On Wed, Mar 04, 2009 at 07:29:15PM +0100, Michele Petrazzo - Unipex srl wrote:
> Jeremy Allison wrote:
>> Ok, that's very helpful and also tells me why I've
>> seen few problem reports of this.
>>
>> Can you try the test patch for 3.3.1 I just
>> published ?
>
> The error changes:
> before I had a Access Deny and now a "there's been a network error"
>
> here is the picture:
> http://s5.tinypic.com/xcpug6.jpg
>
>> A wireshark trace between Office2K7
>> and a Windows server would also be very helpful.
>>
>
> I'll do in few minutes and I'll send you it.

Ok, I think the following patch should fix the issues you're seeing. It should apply on top of, or in place of my previous patch - shouldn't matter.

It causes all opens requiring SEC_RIGHT_SYSTEM_SECURITY to fail as Windows does with NT_STATUS_PRIVILEGE_NOT_HELD, which should cause the client to correctly back down and retry the open without this privilege.

Let me know if it works for you !

Thanks,

Jeremy.

diff --git a/source/smbd/open.c b/source/smbd/open.c index 9b51ff0..ee730c7 100644 --- a/source/smbd/open.c +++ b/source/smbd/open.c @@ -2382,6 +2382,14 @@ NTSTATUS open_directory(connection_struct *conn, return status; } + /* We need to support SeSecurityPrivilege for this. */ + if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) { + DEBUG(10, ("open_directory: open on %s " + "failed - SEC_RIGHT_SYSTEM_SECURITY denied.\n", + fname)); + return NT_STATUS_PRIVILEGE_NOT_HELD; + } + switch( create_disposition ) { case FILE_OPEN: @@ -2915,8 +2923,23 @@ NTSTATUS create_file_unixpath(connection_struct *conn, status = NT_STATUS_PRIVILEGE_NOT_HELD; goto fail; } +#else + /* We need to support SeSecurityPrivilege for this. */ + if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) { + status = NT_STATUS_PRIVILEGE_NOT_HELD; + goto fail; + } + /* Don't allow a SACL set from an NTtrans create until we + * support SeSecurityPrivilege. */ + if (!VALID_STAT(sbuf) && + lp_nt_acl_support(SNUM(conn)) && + sd && (sd->sacl != NULL)) { + status = NT_STATUS_PRIVILEGE_NOT_HELD; + goto fail; + } #endif + if ((conn->fs_capabilities & FILE_NAMED_STREAMS) && is_ntfs_stream_name(fname) && (!(create_options & NTCREATEX_OPTIONS_PRIVATE_STREAM_DELETE))) {
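
Review bot: In the open_directory() hunk the SEC_RIGHT_SYSTEM_SECURITY test is added with no preprocessor guard in the visible context, while the same test in create_file_unixpath() sits in the `#else` branch of a conditional. If the `#if` side of that conditional is meant to handle the right differently, directories and files will diverge on builds that take it; either wrap this check in the same conditional or note in the comment that directories are refused unconditionally. The comment "We need to support SeSecurityPrivilege for this." also reads as a statement of need rather than a reason for the denial; something like "SeSecurityPrivilege is not supported yet, so refuse as Windows does without the privilege" would tell the next reader why the early return exists.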
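
Review bot: Both new `goto fail` paths in the `#else` branch of create_file_unixpath() return NT_STATUS_PRIVILEGE_NOT_HELD silently, whereas the open_directory() hunk logs the denial with DEBUG(10, ...). Add a matching DEBUG(10, ...) naming fname before each `goto fail`, and make the two messages distinct, so a level 10 log shows whether an open was refused for the access mask bit or for the SACL in the supplied descriptor. The second test only fires when `!VALID_STAT(sbuf)`, that is, for a file that does not exist yet; the comment says "from an NTtrans create", and it would help to state that an sd carrying a SACL on an open of an existing file is deliberately not covered here. The hunk also adds a second blank line after `#endif`, which can be dropped.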