STATUS_REPARSE and Access Denied

Hello,

Please help me for this problem.

Our filter driver was implemented to redirect open file requests to another
location based on the reparse point mechanism.
Here is the scenario to reproduce the problem symptom.
There is a file - c:\shareA\file1.txt on machineA that runs Windows XP.
Move the file - c:\shareA\file1.txt from machine A to
\machineB\shareB\file1.txt and create a reparse point as
c:\shareA\file1.txt on machine A.
The reparse point points to the file \machineB\shareB\file1.txt on machine
B that is another Windows XP machine.
Then map the directory shareA of machine A on a third machine C.
If I open the file \machineA\shareA\file1.txt from the machine C, an error
message - “Access Denied” is popped up on C.
My account is a member of domain administrator.
I can open the file c:\shareA\file1.txt that is a reparse point from machine
A, which actually opens the file on machine B by reparsing, without any
problem.

I don’t know what’s causing this “Access Denied” problem.
Your response is very important.

Thank you very much,

Shangwu

Shangwu,

You have an impersonation-level problem going from SRV on machine B to SRV on machine C. SRV on B sets the ImpersonationLevel in the
create thread’s security impersonation token to SecurityImpersonation, which is insufficient for going across the network to machine
C. You need the SRV on B to set ImpersonationLevel to SecurtityDelegation.

This article explains how you accomplish that:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod19.asp

Bruno Sartirana
Apogeo, Inc.
http://www.apogeo.com

-----Original Message-----
From: Shangwu [mailto:xxxxx@cox.net]
Sent: Friday, January 28, 2005 16:16
To: Windows File Systems Devs Interest List
Subject: [ntfsd] STATUS_REPARSE and Access Denied

Hello,

Please help me for this problem.

Our filter driver was implemented to redirect open file requests to another
location based on the reparse point mechanism.
Here is the scenario to reproduce the problem symptom.
There is a file - c:\shareA\file1.txt on machineA that runs Windows XP.
Move the file - c:\shareA\file1.txt from machine A to
\machineB\shareB\file1.txt and create a reparse point as
c:\shareA\file1.txt on machine A.
The reparse point points to the file \machineB\shareB\file1.txt on machine
B that is another Windows XP machine.
Then map the directory shareA of machine A on a third machine C.
If I open the file \machineA\shareA\file1.txt from the machine C, an error
message - “Access Denied” is popped up on C.
My account is a member of domain administrator.
I can open the file c:\shareA\file1.txt that is a reparse point from machine
A, which actually opens the file on machine B by reparsing, without any
problem.

I don’t know what’s causing this “Access Denied” problem.
Your response is very important.

Thank you very much,

Shangwu


Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@apogeo.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

I messed up the names. You go C->A->B. Therefore, machine A should be using SecurityDelegation to correctly propagate requests from
its clients to B.

Bruno Sartirana
Apogeo, Inc.
http://www.apogeo.com

-----Original Message-----
From: Bruno Sartirana [mailto:xxxxx@apogeo.com]
Sent: Friday, January 28, 2005 17:34
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] STATUS_REPARSE and Access Denied

Shangwu,

You have an impersonation-level problem going from SRV on machine B to SRV on machine C. SRV on B sets the ImpersonationLevel in the
create thread’s security impersonation token to SecurityImpersonation, which is insufficient for going across the network to machine
C. You need the SRV on B to set ImpersonationLevel to SecurtityDelegation.

This article explains how you accomplish that:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod19.asp

Bruno Sartirana
Apogeo, Inc.
http://www.apogeo.com

-----Original Message-----
From: Shangwu [mailto:xxxxx@cox.net]
Sent: Friday, January 28, 2005 16:16
To: Windows File Systems Devs Interest List
Subject: [ntfsd] STATUS_REPARSE and Access Denied

Hello,

Please help me for this problem.

Our filter driver was implemented to redirect open file requests to another
location based on the reparse point mechanism.
Here is the scenario to reproduce the problem symptom.
There is a file - c:\shareA\file1.txt on machineA that runs Windows XP.
Move the file - c:\shareA\file1.txt from machine A to
\machineB\shareB\file1.txt and create a reparse point as
c:\shareA\file1.txt on machine A.
The reparse point points to the file \machineB\shareB\file1.txt on machine
B that is another Windows XP machine.
Then map the directory shareA of machine A on a third machine C.
If I open the file \machineA\shareA\file1.txt from the machine C, an error
message - “Access Denied” is popped up on C.
My account is a member of domain administrator.
I can open the file c:\shareA\file1.txt that is a reparse point from machine
A, which actually opens the file on machine B by reparsing, without any
problem.

I don’t know what’s causing this “Access Denied” problem.
Your response is very important.

Thank you very much,

Shangwu


Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@apogeo.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@apogeo.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Bruno,

Thank you very much for this important information. Do you know which
Windows service is running LanmanServer (SRV) ?
I want to change the account of the service to another impersonated account.
But I cannot find the service from the service control panel.

Best regards,

Shangwu

“Bruno Sartirana” wrote in message news:xxxxx@ntfsd…
> Shangwu,
>
> You have an impersonation-level problem going from SRV on machine B to SRV
> on machine C. SRV on B sets the ImpersonationLevel in the
> create thread’s security impersonation token to SecurityImpersonation,
> which is insufficient for going across the network to machine
> C. You need the SRV on B to set ImpersonationLevel to SecurtityDelegation.
>
> This article explains how you accomplish that:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod19.asp
>
>
> Bruno Sartirana
> Apogeo, Inc.
> http://www.apogeo.com
>
>
> -----Original Message-----
> From: Shangwu [mailto:xxxxx@cox.net]
> Sent: Friday, January 28, 2005 16:16
> To: Windows File Systems Devs Interest List
> Subject: [ntfsd] STATUS_REPARSE and Access Denied
>
> Hello,
>
> Please help me for this problem.
>
> Our filter driver was implemented to redirect open file requests to
> another
> location based on the reparse point mechanism.
> Here is the scenario to reproduce the problem symptom.
> There is a file - c:\shareA\file1.txt on machineA that runs Windows XP.
> Move the file - c:\shareA\file1.txt from machine A to
> \machineB\shareB\file1.txt and create a reparse point as
> c:\shareA\file1.txt on machine A.
> The reparse point points to the file \machineB\shareB\file1.txt on
> machine
> B that is another Windows XP machine.
> Then map the directory shareA of machine A on a third machine C.
> If I open the file \machineA\shareA\file1.txt from the machine C, an
> error
> message - “Access Denied” is popped up on C.
> My account is a member of domain administrator.
> I can open the file c:\shareA\file1.txt that is a reparse point from
> machine
> A, which actually opens the file on machine B by reparsing, without any
> problem.
>
> I don’t know what’s causing this “Access Denied” problem.
> Your response is very important.
>
> Thank you very much,
>
> Shangwu
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@apogeo.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>

Shangwu,

You can’t do that. It’s a kernel driver. What you intend to do does not make sense. Try what I suggested and you’ll be fine.

Bruno Sartirana
Apogeo, Inc.
http://www.apogeo.com

-----Original Message-----
From: Shangwu [mailto:xxxxx@cox.net]
Sent: Saturday, January 29, 2005 7:58
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] STATUS_REPARSE and Access Denied

Bruno,

Thank you very much for this important information. Do you know which
Windows service is running LanmanServer (SRV) ?
I want to change the account of the service to another impersonated account.
But I cannot find the service from the service control panel.

Best regards,

Shangwu

“Bruno Sartirana” wrote in message news:xxxxx@ntfsd…
> Shangwu,
>
> You have an impersonation-level problem going from SRV on machine B to SRV
> on machine C. SRV on B sets the ImpersonationLevel in the
> create thread’s security impersonation token to SecurityImpersonation,
> which is insufficient for going across the network to machine
> C. You need the SRV on B to set ImpersonationLevel to SecurtityDelegation.
>
> This article explains how you accomplish that:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod19.asp
>
>
> Bruno Sartirana
> Apogeo, Inc.
> http://www.apogeo.com
>
>
> -----Original Message-----
> From: Shangwu [mailto:xxxxx@cox.net]
> Sent: Friday, January 28, 2005 16:16
> To: Windows File Systems Devs Interest List
> Subject: [ntfsd] STATUS_REPARSE and Access Denied
>
> Hello,
>
> Please help me for this problem.
>
> Our filter driver was implemented to redirect open file requests to
> another
> location based on the reparse point mechanism.
> Here is the scenario to reproduce the problem symptom.
> There is a file - c:\shareA\file1.txt on machineA that runs Windows XP.
> Move the file - c:\shareA\file1.txt from machine A to
> \machineB\shareB\file1.txt and create a reparse point as
> c:\shareA\file1.txt on machine A.
> The reparse point points to the file \machineB\shareB\file1.txt on
> machine
> B that is another Windows XP machine.
> Then map the directory shareA of machine A on a third machine C.
> If I open the file \machineA\shareA\file1.txt from the machine C, an
> error
> message - “Access Denied” is popped up on C.
> My account is a member of domain administrator.
> I can open the file c:\shareA\file1.txt that is a reparse point from
> machine
> A, which actually opens the file on machine B by reparsing, without any
> problem.
>
> I don’t know what’s causing this “Access Denied” problem.
> Your response is very important.
>
> Thank you very much,
>
> Shangwu
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@apogeo.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>


Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@apogeo.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

SRV.SYS which is a real SMB server is yes, a kernel driver. It talks raw
TDI (no sockets) to protocols and special FastIoMdlXxx to FSDs.

Nevertheless, there is also SRVSVC.DLL in user mode, which is “LanmanServer
service” and whose purpose is to provide the RPC facilities to manage the share
lists and so on.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Bruno Sartirana”
To: “Windows File Systems Devs Interest List”
Sent: Saturday, January 29, 2005 9:32 PM
Subject: RE: [ntfsd] STATUS_REPARSE and Access Denied

> Shangwu,
>
> You can’t do that. It’s a kernel driver. What you intend to do does not make
sense. Try what I suggested and you’ll be fine.
>
> Bruno Sartirana
> Apogeo, Inc.
> http://www.apogeo.com
>
> -----Original Message-----
> From: Shangwu [mailto:xxxxx@cox.net]
> Sent: Saturday, January 29, 2005 7:58
> To: Windows File Systems Devs Interest List
> Subject: Re:[ntfsd] STATUS_REPARSE and Access Denied
>
> Bruno,
>
> Thank you very much for this important information. Do you know which
> Windows service is running LanmanServer (SRV) ?
> I want to change the account of the service to another impersonated account.
> But I cannot find the service from the service control panel.
>
> Best regards,
>
> Shangwu
>
> “Bruno Sartirana” wrote in message news:xxxxx@ntfsd…
> > Shangwu,
> >
> > You have an impersonation-level problem going from SRV on machine B to SRV
> > on machine C. SRV on B sets the ImpersonationLevel in the
> > create thread’s security impersonation token to SecurityImpersonation,
> > which is insufficient for going across the network to machine
> > C. You need the SRV on B to set ImpersonationLevel to SecurtityDelegation.
> >
> > This article explains how you accomplish that:
> >
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod19.asp
> >
> >
> > Bruno Sartirana
> > Apogeo, Inc.
> > http://www.apogeo.com
> >
> >
> > -----Original Message-----
> > From: Shangwu [mailto:xxxxx@cox.net]
> > Sent: Friday, January 28, 2005 16:16
> > To: Windows File Systems Devs Interest List
> > Subject: [ntfsd] STATUS_REPARSE and Access Denied
> >
> > Hello,
> >
> > Please help me for this problem.
> >
> > Our filter driver was implemented to redirect open file requests to
> > another
> > location based on the reparse point mechanism.
> > Here is the scenario to reproduce the problem symptom.
> > There is a file - c:\shareA\file1.txt on machineA that runs Windows XP.
> > Move the file - c:\shareA\file1.txt from machine A to
> > \machineB\shareB\file1.txt and create a reparse point as
> > c:\shareA\file1.txt on machine A.
> > The reparse point points to the file \machineB\shareB\file1.txt on
> > machine
> > B that is another Windows XP machine.
> > Then map the directory shareA of machine A on a third machine C.
> > If I open the file \machineA\shareA\file1.txt from the machine C, an
> > error
> > message - “Access Denied” is popped up on C.
> > My account is a member of domain administrator.
> > I can open the file c:\shareA\file1.txt that is a reparse point from
> > machine
> > A, which actually opens the file on machine B by reparsing, without any
> > problem.
> >
> > I don’t know what’s causing this “Access Denied” problem.
> > Your response is very important.
> >
> > Thank you very much,
> >
> > Shangwu
> >
> >
> >
> > —
> > Questions? First check the IFS FAQ at
> > https://www.osronline.com/article.cfm?id=17
> >
> > You are currently subscribed to ntfsd as: xxxxx@apogeo.com
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
> >
> >
> >
>
>
>
> —
> Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@apogeo.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>
> —
> Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

Bruno,

It works. Thank you again.

Shangwu

“Bruno Sartirana” wrote in message news:xxxxx@ntfsd…
> Shangwu,
>
> You can’t do that. It’s a kernel driver. What you intend to do does not
> make sense. Try what I suggested and you’ll be fine.
>
> Bruno Sartirana
> Apogeo, Inc.
> http://www.apogeo.com
>
> -----Original Message-----
> From: Shangwu [mailto:xxxxx@cox.net]
> Sent: Saturday, January 29, 2005 7:58
> To: Windows File Systems Devs Interest List
> Subject: Re:[ntfsd] STATUS_REPARSE and Access Denied
>
> Bruno,
>
> Thank you very much for this important information. Do you know which
> Windows service is running LanmanServer (SRV) ?
> I want to change the account of the service to another impersonated
> account.
> But I cannot find the service from the service control panel.
>
> Best regards,
>
> Shangwu
>
> “Bruno Sartirana” wrote in message news:xxxxx@ntfsd…
>> Shangwu,
>>
>> You have an impersonation-level problem going from SRV on machine B to
>> SRV
>> on machine C. SRV on B sets the ImpersonationLevel in the
>> create thread’s security impersonation token to SecurityImpersonation,
>> which is insufficient for going across the network to machine
>> C. You need the SRV on B to set ImpersonationLevel to
>> SecurtityDelegation.
>>
>> This article explains how you accomplish that:
>> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod19.asp
>>
>>
>> Bruno Sartirana
>> Apogeo, Inc.
>> http://www.apogeo.com
>>
>>
>> -----Original Message-----
>> From: Shangwu [mailto:xxxxx@cox.net]
>> Sent: Friday, January 28, 2005 16:16
>> To: Windows File Systems Devs Interest List
>> Subject: [ntfsd] STATUS_REPARSE and Access Denied
>>
>> Hello,
>>
>> Please help me for this problem.
>>
>> Our filter driver was implemented to redirect open file requests to
>> another
>> location based on the reparse point mechanism.
>> Here is the scenario to reproduce the problem symptom.
>> There is a file - c:\shareA\file1.txt on machineA that runs Windows XP.
>> Move the file - c:\shareA\file1.txt from machine A to
>> \machineB\shareB\file1.txt and create a reparse point as
>> c:\shareA\file1.txt on machine A.
>> The reparse point points to the file \machineB\shareB\file1.txt on
>> machine
>> B that is another Windows XP machine.
>> Then map the directory shareA of machine A on a third machine C.
>> If I open the file \machineA\shareA\file1.txt from the machine C, an
>> error
>> message - “Access Denied” is popped up on C.
>> My account is a member of domain administrator.
>> I can open the file c:\shareA\file1.txt that is a reparse point from
>> machine
>> A, which actually opens the file on machine B by reparsing, without any
>> problem.
>>
>> I don’t know what’s causing this “Access Denied” problem.
>> Your response is very important.
>>
>> Thank you very much,
>>
>> Shangwu
>>
>>
>>
>> —
>> Questions? First check the IFS FAQ at
>> https://www.osronline.com/article.cfm?id=17
>>
>> You are currently subscribed to ntfsd as: xxxxx@apogeo.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>>
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@apogeo.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>