BUG: SeBackupPrivilege not honored by Vista when accessing SMB (version 1) shares

Mon, 13 Oct 2008 00:13:50 Z

I’ve found a bug in how Vista treats SeBackupPrivilege when accessing network shares exported by SMB version 1 servers. Even after SeBackupPrivilege is enabled in a Vista session, the SMB packets created by calls to FindFirstFile()/FindNextFile() will result in Access Denied if the NTFS ACL’s on the server would block the caller’s request. The result is that backup applications running on Vista cannot backup shares hosted on Windows 2003.

I’ve captured a packet trace using Microsoft Network Monitor 3.2 and attached it to this message. I believe the error can be seen in Frame 19. If you examine the FindFirst2ParamaterBlock section, you will see that BackupIntent is set to find without backup intent. This is an error. The BackupIntent needs to be enabled.

Download full capture

Interesting Note: I examined a similar packet trace initiated from a W2k3 client accessing the W2k3 server and it shows that BackupIntent is enabled. The request therefore succeeded.

What’s interesting is the problem does not manifest when accessing SMB2 exported shares. Vista clients have no difficulty accessing another Vista system acting as a server. The problem also does not manifest when W2k3 acts as a client accessing another W2k3 server (which is SMB version 1 to SMB version 1).

The problem only happens when accessing an SMB version 1 share exported from a W2k3 server, accessed from a Vista client.

The setup

On W2K3, create the folder C:\Temp\t\sub. Remove inheritance from the ACL of C:\Temp\t\sub. Set the owner to a non-administrator/”regular” user. Remove all other ACL’s. Share out C:\Temp

On Vista (32-bit Business Edition, SP1), open a command prompt as elevated Administrator. “NET USE” to the W2k3 share using the credentials of an account in the Backup Operator’s group of the W2k3 server.

Run the following program

#include "stdafx.h"

bool enablepriv(const TCHAR priv[]);

int recurse(TCHAR path[]);

int _tmain(int argc, _TCHAR* argv[]){

if (argc < 2) {

_tprintf(TEXT("usage: %s {path-name}\n"),argv[0]);

return -1;

}

if (enablepriv(SE_BACKUP_NAME) != TRUE)

return -1;

return recurse(argv[1]);

}

int recurse(TCHAR path[]) {

_tprintf(TEXT("DIR %s\\\n"),path);

TCHAR ppath[2048];

const size_t psz = 2048;

_tcscpy_s(ppath, psz, path);

_tcscat_s(ppath, psz, TEXT("\\*"));

WIN32_FIND_DATA fdata;

HANDLE hnd = FindFirstFile(ppath, &fdata);

if (hnd == INVALID_HANDLE_VALUE) {

_tprintf(TEXT("Can't access path %s, w32error %d\n"),path,GetLastError());

return -1;

}

do {

// skip '.' and '..'

if (_tcscmp(fdata.cFileName, TEXT(".")) == 0 || _tcscmp(fdata.cFileName,TEXT("..")) == 0)

continue;

if (fdata.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {

if (fdata.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) {

// skip reparse points

}

else{

_tcscpy_s(ppath, psz, path);

_tcscat_s(ppath, psz, TEXT("\\"));

_tcscat_s(ppath, psz, fdata.cFileName);

if (recurse(ppath) != 0)

return -1;

}

else{

_tprintf(TEXT("FILE %s\\%s\n"),path, fdata.cFileName);

}

} while(FindNextFile(hnd, &fdata) != 0);

DWORD rc = GetLastError();

FindClose(hnd);

if (rc != ERROR_NO_MORE_FILES) {

_tprintf(TEXT("Error retrieving directory %s, w32error %d\n"),path,rc);

return -1;

}

return 0;

}

bool enablepriv(const TCHAR priv[]) {

HANDLE token;

if (!OpenThreadToken(GetCurrentThread(),TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, TRUE, &token))

OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &token);

if (token == 0) {

_tprintf(TEXT("Unable to retrieve token. w32error %d\n"), GetLastError());

return FALSE;

}

LUID mluid;

if (0 == LookupPrivilegeValue(0, priv, &mluid)) {

_tprintf(TEXT("Can't lookup privilege %s, w32error %d\n"), priv, GetLastError());

return FALSE;

}

TOKEN_PRIVILEGES tp;

tp.PrivilegeCount = 1;

tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

tp.Privileges[0].Luid = mluid;

if (0 == AdjustTokenPrivileges(token, FALSE, &tp, 0, 0, 0)) {

_tprintf(TEXT("Can't adjust privilege, w32error %d\n"), GetLastError());

return FALSE;

}

if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {

_tprintf(TEXT("You lack the necessary privileges to set %s\n"), priv);

return FALSE;

}

return TRUE;

}

Any insight offered would be greatly appreciated.

---
Jim C.

Jim C

BUG: SeBackupPrivilege not honored by Vista when accessing SMB (version 1) shares

Mon, 13 Oct 2008 13:47:25 Z

Good morning Jim. I have alerted our Protocols Support team concerning your questions about [MS-SMB] and Vista SeBackupPrivilege. One of our team members will be in contact with you soon. Please note we may need to reroute your question to another internal team, as it might not be specific to the protocol documentation.

Thanks for your questions!

Escalation Engineer

BUG: SeBackupPrivilege not honored by Vista when accessing SMB (version 1) shares

Mon, 13 Oct 2008 16:20:02 Z

Good Morning Jim C.
My name is Obaid Farooqi and I would be helping you with this case.

Regards, Obaid Farooqi

BUG: SeBackupPrivilege not honored by Vista when accessing SMB (version 1) shares

Mon, 13 Oct 2008 16:56:52 Z

Sounds good Obaid. Let me know if I can provide further information.

Thanks
Jim C.

Jim C

BUG: SeBackupPrivilege not honored by Vista when accessing SMB (version 1) shares

Tue, 14 Oct 2008 17:32:44 Z

Hi Obaid.

Sorry to be a pest, but we've been working on this for quite some time, and we're now roadblocked.

Is there an update?

Jim C

BUG: SeBackupPrivilege not honored by Vista when accessing SMB (version 1) shares

Fri, 17 Oct 2008 23:06:29 Z

Good Afternoon Jim:
I am working on your problem. What exactly is the error you see on the Vista side when you run your program?

Regards, Obaid Farooqi

BUG: SeBackupPrivilege not honored by Vista when accessing SMB (version 1) shares

Sat, 18 Oct 2008 04:11:56 Z

(note, first map W2k3 share as h: drive)

C:\> SMBTest h:\t

DIR h:\t\
DIR h:\t\sub\
Can't access path h:\t\sub, w32error 5

Obaid, any chance I can get your email address?

Jim C

Jim C

BUG: SeBackupPrivilege not honored by Vista when accessing SMB (version 1) shares

Tue, 21 Oct 2008 00:25:52 Z

Good Afternoon Jim:
Looking at your code, I need info about a flag DF_NT_SMBS. Can you please send me the trace with negotiate command and response in it?

Regards, Obaid Farooqi

BUG: SeBackupPrivilege not honored by Vista when accessing SMB (version 1) shares

Tue, 21 Oct 2008 01:19:05 Z

Obaid,

I'd be happy to do as you ask, but I'm not sure what flag you're referring to. I don't use DT_NT_SMB in the code. Can you clarify what you mean?

Jim

Jim C

BUG: SeBackupPrivilege not honored by Vista when accessing SMB (version 1) shares

Tue, 21 Oct 2008 14:55:00 Z

Good Morning Jim:
I apologize for confusion. Please do not pay attention to the flag I mentioned. Please send me the trace with negotiate in it.

If you want to communicate through email there is a problem. Since this thread has public visibility, there may be people who are following this thread. Taking this thread private would be leaving other interested peoplebehind.

If you need to send me email (for something that you do not want to post or cannot post), you can send to dochelp@microsoft.com. Please mention the case number SRX081013600115 in the subject line.

Regards, Obaid Farooqi

BUG: SeBackupPrivilege not honored by Vista when accessing SMB (version 1) shares

Tue, 21 Oct 2008 22:54:14 Z

No problem.

I wasn't able to figure out how to post a trace using the forum, so I linked to it in my original article. For quick reference, here's the URL to download the full trace

http://www.carroll.com/images/smbcapture.cap

Jim

Jim C

BUG: SeBackupPrivilege not honored by Vista when accessing SMB (version 1) shares

Wed, 22 Oct 2008 16:58:16 Z

Good Morning Jim:
I looked at the trace but it does not have negotiate phase in it. Negotiate may happen earlier than running your program. It also may happen at the time you create the network drive. Here is how you can get a trace with negotiate in it.
1. Reboot your vista machine
2. start netmon.
3. create network drive
4. run your program.

Regards, Obaid Farooqi

BUG: SeBackupPrivilege not honored by Vista when accessing SMB (version 1) shares

Thu, 23 Oct 2008 14:09:59 Z

Got it.

You can download the trace from

http://www.carroll.com/images/Negotiate-HsvistaLab.cap

The trace was made from the server side of the conversation (a machine called AS10) using Microsoft Network Monitor 3.2.

For completeness, I all took a snapshot of "whoami /all" of the account AS10\Backups which was used to negotiate the session.

C:\>whoami /all

USER INFORMATION

----------------

User Name SID

============ ==============================================

as10\backups S-1-5-21-1948780959-2201808987-1963200826-1029

GROUP INFORMATION

-----------------

Group Name Type SID Attributes

================================ ================ ============ ===============================================================

Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group

BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group

BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group

BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group

BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner

NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group

NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group

NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group

LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group

NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION

----------------------

Privilege Name Description State

=============================== ========================================= ========

SeChangeNotifyPrivilege Bypass traverse checking Enabled

SeBackupPrivilege Back up files and directories Disabled

SeRestorePrivilege Restore files and directories Disabled

SeShutdownPrivilege Shut down the system Disabled

SeSecurityPrivilege Manage auditing and security log Disabled

SeSystemtimePrivilege Change the system time Disabled

SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled

SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled

SeDebugPrivilege Debug programs Disabled

SeSystemEnvironmentPrivilege Modify firmware environment values Disabled

SeSystemProfilePrivilege Profile system performance Disabled

SeProfileSingleProcessPrivilege Profile single process Disabled

SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled

SeLoadDriverPrivilege Load and unload device drivers Disabled

SeCreatePagefilePrivilege Create a pagefile Disabled

SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled

SeUndockPrivilege Remove computer from docking station Disabled

SeManageVolumePrivilege Perform volume maintenance tasks Disabled

SeImpersonatePrivilege Impersonate a client after authentication Enabled

SeCreateGlobalPrivilege Create global objects Enabled

Jim C

BUG: SeBackupPrivilege not honored by Vista when accessing SMB (version 1) shares

Tue, 28 Oct 2008 19:41:42 Z

Good Afternoon Jim C.:
The second trace has negotiate but it is missing the error part. Please send a trace from the very beginning (negotiate) all the way to the point where error happens.
If you have difficulty posting a big trace, you can email me at dochelp@microsoft.com. Please mention case number SRX081013600115 in the subject line.

Regards, Obaid Farooqi

BUG: SeBackupPrivilege not honored by Vista when accessing SMB (version 1) shares

Wed, 29 Oct 2008 15:17:23 Z

Hi Obaid,

As requested, I performed the complete trace (from negotiate all the way through to the refused access), and sent it tou you via email.

Jim

Jim C

BUG: SeBackupPrivilege not honored by Vista when accessing SMB (version 1) shares

Wed, 05 Nov 2008 23:01:41 Z

Hi Jim:

As per our conversation over email, it appears that the solution delivered (hotfix) to you resolves the issue you are facing. This issue arises due to a Windows Vista bug . You documented the situation in which this bug manifests itself in excellent detail in your original posting. For the benefit of the community, I would like to clarify that the proper channel to get help on this problem is through Windows Support.

Thank you for bringing this issue to our attention.

Regards, Obaid Farooqi

BUG: SeBackupPrivilege not honored by Vista when accessing SMB (version 1) shares

Mon, 26 Jan 2009 18:15:39 Z

Hi Obaid,

This bug in Vista is causing problems with our customers as well. Can you please post information or send me an email directly on how to access this hotfix?

Thanks,

Brian

BUG: SeBackupPrivilege not honored by Vista when accessing SMB (version 1) shares

Mon, 26 Jan 2009 20:08:21 Z

For those who stumble across this thread in the future. The issue has been repaired by Microsoft. They've issued a HotFix which is discussed in Knowledge base article KB950790 (http://support.microsoft.com/kb/950790).

We've tested it successfully on ~1 billion files/folders in the lab and in the field. It has worked flawlessly for us.

Jim C