A new command called "sectrace" can help debug security problems (e.g. a user cannot chown a file with an NT ACL).
sectrace add -a -path /vol/software
will produce messages such as these:
Sun Feb 1 13:10:52 IST [jim: sectrace.filter.allowed:info]: [sectrace index: 2] Access allowed because 'Synchronize, Read Attributes' permission (0x100080) is granted on file or directory (Access allowed by an explicit access control entry) - Status: 1:58720452:0:0 - 10.1.20.107 - NT user name: support\administrator - UNIX user name: root(0) - Qtree security style is NTFS and NT ACL is set on file/directory - Path: /vol/software/
Typically there is no need to use -a since you only want to debug DENY replies.
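As an added example (not part of the original post and not NetApp code), this Python parser splits a sectrace message like the one above into its fields and decodes the access mask into Windows access-right names. The field layout is an assumption inferred from that single sample message, and all function and variable names are made up for the example.

```python
import re

# Access-mask bits from winnt.h; names are the Windows SDK constants, not ONTAP's wording.
ACCESS_BITS = {
    0x000001: "FILE_READ_DATA", 0x000002: "FILE_WRITE_DATA",
    0x000004: "FILE_APPEND_DATA", 0x000008: "FILE_READ_EA",
    0x000010: "FILE_WRITE_EA", 0x000020: "FILE_EXECUTE",
    0x000040: "FILE_DELETE_CHILD", 0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

# Assumption: field order and separators are inferred from the one sample below.
LINE_RE = re.compile(
    r"\[(?P<filer>[^:\]]+): sectrace\.filter\.(?P<verdict>\w+):\w+\]: "
    r"\[sectrace index: (?P<index>\d+)\] "
    r"(?P<reason>.*?'(?P<perms>[^']*)' permission \((?P<mask>0x[0-9a-fA-F]+)\).*?)"
    r" - Status: (?P<status>\S+) - (?P<client>\S+)"
    r" - NT user name: (?P<nt_user>.*?)"
    r" - UNIX user name: (?P<unix_user>[^(\s]+)\((?P<uid>\d+)\)"
    r" - (?P<style>.*?) - Path: (?P<path>.*)$"
)

# The message from the post, verbatim (raw strings keep the backslash in the NT name).
SAMPLE = (
    r"Sun Feb 1 13:10:52 IST [jim: sectrace.filter.allowed:info]: [sectrace index: 2] "
    r"Access allowed because 'Synchronize, Read Attributes' permission (0x100080) is "
    r"granted on file or directory (Access allowed by an explicit access control entry) "
    r"- Status: 1:58720452:0:0 - 10.1.20.107 - NT user name: support\administrator "
    r"- UNIX user name: root(0) - Qtree security style is NTFS and NT ACL is set on "
    r"file/directory - Path: /vol/software/"
)

def decode_mask(mask):
    """Names of the set bits, lowest first; unknown bits are shown as hex."""
    bits = (1 << i for i in range(mask.bit_length()))
    return [ACCESS_BITS.get(b, hex(b)) for b in bits if mask & b]

def parse_sectrace(line):
    """Return the message fields as a dict, or None if the line does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec.update(index=int(rec["index"]), uid=int(rec["uid"]), mask=int(rec["mask"], 16))
    rec["rights"] = decode_mask(rec["mask"])
    return rec
```

Comparing `rights` with the quoted permission text is a quick sanity check on the mask: the sample's 0x100080 decodes to exactly the two rights the message names.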