On Tue, Feb 24, 2009 at 09:33:56PM +0100, François Legal wrote: > > > Hello, > I tried this week to upgrade my samba 3.2.4 (2 PDCs one trusting the > other) to samba 3.3.0 then samba 3.3.1, and apart from the problem > with winbindd and trusted domain, my users are not able to modify any > ms word document (excel does the same). > > You can open the file correctly, modify it, and when saving it, it > pops up "Access denied" > > If you try to save the file in the same directory with another name, > it does not work either (sam "access denied" message). > I tried to set og level to 10, but could not find anything pointing > me to the right direction. > Can anybody help ?
Ok, looking in the log I've found the problem. The application is asking for an access mask of 0x1020000, which maps to READ_CONTROL_ACCESS (which we grant) and SEC_RIGHT_SYSTEM_SECURITY (ie. access to the system security ACL - the audit ACL) on the file. >From this page: http://msdn.microsoft.com/en-us/library/aa379321(VS.85).aspx "SACL Access Right The ACCESS_SYSTEM_SECURITY access right controls the ability to get or set the SACL in an object's security descriptor. The system grants this access right only if the SE_SECURITY_NAME privilege is enabled in the access token of the requesting thread." We do not support the SE_SECURITY_NAME privilege and don't allow setting SACLs (we don't support them). Someone else has already raised this previously. Do your users have the SE_SECURITY_NAME privilege in their local tokens (ie. are they allowed to set SACLs on their local filesystem). Does this happen to non-privileged users ? A suggestion has been made to ignore the SEC_RIGHT_SYSTEM_SECURITY request (just mask it out) for filesystem access while we don't support SACLs, but I'm concerned as to why the application is trying to request it ? Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba