[Samba] Issues launching files from a Command Prompt

Toby Ovod-Everett toby at ovod-everett.org
Tue Jul 23 18:47:16 MDT 2013

Ever since upgrading from Fedora 17 to Fedora 19, which included moving from
Samba 3.* to 4.*, I've had issues opening files from a Windows Command Prompt.

I can open files fine from an Explorer window, but if I drop down to a Command
Prompt and type a file name, that no longer opens the file.  I've done some
poking around and discovered that if I set the execute bit on the files, then
everything works.  That said, I'd rather not set the execute bit on entire
swaths of directory trees, and this didn't seem to be an issue under Samba 3.

I used Procmon.exe to confirm that cmd.exe is definitely requesting
Execute/Traverse on the file and that the response is failing.  This behavior
also has interesting impacts on *.BAT files.  If I don't set the execute bit
(and I'd rather not, since I don't want Unix attempting to execute those
files), I can't launch *.BAT files from Explorer because Explorer checks
Execute/Traverse permissions.  I can, however, run the *.BAT file from a
Command Prompt, because it doesn't check Execute/Traverse!

So basically Windows does inconsistent things with the access permissions it
requests when opening files from a Command Prompt vs. Explorer.

Once again, I didn't have these issues until I migrated from 3.* to 4.*.  In
general, the Windows world generally grants Execute whenever it grants Read
and leaves it up to file extensions to control what runs.  I'd prefer not to
have to mess with the execute bit on the Unix side if I can - my preference is
for that bit to be reserved for controlling whether Unix considers the file to
be executable or not.

I've poked around, but I can't seem to find any setting in smb.conf that lets
me control the mapping from Unix permissions bits to Windows ACLs.  I'd really
like some sort of setting that allows me to say, "whenever you see the read
bit turned on, map that to "Read and Execute".  It's not so much how the ACLs
display in Windows that matters, since I've tried using "nt acl support = no"
and the underlying request still gets denied.  It's how Samba responds to the
desired access mask.


* Server is running Fedora 19 x86_64 w/ samba-4.0.7-1.fc19.x86_64
* Client is running Windows 7 x64 SP1

Interesting sections from smb.conf:

        map archive = no
        map hidden = no
        map read only = no
        map system = no
        store dos attributes = yes
        unix extensions = no

        comment = Home Directories
        browseable = no
        writable = yes
        hide files = /Thumbs.db*/desktop.ini/$RECYCLE.BIN/
        create mask = 0675
        directory mask = 0775
        wide links = yes

--Toby Ovod-Everett

More information about the samba mailing list