Windows Explorer Remote ACL editing to Samba - works from Windows 10 but not Windows 8.1

Steve French smfrench at gmail.com
Tue Nov 8 21:00:09 UTC 2016


Was experimenting with some ACL editing issues that our testers reported,
and ran into an interesting issue.

When you add an ACE for a remote user (i.e. a user on the Samba server) in
Windows Explorer's ACL editor (see e.g.
https://medschool.duke.edu/sites/medschool.duke.edu/files/upload/explorer_users_computers.jpg)

Our testers noticed (and I confirmed with e.g. Samba 4.5, on Fedora etc.)
that if you try to add an ACE for a user (in my case a user defined on the
remote system, i.e. the Samba server) from Windows 8.1 it fails, but for Windows
10 it works.

Comparing Wireshark traces:
1) netwkstagetinfo
2) getinfo on lsarpc
3) lsa_OpenPolicy2 (only on Windows 10)
4) lsa_LookupNames (only on Windows 10)
5) DsRoleGetPrimaryDomainInfo

Any idea why Samba doesn't act as expected for Windows 8.1 ACL editing to
work? Also, by the way, our testers found other versions (not just Windows
8.1) that failed - but most recent Windows (and IIRC Windows 7 as well)
worked.

-- 
Thanks,

Steve

