:
> Jeremy Allison wrote:
>> Ok, that's very helpful and also tells me why I've
>> seen few problem reports of this.
>>
>> Can you try the test patch for 3.3.1 I just
>> published ?
>
> The error changes:
> before I had an Access Deny and now a "there's been a network error"
>
> here is the picture:
> http://s5.tinypic.com/xcpug6.jpg
>
>>  A wireshark trace between Office2K7
>> and a Windows server would also be very helpful.
>>
>
> I'll do it in a few minutes and I'll send it to you.

Ok, I think the following patch should fix the issues
you're seeing. It should apply on top of, or in place
of my previous patch - shouldn't matter.

It causes all opens requiring SEC_RIGHT_SYSTEM_SECURITY
to fail as Windows does with NT_STATUS_PRIVILEGE_NOT_HELD,
which should cause the client to correctly back down
and retry the open without this privilege.

Let me know if it works for you !

Thanks,

Jeremy.
diff --git a/source/smbd/open.c b/source/smbd/open.c
index 9b51ff0..ee730c7 100644
--- a/source/smbd/open.c
+++ b/source/smbd/open.c
@@ -2382,6 +2382,14 @@ NTSTATUS open_directory(connection_struct *conn,
                return status;
        }
 
+       /* We need to support SeSecurityPrivilege for this. */
+       if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) {
+               DEBUG(10, ("open_directory: open on %s "
+                       "failed - SEC_RIGHT_SYSTEM_SECURITY denied.\n",
+                       fname));
+               return NT_STATUS_PRIVILEGE_NOT_HELD;
+       }
+
        switch( create_disposition ) {
                case FILE_OPEN:
 
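Review bot: The comment on the new check in open_directory, "We need to support SeSecurityPrivilege for this.", reads as a requirement rather than as the reason the open is refused. Wording it like the comment in the second hunk ("until we support SeSecurityPrivilege") would make clear that this is a deliberate denial pending privilege support. The check here is also unconditional, while the matching check in create_file_unixpath is added under an #else branch; it is worth confirming that directories and files end up refusing SEC_RIGHT_SYSTEM_SECURITY under the same build conditions. Finally, the denial is only logged at DEBUG level 10, so an administrator chasing a client-side error will not see it at normal log levels; a lower level may be more useful while this is a known limitation.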
@@ -2915,8 +2923,23 @@ NTSTATUS create_file_unixpath(connection_struct *conn,
                status = NT_STATUS_PRIVILEGE_NOT_HELD;
                goto fail;
        }
+#else
+       /* We need to support SeSecurityPrivilege for this. */
+       if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) {
+               status = NT_STATUS_PRIVILEGE_NOT_HELD;
+               goto fail;
+       }
+       /* Don't allow a SACL set from an NTtrans create until we
+        * support SeSecurityPrivilege. */
+       if (!VALID_STAT(sbuf) &&
+                       lp_nt_acl_support(SNUM(conn)) &&
+                       sd && (sd->sacl != NULL)) {
+               status = NT_STATUS_PRIVILEGE_NOT_HELD;
+               goto fail;
+       }
 #endif
 
+
        if ((conn->fs_capabilities & FILE_NAMED_STREAMS)
            && is_ntfs_stream_name(fname)
            && (!(create_options & NTCREATEX_OPTIONS_PRIVATE_STREAM_DELETE))) {
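Review bot: Neither of the two new NT_STATUS_PRIVILEGE_NOT_HELD paths in the #else branch of create_file_unixpath logs anything, whereas the equivalent check added to open_directory emits a DEBUG(10, ...) line naming the file. Adding a matching DEBUG call before each "goto fail" would make the two code paths equally traceable. The SACL check is limited to the !VALID_STAT(sbuf) case with lp_nt_acl_support enabled; the comment should say why a descriptor carrying a SACL is only refused when the file does not yet exist, so a later reader does not take it for a complete SACL gate. The extra blank line added after #endif is unrelated whitespace and can be dropped.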