On Tue, Dec 18, 2012 at 12:24:04PM -0600, Steve Tice wrote: > Can anybody provide the expected response to an SMB2 CREATE request that > includes ACCESS_SYSTEM_SECURITY in the DesiredAccess mask? I’m particularly > interested in cases where the SMB client is connected as an authenticated > user with administrative (superuser) privileges on the share, and has made > the request on a directory. Should such a client expect full (read/change) > access to the SACL (under any conditions)? > > The question above is theoretical in nature. Practically speaking, does any > version of the Samba server respond correctly to the request described > above? I have a Windows application that makes such a request, and have > tested it against Samba server versions 3.5.10-125.el6 and 3.6.7. I keep > seeing a response of NT_STATUS_PRIVILEGE_NOT_HELD, and think that's not the > correct response when the client has superuser privileges - but perhaps my > expectation is wrong. If I make the same request while connected to a share > on a Windows server, the response is NT_STATUS_OK. > > Is there a Samba server configuration change I could make that would affect > the behavior? Is there any setup work to do prior to sending the SMB2 > CREATE request (for example, adding a privilege)?
You need to give the connected user the SeSecurity privilege. Jeremy -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba