[Samba] explorer.exe crashes on security tab access

Glenn Bergeron glenn at gbitservices.ca
Fri Aug 17 13:56:32 UTC 2018


This is a long-standing issue going back at least a year from what I can see in mailing list archives.

Still not working as of Samba 4.8.3. I think MS broke something with one of the Windows 10 updates.
 
In my situation, this is a brand-new 4.8.3 install. For me the crashes happen when I try to edit the share folder permissions right out of the box from whatever Samba set in there by default. So, I tried blowing away all perms for the shares via command line on the Samba server, and lo and behold I’m now able to use Windows to edit and set the perms.
 
Anyway since no one anywhere seems to have posted a fix for this, (well, that I could find at least), this is what worked for me:
 
Blow away all ACLs and set a new fresh one that will give the Domain Admins group “Full Control” (in Windows terms), and full inheritance:
 
EXAMPLE:
 
smbcacls //yourserver/sharename / -U administrator%youradminpassword -S "ACL:<DOMAIN>\Domain Admins:ALLOWED/0x13/FULL"
 
..where <DOMAIN> is your domain – minus the brackets.
 
You should then be able to edit the share’s security as the YOURDOMAIN\administrator user.
 
Some background on smbcacls as follows:
 
The general command line is as follows:
 
smbcacls //server/sharename /path -U administrator%adminpassword <-S|-a> "ACL:<DOMAIN\username or groupname:ALLOWED|DENIED>/<FLAGS>/<MASK>"
 
-S or -a: -S will blow away all ACLs and add the one you specify. This is used if you want to start fresh. After you use -S, for any subsequent ACL additions you will use the -a flag.
 
FLAGS: Special things such as whether or not Inheritance is set, whether that inheritance is propagated, etc. This field is poorly documented no matter where you look, especially the man page. In most cases you’ll want 0x13 in that field, which means Object Inheritance (OI), Container Inheritance (CI), and whatever (I) is, because it’s not documented even at Microsoft’s ACE (what they call ACLs) page.
 
MASK: see the man page under the “ACL FORMAT” section. What’s NOT in the man page however is that you can also specify special permissions. IE: If you use the “Set special permissions” on a file in Windows. Generally speaking however, the options you would use would be either READ, CHANGE, or FULL. READ THE MAN PAGE IF YOU DON’T UNDERSTAND THESE!
 
This example will ADD an ACL, giving Domain Users change access, and retain Inheritance.
 
                smbcacls //server/share /MyDir -U administrator%youradminpassword -a "ACL:YOURDOMAIN\Domain Users:ALLOWED/0x13/CHANGE"
 
smbcacls does not support recursive changes. So if you want to set permissions for all files in a tree, script it on the command line as in the example below.
 
                find yourdir -exec smbcacls //server/share /{} -U administrator%youradminpassword -S "ACL:YOURDOMAIN\Domain Admins:ALLOWED/0x13/FULL" \;
 
- ‘yourdir’ is the directory you want to change, including all files and subdirs below it.
- //server/share / is the root of the share that ‘yourdir’ is on. If ‘yourdir’ is below that level, you need to put that path. EG: //server/share /path/to/{} (note I didn’t include ‘yourdir’ in that. Just up to the dir yourdir is in).


-Glenn
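
An added example, not part of the original post: a POSIX shell helper that splits an smbcacls ACE string like the ones above and names the bits in its FLAGS field. It uses the flag values (OI 0x1, CI 0x2, NP 0x4, IO 0x8, I 0x10) and the READ/CHANGE/FULL shorthands listed in the smbcacls man page; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: split an smbcacls ACE string of the form
#   ACL:<trustee>:<TYPE>/<FLAGS>/<MASK>
# and name the bits in FLAGS. Values are those listed in smbcacls(1).

# decode_ace_flags 0x13 prints OI|CI|I
decode_ace_flags() {
    case $1 in 0[xX]*) hex=${1#0[xX]} ;; *) return 1 ;; esac
    case $hex in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    val=$(( 0x$hex ))
    out=
    # OI/CI/NP/IO control propagation to children; I marks an inherited ACE.
    for pair in 1:OI 2:CI 4:NP 8:IO 16:I; do
        if [ $(( val & ${pair%%:*} )) -ne 0 ]; then
            out="${out:+$out|}${pair#*:}"
        fi
    done
    [ "$val" -le 31 ] || out="${out:+$out|}UNKNOWN"
    printf '%s\n' "${out:-none}"
}

# expand_mask FULL prints RWXDPO; other masks pass through unchanged.
expand_mask() {
    case $1 in
        READ)   printf 'RX\n' ;;
        CHANGE) printf 'RXWD\n' ;;
        FULL)   printf 'RWXDPO\n' ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

describe_ace() {
    case $1 in ACL:*:*/*/*) ;; *) return 1 ;; esac
    rest=${1#ACL:}
    trustee=${rest%:*}   # may contain spaces and a backslash
    perm=${rest##*:}     # TYPE/FLAGS/MASK
    kind=${perm%%/*}
    tail=${perm#*/}
    flags=$(decode_ace_flags "${tail%%/*}") || return 1
    mask=$(expand_mask "${tail#*/}")
    printf '%s %s flags=%s mask=%s\n' "$trustee" "$kind" "$flags" "$mask"
}

# The ACE from the post's example (placeholder domain name).
describe_ace 'ACL:YOURDOMAIN\Domain Admins:ALLOWED/0x13/FULL'
```
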



On 2018-08-17, 4:45 AM, "Kacper" <kacper at kacper.se> wrote:

    Clearly this is some kind of bug. Can you submit a bug report or should I?
    
    Also can you elaborate why it's bad practice to create files/folders as a
    local Unix user/group on a Samba DC?
    
    On Thu, Aug 16, 2018 at 9:50 PM, Rowland Penny via samba <
    samba at lists.samba.org> wrote:
    
    > On Thu, 16 Aug 2018 21:20:29 +0200
    > Kacper <kacper at kacper.se> wrote:
    >
    > > The same thing happens if the group on a file is wheel or any other
    > > unix group. I also now observed that this also happens to unix users
    > > that are not mapped in idmap.ldb.
    > >
    > > For example:
    > > # useradd myunixuser
    > > # touch myfile
    > > # chown myunixuser myfile
    > > # chgrp SAMDOM\sambauser myfile
    > >
    > > also crashes explorer.
    > >
    >
    > First and foremost, you shouldn't be creating files/folders in a Samba
    > share directory as a local Unix user/group on a Samba Unix domain member
    > or DC.
    >
    > Having said this, it shouldn't crash Explorer on Windows, but it does,
    > tested on win7 and win10
    >
    >
    
    




