[Samba] IE9 download manager and Samba share

The Ranger ranger at risk.ee
Thu Aug 25 03:44:38 MDT 2011


I have set up a Windows 2008 R2 domain controller and Samba file server 
(2:3.5.8) acting as a domain member (security = ads). Kerberos is 
working fine, access to user's directory on Samba server and saving 
files to mapped drive is OK.

But when I try to download something using IE9, the download manager 
cannot save any file to the network share. Does not matter if the user 
belongs to "Domain Admin" or "Domain Users" security group.

The problem looks exactly the same as described by Microsoft:


Download dialog disappears, then reappears again. And when clicking 
save, finally dismisses but only .partial file is saved to Samba share.

Microsoft says it's something to do with the permissions being set as 
"Change" not "Full Control" and they have supplied the patch for this 

The patch in my case is installed and I have tested the permission setup 
against the Win2008 domain controller. Everything is working fine. All 
users can download to a share even if they do not have the "Full 
Control" permission in that directory.

With Samba it went interesting: when launching IE9 as administrator 
(left click on icon, "Run as administrator") the download worked. The 
file was saved to the Samba share. It worked with whatever user was 
logged in to the workstation. Even when logging on locally and then 
accessing Samba as some domain user it was possible to complete the 
download as long as IE9 was running under administrator.

The only user who could save to Samba share directly was the domain 
administrator (DOMAIN\Administrator).

I used the vfs objects = full_audit to capture the VFS activity:

	http://files.risk.ee/smb_fail.txt (running as regular user)
	http://files.risk.ee/smb_success.txt (when running as admin)

Also tested with "smbd -d4":

	http://files.risk.ee/smbd_test_fail.txt (regular user)
	http://files.risk.ee/smbd_test_success.txt (admin)

I noticed that when failing the smbd was not happy about the buffer:


But unfortunately I'm more a Samba user than a developer therefore I 
cannot make any big conclusions about the logs.

And my conf is here (Ubuntu default with my changes):



More information about the samba mailing list