On Tue, Feb 24, 2009 at 09:33:56PM +0100, François Legal wrote:
> I tried this week to upgrade my samba 3.2.4 (2 PDCs one trusting the
> other) to samba 3.3.0 then samba 3.3.1, and apart from the problem
> with winbindd and trusted domain, my users are not able to modify any
> ms word document (excel does the same).
> You can open the file correctly, modify it, and when saving it, it
> pops up "Access denied"
> If you try to save the file in the same directory with another name,
> it does not work either (sam "access denied" message).
> I tried to set og level to 10, but could not find anything pointing
> me to the right direction.
> Can anybody help ?
Ok, looking in the log I've found the problem. The application
is asking for an access mask of 0x1020000, which maps to
READ_CONTROL_ACCESS (which we grant) and SEC_RIGHT_SYSTEM_SECURITY
(ie. access to the system security ACL - the audit ACL) on the
>From this page:
"SACL Access Right
The ACCESS_SYSTEM_SECURITY access right controls the ability to get or set the
SACL in an object's security descriptor. The system grants this access right
only if the SE_SECURITY_NAME privilege is enabled in the access token of the
We do not support the SE_SECURITY_NAME privilege and don't
allow setting SACLs (we don't support them).
Someone else has already raised this previously. Do your
users have the SE_SECURITY_NAME privilege in their local
tokens (ie. are they allowed to set SACLs on their local
filesystem). Does this happen to non-privileged users ?
A suggestion has been made to ignore the SEC_RIGHT_SYSTEM_SECURITY
request (just mask it out) for filesystem access while
we don't support SACLs, but I'm concerned as to why the
application is trying to request it ?
To unsubscribe from this list go to the following URL and read the