[Samba] explorer.exe and mmc.exe crashes on security tab access

Thu Aug 2 03:33:28 UTC 2018

Still not working as of Samba 4.8.3. I think MS broke something with one of the current Windows 10 updates personally. 

In my situation, this is a brand-new 4.8.3 install. For me the crashes happen when I try to edit the share folder permissions right out of the box from whatever Samba set in there by default. So, I tried blowing away all perms for the shares via command line on the Samba server, and low-and-behold I’m now able to use Windows to edit and set the perms.

Anyway since no one anywhere seems to have posted a fix for this, this is what worked for me:

Blow away all ACL’s and set a new fresh one that will give the Domain Admins group “Full Control” (in Windows terms), and full inheritance:

EXAMPLE:

smbcacls //yourserver/sharename / -U administrator%youradminpassword -S "ACL:<DOMAIN>\Domain Admins:ALLOWED/0x13/FULL"

..where <DOMAIN> is your domain – minus the brackets.

You should then be able to edit the share’s security as the YOURDOMAIN\administrator user.

Some background on smbcacls as follows:

The general command line is as follows:

smbcacls //server/sharename /path -U administrator%adminpassword <-S|-a> “ACL:<DOMAIN\username or groupname:ALLOWED|DENIED>/<FLAGS>/<MASK>

-S or -a: -S will blow away all ACL’s and add the one you specify. This is used if you want to start fresh. After you use -S, any subsequent ACL additions you will use the -a flag.

FLAGS: Special things such as whether or not Inheritance is set, whether that inheritance is propagated, etc. This field is poorly documented no matter where you look, especially the man page. In most cases you’ll want 0x13 in that field, which means Object Inheritance, (OI), Container Inheritance (CI), and what ever (I) is, because it’s not documented even at Microsoft’s ACE (what they call ACL’s) page.

MASK: see the man page under the “ACL FORMAT” section. What’s NOT in the man page however is that you can also specify special permissions. IE: If you use the “Set special permissions” on a file in Windows. Generally speaking however, the options you would use would be either READ, CHANGE, or FULL. READ THE MAN PAGE IF YOU DON’T UNDERSTAND THESE!

This example will ADD an ACL, giving Domain Users change access, and retain Inheritance.

                smbcacls //server/share /MyDir -U administrator%youradmiinpassword -a "ACL:YOURDOMAIN\Domain Users:ALLOWED/0x13/CHANGE"

smbcacls does not support recursive changes. So if you want to set permissions for all files in a tree, script it on the command line as in the example below.

                find yourdir -exec smbcacls //server/share /{} -U administrator%youradminpassword -S "ACL:YOURDOMAIN\Domain Admins:ALLOWED/0x13/FULL" \;

- ‘yourdir’ is the directory you want to change, including all files and subdirs below it.

- //server/share / is the root of the share that ‘yourdir’ is on. If ‘yourdir’ is below that level, you need to put that path. EG: //server/share /path/to/{} (note I didn’t include ‘yourdir’ in that. Just up to the dir yourdir is in).

On Fri, 23 Mar 2018 16:33:29 +0100
Renaud via samba <samba at lists.samba.org> wrote:

> Hi the list, 
> 
> I have updated to 4.8.0 after using 4.7.3
> root at samba:~# /usr/local/samba/sbin/samba -V
> Version 4.8.0
> 
> I compiled from source with the following options : 
> ./configure --enable-debug --enable-selftest 
> 

You don't need to add '--enable-debug --enable-selftest' to the
configure line, they are only needed if you want to run the tests or
the deprecated ntvfs.

This isn't your problem though, to put it bluntly, 4.8.0 is
probably borked, so you need to run the sambaundoguidindex script and
then go back to 4.7.x. Then wait until 4.8.1 comes out.

Rowland