[Samba] STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask has System Security bit set

Tom Lee

Feb 24, 2012, 11:10:02 AM
I've been trying to run a .NET app on Windows 2008 against a Samba v3.6.1
server running on OpenSuse x64 v12.1 but keep running into problems.

What the .NET app is doing is trying to read the ACL for a directory using
a UNC path pointing to a directory below the "users" share on the Samba
server. The app is running as user Administrator. On the Samba side the
Administrator user has been given the following privileges:
SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, and
SeTakeOwnershipPrivilege.

Specifically, the .NET/C# method call being made is below. In this case
srcFolderName is something like "\\SambaServer\users\Administrator":

DirectorySecurity srcFolderSecurity =
Directory.GetAccessControl(srcFolderName, AccessControlSections.All);

Calling this method results in an Exception. I can see from a Wireshark
trace that the exception corresponds to an error being returned from a call
to NTCreateAndx for a user folder named "\Administrator" and Access Mask
set to 0x01020080. The bit that seems to cause problems when set is the
System Security bit (0x01000000).

Originally, before I had given user Administrator any privileges (using net
rpc rights grant...), the NTCreateAndX response error was
STATUS_PRIVILEGE_NOT_HELD.
After granting privileges the error changed to STATUS_ACCESS_DENIED.

Looking at the log.smbd with debugLevel = 10, I can see the following
relevant trace info:

[2012/02/23 12:35:24.190992, 10]
smbd/open.c:1430(smbd_calculate_access_mask)
smbd_calculate_access_mask: Access denied on file Administrator: rejected
by share access mask[0x101F01FF] orig[0x01020080] mapped[0x01020080]
reject[0x01000000]
[2012/02/23 12:35:24.191049, 10] smbd/open.c:1761(open_file_ntcreate)
open_file_ntcreate: smbd_calculate_access_mask on file Administrator
returned NT_STATUS_ACCESS_DENIED
[2012/02/23 12:35:24.191107, 5] smbd/files.c:464(file_free)
freed files structure 9877 (0 used)
[2012/02/23 12:35:24.191162, 10] smbd/open.c:3420(create_file_unixpath)
create_file_unixpath: NT_STATUS_ACCESS_DENIED
[2012/02/23 12:35:24.191216, 10] smbd/open.c:3700(create_file_default)
create_file: NT_STATUS_ACCESS_DENIED

Other things I've tried:

- Adding "admin users = Administrator" to the [users] share section in the
smb.conf
- Doing chmod 777 on all folders from the [users] share root and below

Am I missing anything? Is there anything else I can try to see if I can get
past the NT_STATUS_ACCESS_DENIED?

Thanks in advance for your help/suggestions.
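
The arithmetic behind the smbd_calculate_access_mask log line in the post above, as an added example (not part of the thread and not Samba source). The function names are hypothetical and the bit names are the Windows ones; Samba's source calls the 0x01000000 bit SEC_FLAG_SYSTEM_SECURITY.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows access-mask bit names (MS-DTYP); only the bits relevant here. */
static const struct { uint32_t bit; const char *name; } access_bits[] = {
    { 0x00000080, "FILE_READ_ATTRIBUTES" },
    { 0x00020000, "READ_CONTROL" },
    { 0x01000000, "ACCESS_SYSTEM_SECURITY" },
};

/* Bits the client requested that the share access mask does not grant. */
uint32_t rejected_bits(uint32_t desired, uint32_t share_mask) {
    return desired & ~share_mask;
}

/* Name the known bits set in mask, '|'-separated, into out. */
const char *describe_mask(uint32_t mask, char *out, size_t len) {
    out[0] = '\0';
    for (size_t i = 0; i < sizeof(access_bits) / sizeof(access_bits[0]); i++) {
        if (!(mask & access_bits[i].bit))
            continue;
        if (out[0] != '\0')
            strncat(out, "|", len - strlen(out) - 1);
        strncat(out, access_bits[i].name, len - strlen(out) - 1);
    }
    return out;
}

/* Extract share and requested masks from the smbd message; -1 if no match. */
int parse_reject_line(const char *line, uint32_t *share, uint32_t *orig) {
    const char *p = strstr(line, "share access mask[");
    unsigned int s, o;
    if (p == NULL || sscanf(p, "share access mask[%x] orig[%x]", &s, &o) != 2)
        return -1;
    *share = s; *orig = o;
    return 0;
}

int main(void) {
    /* Message text taken from the log.smbd excerpt in the post above. */
    const char *line = "rejected by share access mask[0x101F01FF] "
                       "orig[0x01020080] mapped[0x01020080] reject[0x01000000]";
    uint32_t share, orig;
    char names[128];
    if (parse_reject_line(line, &share, &orig) != 0)
        return 1;
    puts(describe_mask(rejected_bits(orig, share), names, sizeof(names)));
    return 0;
}
```

READ_CONTROL and FILE_READ_ATTRIBUTES fall inside the share mask 0x101F01FF, so the only bit left over is the System Security bit, which matches the reject[] value smbd logged.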

Jeremy Allison

Feb 27, 2012, 4:50:02 PM
Ok, there is this chunk of code inside libcli/security/access_check.c

    /* s3 had this with #if 0 previously. To be sure the merge
       doesn't change any behaviour, we have the above #if check
       on _SAMBA_BUILD_. */
    if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
        if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
            bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
        } else {
            return NT_STATUS_PRIVILEGE_NOT_HELD;
        }
    }

in the current v3-6-test git tree. Can you check if this is
#ifdef'ed out in your code ?

Jeremy.

Tom Lee

Feb 27, 2012, 5:20:02 PM
---------- Forwarded message ----------
From: Tom Lee <tlee...@gmail.com>
Date: Mon, Feb 27, 2012 at 3:10 PM
Subject: Re: [Samba] STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask
has System Security bit set
To: Jeremy Allison <j...@samba.org>


Jeremy, thanks for your response. I didn't actually build Samba from
sources; I'm just running the version of Samba that comes with OpenSuse
v12.1, which is 3.6.1-34.3.1.x86_64 .

I'm pretty sure the chunk of code inside libcli/security/access_check.c you
mentioned is enabled with this version, since before I gave the
Administrator user SeSecurityPrivilege I was getting the
NT_STATUS_PRIVILEGE_NOT_HELD error, then once I granted the privilege that
error went away. But then I started getting the NT_STATUS_ACCESS_DENIED
coming from the check in open.c smbd_calculate_access_mask.

Please let me know if there is something else I should try or if you need
any additional info on my configuration. Thanks.

Jeremy Allison

Feb 27, 2012, 8:00:02 PM
On Mon, Feb 27, 2012 at 03:12:49PM -0700, Tom Lee wrote:
> ---------- Forwarded message ----------
> From: Tom Lee <tlee...@gmail.com>
> Date: Mon, Feb 27, 2012 at 3:10 PM
> Subject: Re: [Samba] STATUS_ACCESS_DENIED with NTCreateAndX if Access Mask
> has System Security bit set
> To: Jeremy Allison <j...@samba.org>
>
>
> Jeremy, thanks for your response. I didn't actually build Samba from
> sources; I'm just running the version of Samba that comes with OpenSuse
> v12.1, which is 3.6.1-34.3.1.x86_64 .
>
> I'm pretty sure the chunk of code inside libcli/security/access_check.c you
> mentioned is enabled with this version, since before I gave the
> Administrator user SeSecurityPrivilege I was getting the
> NT_STATUS_PRIVILEGE_NOT_HELD error, then once I granted the privilege that
> error went away. But then I started getting the NT_STATUS_ACCESS_DENIED
> coming from the check in open.c smbd_calculate_access_mask.
>
> Please let me know if there is something else I should try or if you need
> any additional info on my configuration. Thanks.

Ok, I've figured it out. The share security mask isn't being
set correctly when you have these privileges.

If you can build from source code, can you test the
following patch (should apply cleanly to 3.6.x) ?

Jeremy.

Tom Lee

Feb 27, 2012, 8:20:05 PM
I'll see if I can pull down the sources and build with the added code and
test. Thanks Jeremy.

Jeremy Allison

Feb 28, 2012, 12:50:01 PM
Actually, ignore that previous patch (breaks other tests).
Try this one instead - I think this fixes the problem in
the right place.

Jeremy.

Tom Lee

Feb 28, 2012, 3:30:02 PM
I have tested with this fix and it looks like it does take care of the
problem. We'll look forward to seeing this update in the latest 3.6.x
codebase. Thanks a lot.

Jeremy Allison

Feb 28, 2012, 4:10:02 PM
On Tue, Feb 28, 2012 at 01:22:38PM -0700, Tom Lee wrote:
> I have tested with this fix and it looks like it does take care of the
> problem. We'll look forward to seeing this update in the latest 3.6.x
> codebase. Thanks a lot.

Thanks ! It's tracked as bug #8784

https://bugzilla.samba.org/show_bug.cgi?id=8784