Re: [Samba] Can't modify ms word files with samba 3.3
On Tue, Mar 10, 2009 at 07:23:26AM +0100, Thomas Bork wrote: > David C. Rankin wrote: > >>> Ok, I think the following patch should fix the issues >>> you're seeing. It should apply on top of, or in place >>> of my previous patch - shouldn't matter. >>> It causes all opens requiring SEC_RIGHT_SYSTEM_SECURITY >>> to fail as Windows does with NT_STATUS_PRIVILEGE_NOT_HELD, >>> which should cause the client to correctly back down >>> and rety the open without this privilege. >>> Let me know if it works for you ! > > Is this fix also needed for Samba 3.0.x? I cannot find something in > > http://git.samba.org/?p=samba.git;a=shortlog;h=v3-0-test No, Samba 3.0.x doesn't do the acl checking in the same way so isn't affected by this bug. Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Can't modify ms word files with samba 3.3
David C. Rankin wrote: Ok, I think the following patch should fix the issues you're seeing. It should apply on top of, or in place of my previous patch - shouldn't matter. It causes all opens requiring SEC_RIGHT_SYSTEM_SECURITY to fail as Windows does with NT_STATUS_PRIVILEGE_NOT_HELD, which should cause the client to correctly back down and rety the open without this privilege. Let me know if it works for you ! Is this fix also needed for Samba 3.0.x? I cannot find something in http://git.samba.org/?p=samba.git;a=shortlog;h=v3-0-test -- der tom -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Can't modify ms word files with samba 3.3
Jeremy Allison wrote: > On Wed, Mar 04, 2009 at 07:29:15PM +0100, Michele Petrazzo - Unipex srl wrote: >> Jeremy Allison wrote: >>> Ok, that's very helpful and also tells me why I've >>> seen few problem reports of this. >>> >>> Can you try the test patch for 3.3.1 I just >>> published ? >> The error changes: >> before I had a Access Deny and now a "there's been a network error" >> >> here is the picture: >> http://s5.tinypic.com/xcpug6.jpg >> >>> A wireshark trace between Office2K7 >>> and a Windows server would also be very helpful. >>> >> I'll do in few minutes and I'll send you it. > > Ok, I think the following patch should fix the issues > you're seeing. It should apply on top of, or in place > of my previous patch - shouldn't matter. > > It causes all opens requiring SEC_RIGHT_SYSTEM_SECURITY > to fail as Windows does with NT_STATUS_PRIVILEGE_NOT_HELD, > which should cause the client to correctly back down > and rety the open without this privilege. > > Let me know if it works for you ! > > Thanks, > > Jeremy. > Jeremy, All, I installed 3.3.1 in standalone mode on openSuSE 11.0. No problems reading and writing MS Word files to/from the server with Word 2007 (word 97-03 .doc format) I pulled level 10's just in case anyone wanted to see them for comparison, etc.. (Not that they would show anything that exciting) -- David C. Rankin, J.D.,P.E. Rankin Law Firm, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 Telephone: (936) 715-9333 Facsimile: (936) 715-9339 www.rankinlawfirm.com -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Can't modify ms word files with samba 3.3
Jeremy Allison wrote: Ok, I think the following patch should fix the issues you're seeing. It should apply on top of, or in place of my previous patch - shouldn't matter. YES! It's the right one! Just tried with xp and Office2k7 and it correctly opens and save a .docx file! Thanks a lot! Michele -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Can't modify ms word files with samba 3.3
On Tue, Feb 24, 2009 at 09:33:56PM +0100, François Legal wrote:
>
>
> Hello,
> I tried this week to upgrade my samba 3.2.4 (2 PDCs one trusting the
> other) to samba 3.3.0 then samba 3.3.1, and apart from the problem
> with winbindd and trusted domain, my users are not able to modify any
> ms word document (excel does the same).
>
> You can open the file correctly, modify it, and when saving it, it
> pops up "Access denied"
>
> If you try to save the file in the same directory with another name,
> it does not work either (sam "access denied" message).
> I tried to set og level to 10, but could not find anything pointing
> me to the right direction.
> Can anybody help ?
Ok, I think this patch should fix the problem. If you can
confirm it works for you then I'll put it into 3.3.2.
Thanks !
Jeremy.
diff --git a/source/smbd/open.c b/source/smbd/open.c
index 9b51ff0..ee730c7 100644
--- a/source/smbd/open.c
+++ b/source/smbd/open.c
@@ -2382,6 +2382,14 @@ NTSTATUS open_directory(connection_struct *conn,
return status;
}
+ /* We need to support SeSecurityPrivilege for this. */
+ if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) {
+ DEBUG(10, ("open_directory: open on %s "
+ "failed - SEC_RIGHT_SYSTEM_SECURITY denied.\n",
+ fname));
+ return NT_STATUS_PRIVILEGE_NOT_HELD;
+ }
+
switch( create_disposition ) {
case FILE_OPEN:
@@ -2915,8 +2923,23 @@ NTSTATUS create_file_unixpath(connection_struct *conn,
status = NT_STATUS_PRIVILEGE_NOT_HELD;
goto fail;
}
+#else
+ /* We need to support SeSecurityPrivilege for this. */
+ if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) {
+ status = NT_STATUS_PRIVILEGE_NOT_HELD;
+ goto fail;
+ }
+ /* Don't allow a SACL set from an NTtrans create until we
+* support SeSecurityPrivilege. */
+ if (!VALID_STAT(sbuf) &&
+ lp_nt_acl_support(SNUM(conn)) &&
+ sd && (sd->sacl != NULL)) {
+ status = NT_STATUS_PRIVILEGE_NOT_HELD;
+ goto fail;
+ }
#endif
+
if ((conn->fs_capabilities & FILE_NAMED_STREAMS)
&& is_ntfs_stream_name(fname)
&& (!(create_options & NTCREATEX_OPTIONS_PRIVATE_STREAM_DELETE))) {
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Can't modify ms word files with samba 3.3
On Wed, Mar 04, 2009 at 07:29:15PM +0100, Michele Petrazzo - Unipex srl wrote:
> Jeremy Allison wrote:
>> Ok, that's very helpful and also tells me why I've
>> seen few problem reports of this.
>>
>> Can you try the test patch for 3.3.1 I just
>> published ?
>
> The error changes:
> before I had a Access Deny and now a "there's been a network error"
>
> here is the picture:
> http://s5.tinypic.com/xcpug6.jpg
>
>> A wireshark trace between Office2K7
>> and a Windows server would also be very helpful.
>>
>
> I'll do in few minutes and I'll send you it.
Ok, I think the following patch should fix the issues
you're seeing. It should apply on top of, or in place
of my previous patch - shouldn't matter.
It causes all opens requiring SEC_RIGHT_SYSTEM_SECURITY
to fail as Windows does with NT_STATUS_PRIVILEGE_NOT_HELD,
which should cause the client to correctly back down
and rety the open without this privilege.
Let me know if it works for you !
Thanks,
Jeremy.
diff --git a/source/smbd/open.c b/source/smbd/open.c
index 9b51ff0..ee730c7 100644
--- a/source/smbd/open.c
+++ b/source/smbd/open.c
@@ -2382,6 +2382,14 @@ NTSTATUS open_directory(connection_struct *conn,
return status;
}
+ /* We need to support SeSecurityPrivilege for this. */
+ if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) {
+ DEBUG(10, ("open_directory: open on %s "
+ "failed - SEC_RIGHT_SYSTEM_SECURITY denied.\n",
+ fname));
+ return NT_STATUS_PRIVILEGE_NOT_HELD;
+ }
+
switch( create_disposition ) {
case FILE_OPEN:
@@ -2915,8 +2923,23 @@ NTSTATUS create_file_unixpath(connection_struct *conn,
status = NT_STATUS_PRIVILEGE_NOT_HELD;
goto fail;
}
+#else
+ /* We need to support SeSecurityPrivilege for this. */
+ if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) {
+ status = NT_STATUS_PRIVILEGE_NOT_HELD;
+ goto fail;
+ }
+ /* Don't allow a SACL set from an NTtrans create until we
+* support SeSecurityPrivilege. */
+ if (!VALID_STAT(sbuf) &&
+ lp_nt_acl_support(SNUM(conn)) &&
+ sd && (sd->sacl != NULL)) {
+ status = NT_STATUS_PRIVILEGE_NOT_HELD;
+ goto fail;
+ }
#endif
+
if ((conn->fs_capabilities & FILE_NAMED_STREAMS)
&& is_ntfs_stream_name(fname)
&& (!(create_options & NTCREATEX_OPTIONS_PRIVATE_STREAM_DELETE))) {
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Can't modify ms word files with samba 3.3
On Wed, Mar 04, 2009 at 08:47:25AM +0100, Olivier Doremieux wrote:
> Hello,
>
> I have the same problem with samba 3.3.0 and 3.3.1. I use to be able to
> edit some MS Word file on a shared network.
> What should I do to fix this problem? Is there a way to change some
> config file?
Ok, I think I have a good fix for this. The key is to properly
cause smbd to return NT_STATUS_PRIVILEGE_NOT_HELD and get
the client to fallback when it's asking for SEC_RIGHT_SYSTEM_SECURITY
(security ACL audit access) which we don't currently support.
Can you please apply this patch on top of 3.3.1 and see if
it fixes the problem ?
This supercedes my previous patch, which didn't work
as it would only cause NT_STATUS_PRIVILEGE_NOT_HELD to
be returned on status opens, not all opens.
Thanks,
Jeremy.
diff --git a/source/smbd/open.c b/source/smbd/open.c
index 9b51ff0..ee730c7 100644
--- a/source/smbd/open.c
+++ b/source/smbd/open.c
@@ -2382,6 +2382,14 @@ NTSTATUS open_directory(connection_struct *conn,
return status;
}
+ /* We need to support SeSecurityPrivilege for this. */
+ if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) {
+ DEBUG(10, ("open_directory: open on %s "
+ "failed - SEC_RIGHT_SYSTEM_SECURITY denied.\n",
+ fname));
+ return NT_STATUS_PRIVILEGE_NOT_HELD;
+ }
+
switch( create_disposition ) {
case FILE_OPEN:
@@ -2915,8 +2923,23 @@ NTSTATUS create_file_unixpath(connection_struct *conn,
status = NT_STATUS_PRIVILEGE_NOT_HELD;
goto fail;
}
+#else
+ /* We need to support SeSecurityPrivilege for this. */
+ if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) {
+ status = NT_STATUS_PRIVILEGE_NOT_HELD;
+ goto fail;
+ }
+ /* Don't allow a SACL set from an NTtrans create until we
+* support SeSecurityPrivilege. */
+ if (!VALID_STAT(sbuf) &&
+ lp_nt_acl_support(SNUM(conn)) &&
+ sd && (sd->sacl != NULL)) {
+ status = NT_STATUS_PRIVILEGE_NOT_HELD;
+ goto fail;
+ }
#endif
+
if ((conn->fs_capabilities & FILE_NAMED_STREAMS)
&& is_ntfs_stream_name(fname)
&& (!(create_options & NTCREATEX_OPTIONS_PRIVATE_STREAM_DELETE))) {
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Can't modify ms word files with samba 3.3
On Wed, Mar 04, 2009 at 07:29:15PM +0100, Michele Petrazzo - Unipex srl wrote: > Jeremy Allison wrote: >> Ok, that's very helpful and also tells me why I've >> seen few problem reports of this. >> >> Can you try the test patch for 3.3.1 I just >> published ? > > The error changes: > before I had a Access Deny and now a "there's been a network error" > > here is the picture: > http://s5.tinypic.com/xcpug6.jpg Ok, thanks. So that's not the answer. >> A wireshark trace between Office2K7 >> and a Windows server would also be very helpful. >> > > I'll do in few minutes and I'll send you it. Great - that will help a *lot* in tracking this down. I really need to see what happens with an unprivileged user requesting security ACL access against a Windows server with Office2K7. Please do the trace as a non-Administrator group user, I need to see this work with the least privileged user you have :-). Thanks, Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Can't modify ms word files with samba 3.3
Jeremy Allison wrote: Ok, that's very helpful and also tells me why I've seen few problem reports of this. Can you try the test patch for 3.3.1 I just published ? The error changes: before I had a Access Deny and now a "there's been a network error" here is the picture: http://s5.tinypic.com/xcpug6.jpg A wireshark trace between Office2K7 and a Windows server would also be very helpful. I'll do in few minutes and I'll send you it. Michele -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Can't modify ms word files with samba 3.3
On Wed, Mar 04, 2009 at 06:56:40PM +0100, Michele Petrazzo - Unipex srl wrote: > François Legal wrote: >> > > > Same here. > My env are all inside virtualized machines: win2k server, debian lenny with > 3.3.1 as "servers" and joined into win2k domain, win2k pro and win xp pro > (both joined) as clients. > > I have 1 share (called test) where I made my tests. > > xp has office 2k7 and OpenOffice.org 3 > win2k has office 2k and OOo.org 3 > > (all the tests are with the same user logged on into the domain) > xp can create folders/files on share and can modify them with all the > programs, except office 2k7. with it, I receive an "Access Deny" > with OOo.org all works > > win2k can do anything with OOo.org and with office 2k > > files saved with office2k can be opened with office xp but not saved > > OOo.org can open and save the .doc files created with the 2k > > OOo.org can use the "share spreadsheet" function without problem! > > From my test appear that there is a problem only with 2k7 > > If you need I can send you the debug with level 10 > > P.s. I can also share my environment with the developers since are all > in vbox! Contact me for that. Ok, that's very helpful and also tells me why I've seen few problem reports of this. Can you try the test patch for 3.3.1 I just published ? A wireshark trace between Office2K7 and a Windows server would also be very helpful. Thanks, Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Can't modify ms word files with samba 3.3
François Legal wrote: Same here. My env are all inside virtualized machines: win2k server, debian lenny with 3.3.1 as "servers" and joined into win2k domain, win2k pro and win xp pro (both joined) as clients. I have 1 share (called test) where I made my tests. xp has office 2k7 and OpenOffice.org 3 win2k has office 2k and OOo.org 3 (all the tests are with the same user logged on into the domain) xp can create folders/files on share and can modify them with all the programs, except office 2k7. with it, I receive an "Access Deny" with OOo.org all works win2k can do anything with OOo.org and with office 2k files saved with office2k can be opened with office xp but not saved OOo.org can open and save the .doc files created with the 2k OOo.org can use the "share spreadsheet" function without problem! From my test appear that there is a problem only with 2k7 If you need I can send you the debug with level 10 P.s. I can also share my environment with the developers since are all in vbox! Contact me for that. Thanks, Michele -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Can't modify ms word files with samba 3.3
On Wed, Mar 04, 2009 at 08:47:25AM +0100, Olivier Doremieux wrote:
> Hello,
>
> I have the same problem with samba 3.3.0 and 3.3.1. I use to be able to
> edit some MS Word file on a shared network.
> What should I do to fix this problem? Is there a way to change some
> config file?
Can you try this patch please ? I'm trying to get more information
about this problem, and this would help me determine what might be
wrong.
Thanks,
Jeremy.
diff --git a/source/lib/util_seaccess.c b/source/lib/util_seaccess.c
index 0da7442..ab0f09b 100644
--- a/source/lib/util_seaccess.c
+++ b/source/lib/util_seaccess.c
@@ -179,17 +179,20 @@ NTSTATUS se_access_check(const struct security_descriptor
*sd,
bits_remaining));
}
-#if 0
- /* We need to support SeSecurityPrivilege for this. */
if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
+#if 0
+ /* We need to support SeSecurityPrivilege for this. */
if (user_has_privileges(token, &sec_security)) {
bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
} else {
return NT_STATUS_PRIVILEGE_NOT_HELD;
}
- }
+#else
+ return NT_STATUS_PRIVILEGE_NOT_HELD;
+
#endif
+ }
/* a NULL dacl allows access */
if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Can't modify ms word files with samba 3.3
On Thu, Feb 26, 2009 at 12:26:52AM +0100, François Legal wrote:
>
> To be honnest, I did not really understand what SACL is. Are you talking
> about file and directories ACLs ?
>
> How do I know if my users have the SE_SECURITY_NAME priviledge. My users
> (especially the one who is accessing the file in the log) are normal users
> without any specific priviledge (not even doamin admins nor local
> workstation admin). However, they're not prevented from setting files and
> directories ACLs neither on local nor network drives (they're welcome to as
> our filesystems are XFS).
>
> About the application requesting something specific, I don't know. The
> file was created with that same version of MS Word (2007) by that same user
> (the one trying to modify it as in the log) but with another samba version
> (one of 3.2.0 3.2.2 or 3.2.4)
>
> Where should I go from here?
Ok, can you try this patch against 3.3.1 ? It might change
client behavior, as at the moment we return NT_STATUS_ACCESS_DENIED
when a client asks for SEC_FLAG_SYSTEM_SECURITY access to a file
(which is a request to get at the system security audit ACL).
The patch changes our behavior to return an error of
NT_STATUS_PRIVILEGE_NOT_HELD
instead, which may then cause the client to fallback to asking
for less privileges on the open (thus allowing it to succeed).
Thanks,
Jeremy.
diff --git a/source/lib/util_seaccess.c b/source/lib/util_seaccess.c
index 0da7442..ab0f09b 100644
--- a/source/lib/util_seaccess.c
+++ b/source/lib/util_seaccess.c
@@ -179,17 +179,20 @@ NTSTATUS se_access_check(const struct security_descriptor
*sd,
bits_remaining));
}
-#if 0
- /* We need to support SeSecurityPrivilege for this. */
if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
+#if 0
+ /* We need to support SeSecurityPrivilege for this. */
if (user_has_privileges(token, &sec_security)) {
bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
} else {
return NT_STATUS_PRIVILEGE_NOT_HELD;
}
- }
+#else
+ return NT_STATUS_PRIVILEGE_NOT_HELD;
+
#endif
+ }
/* a NULL dacl allows access */
if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Can't modify ms word files with samba 3.3
On Wed, Mar 04, 2009 at 08:47:25AM +0100, Olivier Doremieux wrote: > Hello, > > I have the same problem with samba 3.3.0 and 3.3.1. I use to be able to > edit some MS Word file on a shared network. > What should I do to fix this problem? Is there a way to change some > config file? Can you get me a debug level 10 log of the problem. I've seen some reports of this and usually it's requests from the clients to open the files with the access bit SEC_FLAG_SYSTEM_SECURITY, which is a privilege we don't support. We *shouldn't* be allowing opens with this bit, as it is specific to modifying security (audit) ACLs which normal users don't have access to. Can you try from the same clients against a Windows server and see what is returned when clients request an open with SEC_FLAG_SYSTEM_SECURITY set ? A wireshark trace between a Word client and Windows server should show this. Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Can't modify ms word files with samba 3.3
Hello, I have the same problem with samba 3.3.0 and 3.3.1. I use to be able to edit some MS Word file on a shared network. What should I do to fix this problem? Is there a way to change some config file? Thanks in advance, Olivier DOREMIEUX -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Can't modify ms word files with samba 3.3
> Ok, looking in the log I've found the problem. The application > is asking for an access mask of 0x102, which maps to > > READ_CONTROL_ACCESS (which we grant) and SEC_RIGHT_SYSTEM_SECURITY > (ie. access to the system security ACL - the audit ACL) on the > file. > > From this page: > > http://msdn.microsoft.com/en-us/library/aa379321(VS.85).aspx > > "SACL Access Right > > The ACCESS_SYSTEM_SECURITY access right controls the ability to get or set > the SACL in an object's security descriptor. The system grants this access > right only if the SE_SECURITY_NAME privilege is enabled in the access token > of the requesting thread." > > We do not support the SE_SECURITY_NAME privilege and don't > allow setting SACLs (we don't support them). > > Someone else has already raised this previously. Do your > users have the SE_SECURITY_NAME privilege in their local > tokens (ie. are they allowed to set SACLs on their local > filesystem). Does this happen to non-privileged users ? > > A suggestion has been made to ignore the SEC_RIGHT_SYSTEM_SECURITY > request (just mask it out) for filesystem access while > we don't support SACLs, but I'm concerned as to why the > application is trying to request it ? > > Jeremy. To be honnest, I did not really understand what SACL is. Are you talking about file and directories ACLs ? How do I know if my users have the SE_SECURITY_NAME priviledge. My users (especially the one who is accessing the file in the log) are normal users without any specific priviledge (not even doamin admins nor local workstation admin). However, they're not prevented from setting files and directories ACLs neither on local nor network drives (they're welcome to as our filesystems are XFS). About the application requesting something specific, I don't know. The file was created with that same version of MS Word (2007) by that same user (the one trying to modify it as in the log) but with another samba version (one of 3.2.0 3.2.2 or 3.2.4) Where should I go from here? Thank youfor helping François -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Can't modify ms word files with samba 3.3
On Tue, Feb 24, 2009 at 09:33:56PM +0100, François Legal wrote: > > > Hello, > I tried this week to upgrade my samba 3.2.4 (2 PDCs one trusting the > other) to samba 3.3.0 then samba 3.3.1, and apart from the problem > with winbindd and trusted domain, my users are not able to modify any > ms word document (excel does the same). > > You can open the file correctly, modify it, and when saving it, it > pops up "Access denied" > > If you try to save the file in the same directory with another name, > it does not work either (sam "access denied" message). > I tried to set og level to 10, but could not find anything pointing > me to the right direction. > Can anybody help ? Ok, looking in the log I've found the problem. The application is asking for an access mask of 0x102, which maps to READ_CONTROL_ACCESS (which we grant) and SEC_RIGHT_SYSTEM_SECURITY (ie. access to the system security ACL - the audit ACL) on the file. >From this page: http://msdn.microsoft.com/en-us/library/aa379321(VS.85).aspx "SACL Access Right The ACCESS_SYSTEM_SECURITY access right controls the ability to get or set the SACL in an object's security descriptor. The system grants this access right only if the SE_SECURITY_NAME privilege is enabled in the access token of the requesting thread." We do not support the SE_SECURITY_NAME privilege and don't allow setting SACLs (we don't support them). Someone else has already raised this previously. Do your users have the SE_SECURITY_NAME privilege in their local tokens (ie. are they allowed to set SACLs on their local filesystem). Does this happen to non-privileged users ? A suggestion has been made to ignore the SEC_RIGHT_SYSTEM_SECURITY request (just mask it out) for filesystem access while we don't support SACLs, but I'm concerned as to why the application is trying to request it ? Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Can't modify ms word files with samba 3.3
On Tue, Feb 24, 2009 at 09:33:56PM +0100, François Legal wrote: > > > Hello, > I tried this week to upgrade my samba 3.2.4 (2 PDCs one trusting the > other) to samba 3.3.0 then samba 3.3.1, and apart from the problem > with winbindd and trusted domain, my users are not able to modify any > ms word document (excel does the same). > > You can open the file correctly, modify it, and when saving it, it > pops up "Access denied" > > If you try to save the file in the same directory with another name, > it does not work either (sam "access denied" message). > I tried to set og level to 10, but could not find anything pointing > me to the right direction. > Can anybody help ? Can you send in a debug level 10 log please. This was a bug we fixed for 3.3.1, so I'm concerned that it isn't working for you. Thanks, Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Can't modify ms word files with samba 3.3
Hello, I tried this week to upgrade my samba 3.2.4 (2 PDCs one trusting the other) to samba 3.3.0 then samba 3.3.1, and apart from the problem with winbindd and trusted domain, my users are not able to modify any ms word document (excel does the same). You can open the file correctly, modify it, and when saving it, it pops up "Access denied" If you try to save the file in the same directory with another name, it does not work either (sam "access denied" message). I tried to set og level to 10, but could not find anything pointing me to the right direction. Can anybody help ? François -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
