Re: [Samba] Fwd: STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
On Mon, Feb 27, 2012 at 04:55:29PM -0800, Jeremy Allison wrote:
> On Mon, Feb 27, 2012 at 03:12:49PM -0700, Tom Lee wrote:
> > -- Forwarded message --
> > From: Tom Lee tlee2...@gmail.com
> > Date: Mon, Feb 27, 2012 at 3:10 PM
> > Subject: Re: [Samba] STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
> > To: Jeremy Allison j...@samba.org
> >
> > Jeremy thanks for your response. I didn't actually build Samba from sources I'm just running the version of Samba that comes with OpenSuse v12.1 which is 3.6.1-34.3.1.x86_64. I'm pretty sure the chunk of code inside libcli/security/access_check.c you mentioned is enabled with this version, since before I gave the Administrator user SeSecurityPrivilege I was getting the NT_STATUS_PRIVILEGE_NOT_HELD error, then once I granted the privilege that error went away. But then I started getting the NT_STATUS_ACCESS_DENIED coming from the check in open.c smbd_calculate_access_mask. Please let me know if there is something else I should try or if you need any additional info on my configuration. Thanks.
>
> Ok, I've figured it out. The share security mask isn't being set correctly when you have these privileges. If you can build from source code, can you test the following patch (should apply cleanly to 3.6.x) ?

Actually, ignore that previous patch (breaks other tests). Try this one instead - I think this fixes the problem in the right place.

Jeremy.

diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 34b24f3..f57e57f 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c 
@@ -732,6 +732,33 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum) } / + Setup the share access mask for a connection. +/ + +static void create_share_access_mask(connection_struct *conn, int snum) +{ + const struct security_token *token = conn-session_info-security_token; + + share_access_check(token, + lp_servicename(snum), + MAXIMUM_ALLOWED_ACCESS, + conn-share_access); + + if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) { + conn-share_access |= SEC_FLAG_SYSTEM_SECURITY; + } + if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) { + conn-share_access |= (SEC_RIGHTS_PRIV_RESTORE); + } + if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) { + conn-share_access |= (SEC_RIGHTS_PRIV_BACKUP); + } + if (security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) { + conn-share_access |= (SEC_STD_WRITE_OWNER); + } +} + +/ Make a connection, given the snum to connect to, and the vuser of the connecting user if appropriate. / @@ -845,9 +872,7 @@ static connection_struct *make_connection_snum(struct smbd_server_connection *sc * */ - share_access_check(conn-session_info-security_token, - lp_servicename(snum), MAXIMUM_ALLOWED_ACCESS, - conn-share_access); + create_share_access_mask(conn, snum); if ((conn-share_access FILE_WRITE_DATA) == 0) { if ((conn-share_access FILE_READ_DATA) == 0) { -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
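Review bot: In create_share_access_mask(), the four privilege checks OR their bits into the connection's share_access after share_access_check() has already derived the mask from the share's security descriptor, so the share ACL can no longer withhold those rights from a token that holds the privilege. The second hunk then runs the existing FILE_WRITE_DATA and FILE_READ_DATA tests on the widened mask, so if SEC_RIGHTS_PRIV_RESTORE or SEC_RIGHTS_PRIV_BACKUP carry data read or write bits, those tests can change outcome for a privileged user. Please say in the function comment that privileges are meant to override the share ACL, and either confirm the tests after the call should see the widened mask or evaluate them on the ACL result before adding the privilege bits.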
Re: [Samba] Fwd: STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
I have tested with this fix and it looks like it does take care of the problem. We'll look forward to seeing this update in the latest 3.6.x codebase. Thanks a lot.

On Tue, Feb 28, 2012 at 10:42 AM, Jeremy Allison j...@samba.org wrote:
> On Mon, Feb 27, 2012 at 04:55:29PM -0800, Jeremy Allison wrote:
> > On Mon, Feb 27, 2012 at 03:12:49PM -0700, Tom Lee wrote:
> > > -- Forwarded message --
> > > From: Tom Lee tlee2...@gmail.com
> > > Date: Mon, Feb 27, 2012 at 3:10 PM
> > > Subject: Re: [Samba] STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
> > > To: Jeremy Allison j...@samba.org
> > >
> > > Jeremy thanks for your response. I didn't actually build Samba from sources I'm just running the version of Samba that comes with OpenSuse v12.1 which is 3.6.1-34.3.1.x86_64. I'm pretty sure the chunk of code inside libcli/security/access_check.c you mentioned is enabled with this version, since before I gave the Administrator user SeSecurityPrivilege I was getting the NT_STATUS_PRIVILEGE_NOT_HELD error, then once I granted the privilege that error went away. But then I started getting the NT_STATUS_ACCESS_DENIED coming from the check in open.c smbd_calculate_access_mask. Please let me know if there is something else I should try or if you need any additional info on my configuration. Thanks.
> >
> > Ok, I've figured it out. The share security mask isn't being set correctly when you have these privileges. If you can build from source code, can you test the following patch (should apply cleanly to 3.6.x) ?
>
> Actually, ignore that previous patch (breaks other tests). Try this one instead - I think this fixes the problem in the right place.
>
> Jeremy.
Re: [Samba] Fwd: STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
On Tue, Feb 28, 2012 at 01:22:38PM -0700, Tom Lee wrote:
> I have tested with this fix and it looks like it does take care of the problem. We'll look forward to seeing this update in the latest 3.6.x codebase. Thanks a lot.

Thanks ! It's tracked as bug #8784

https://bugzilla.samba.org/show_bug.cgi?id=8784
[Samba] Fwd: STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
-- Forwarded message --
From: Tom Lee tlee2...@gmail.com
Date: Mon, Feb 27, 2012 at 3:10 PM
Subject: Re: [Samba] STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
To: Jeremy Allison j...@samba.org

Jeremy thanks for your response. I didn't actually build Samba from sources I'm just running the version of Samba that comes with OpenSuse v12.1 which is 3.6.1-34.3.1.x86_64. I'm pretty sure the chunk of code inside libcli/security/access_check.c you mentioned is enabled with this version, since before I gave the Administrator user SeSecurityPrivilege I was getting the NT_STATUS_PRIVILEGE_NOT_HELD error, then once I granted the privilege that error went away. But then I started getting the NT_STATUS_ACCESS_DENIED coming from the check in open.c smbd_calculate_access_mask. Please let me know if there is something else I should try or if you need any additional info on my configuration. Thanks.

On Mon, Feb 27, 2012 at 2:44 PM, Jeremy Allison j...@samba.org wrote:
> On Fri, Feb 24, 2012 at 09:00:36AM -0700, Tom Lee wrote:
> > I've been trying to run a .NET app on Windows 2008 against a Samba v3.6.1 server running on OpenSuse x64 v12.1 but keep running into problems. What the .NET app is doing is trying to read the ACL for a directory using UNC path pointing to a directory below the users share on the samba server. The app is running as user Administrator. On the samba side the Administrator user has been given the following privileges: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, and SeTakeOwnershipPrivilege.
> >
> > Specifically the .NET/C# method call being made is below: In this case srcFolderName is something like \\SambaServer\users\Administrator:
> >
> >     DirectorySecurity srcFolderSecurity = Directory.GetAccessControl(srcFolderName, AccessControlSections.All);
> >
> > Calling this method results in an Exception.
> >
> > I can see from a Wireshark trace that the exception corresponds to an error being returned from a call to NTCreateAndx for a user folder named \Administrator and Access Mask set to 0x01020080. The bit that seems to cause problems when set is the System Security bit (0x0100). Originally before I had given user Administrator any privileges (using net rpc rights grant...), the NTCreateAndX response error was STATUS_PRIVILEGE_NOT_HELD. After granting privileges the error changed to STATUS_ACCESS_DENIED.
> >
> > Looking at the log.smbd with debugLevel = 10. I can see the following relevant trace info:
> >
> > [2012/02/23 12:35:24.190992, 10] smbd/open.c:1430(smbd_calculate_access_mask)
> >   smbd_calculate_access_mask: Access denied on file Administrator: rejected by share access mask[0x101F01FF] orig[0x01020080] mapped[0x01020080] reject[0x0100]
> > [2012/02/23 12:35:24.191049, 10] smbd/open.c:1761(open_file_ntcreate)
> >   open_file_ntcreate: smbd_calculate_access_mask on file Administrator returned NT_STATUS_ACCESS_DENIED
> > [2012/02/23 12:35:24.191107, 5] smbd/files.c:464(file_free)
> >   freed files structure 9877 (0 used)
> > [2012/02/23 12:35:24.191162, 10] smbd/open.c:3420(create_file_unixpath)
> >   create_file_unixpath: NT_STATUS_ACCESS_DENIED
> > [2012/02/23 12:35:24.191216, 10] smbd/open.c:3700(create_file_default)
> >   create_file: NT_STATUS_ACCESS_DENIED
>
> Ok, there is this chunk of code inside libcli/security/access_check.c
>
>     /* s3 had this with #if 0 previously. To be sure the merge
>        doesn't change any behaviour, we have the above #if check
>        on _SAMBA_BUILD_. */
>     if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
>         if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
>             bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
>         } else {
>             return NT_STATUS_PRIVILEGE_NOT_HELD;
>         }
>     }
>
> in the current v3-6-test git tree. Can you check if this is #ifdef'ed out in your code ?
>
> Jeremy.
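The rejection in the log line above is plain mask arithmetic, reproduced here as an added example that is not part of the original messages and is not Samba's code. The two mask values come from the log; the bit constants are the standard Windows access-mask values, and the privilege flags and function names are hypothetical.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Standard Windows access-mask bits (values from MS-DTYP). */
#define ACCESS_SYSTEM_SECURITY 0x01000000u /* access to the SACL */
#define WRITE_OWNER            0x00080000u
#define READ_CONTROL           0x00020000u
#define FILE_READ_ATTRIBUTES   0x00000080u

/* Hypothetical privilege flags, used by this model only. */
#define PRIV_SECURITY       0x1u /* SeSecurityPrivilege */
#define PRIV_TAKE_OWNERSHIP 0x2u /* SeTakeOwnershipPrivilege */

/* Requested bits that the share access mask does not cover. */
static uint32_t rejected_bits(uint32_t requested, uint32_t share_mask)
{
    return requested & ~share_mask;
}

/* Share mask from the ACL, widened by the bits two privileges confer.
 * Backup and restore rights are left out of this model. */
static uint32_t share_mask_with_privs(uint32_t acl_mask, uint32_t privs)
{
    uint32_t mask = acl_mask;

    if (privs & PRIV_SECURITY)
        mask |= ACCESS_SYSTEM_SECURITY;
    if (privs & PRIV_TAKE_OWNERSHIP)
        mask |= WRITE_OWNER;
    return mask;
}

int main(void)
{
    /* Both values are copied from the log.smbd line in the post. */
    const uint32_t requested = 0x01020080u; /* orig[...] */
    const uint32_t acl_mask = 0x101F01FFu;  /* share access mask[...] */
    const uint32_t widened = share_mask_with_privs(acl_mask, PRIV_SECURITY);

    /* Results are printed as full 32-bit values. */
    printf("ACL mask only: reject = 0x%08" PRIX32 "\n",
           rejected_bits(requested, acl_mask));
    printf("with SeSecurityPrivilege: mask = 0x%08" PRIX32
           ", reject = 0x%08" PRIX32 "\n",
           widened, rejected_bits(requested, widened));
    return 0;
}
```

With the ACL-derived mask alone, the only uncovered bit of the request is the system-security bit; once that bit is added for a holder of SeSecurityPrivilege, nothing is rejected.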
Re: [Samba] Fwd: STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
On Mon, Feb 27, 2012 at 03:12:49PM -0700, Tom Lee wrote:
> -- Forwarded message --
> From: Tom Lee tlee2...@gmail.com
> Date: Mon, Feb 27, 2012 at 3:10 PM
> Subject: Re: [Samba] STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
> To: Jeremy Allison j...@samba.org
>
> Jeremy thanks for your response. I didn't actually build Samba from sources I'm just running the version of Samba that comes with OpenSuse v12.1 which is 3.6.1-34.3.1.x86_64. I'm pretty sure the chunk of code inside libcli/security/access_check.c you mentioned is enabled with this version, since before I gave the Administrator user SeSecurityPrivilege I was getting the NT_STATUS_PRIVILEGE_NOT_HELD error, then once I granted the privilege that error went away. But then I started getting the NT_STATUS_ACCESS_DENIED coming from the check in open.c smbd_calculate_access_mask. Please let me know if there is something else I should try or if you need any additional info on my configuration. Thanks.

Ok, I've figured it out. The share security mask isn't being set correctly when you have these privileges. If you can build from source code, can you test the following patch (should apply cleanly to 3.6.x) ?

Jeremy.

diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c index a9b618f..0fbfeaa 100644 --- a/libcli/security/access_check.c +++ b/libcli/security/access_check.c 
@@ -115,6 +115,21 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd, granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL; } + if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) { + granted |= SEC_FLAG_SYSTEM_SECURITY; + } + + if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) { + granted |= (SEC_RIGHTS_PRIV_RESTORE); + } + if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) { + granted |= (SEC_RIGHTS_PRIV_BACKUP); + } + + if (security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) { + granted |= (SEC_STD_WRITE_OWNER); + } + if (sd-dacl == NULL) { return granted ~denied; } -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
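Review bot: The privilege-derived bits are added inside access_check_max_allowed(), a libcli/security helper that takes an arbitrary security descriptor, so every caller's maximum-allowed result changes, not only the share access mask the message names as the problem. Consider applying these grants at the point where the connection's share mask is built instead, and add a comment explaining why each privilege maps to the rights it is given. Minor style point: the parentheses around the single macros in the SEC_RIGHTS_PRIV_RESTORE, SEC_RIGHTS_PRIV_BACKUP and SEC_STD_WRITE_OWNER assignments are redundant.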
Re: [Samba] Fwd: STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
I'll see if I can pull down the sources and build with the added code and test. Thanks Jeremy.

On Mon, Feb 27, 2012 at 5:55 PM, Jeremy Allison j...@samba.org wrote:
> On Mon, Feb 27, 2012 at 03:12:49PM -0700, Tom Lee wrote:
> > -- Forwarded message --
> > From: Tom Lee tlee2...@gmail.com
> > Date: Mon, Feb 27, 2012 at 3:10 PM
> > Subject: Re: [Samba] STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set
> > To: Jeremy Allison j...@samba.org
> >
> > Jeremy thanks for your response. I didn't actually build Samba from sources I'm just running the version of Samba that comes with OpenSuse v12.1 which is 3.6.1-34.3.1.x86_64. I'm pretty sure the chunk of code inside libcli/security/access_check.c you mentioned is enabled with this version, since before I gave the Administrator user SeSecurityPrivilege I was getting the NT_STATUS_PRIVILEGE_NOT_HELD error, then once I granted the privilege that error went away. But then I started getting the NT_STATUS_ACCESS_DENIED coming from the check in open.c smbd_calculate_access_mask. Please let me know if there is something else I should try or if you need any additional info on my configuration. Thanks.
>
> Ok, I've figured it out. The share security mask isn't being set correctly when you have these privileges. If you can build from source code, can you test the following patch (should apply cleanly to 3.6.x) ?
>
> Jeremy.