renaud.rolles+samba at giraudbtp.com
2018-Mar-23 15:33 UTC
[Samba] explorer.exe and mmc.exe crashes on security tab access
Hi the list,
I have updated to 4.8.0 after using 4.7.3
root@samba:~# /usr/local/samba/sbin/samba -V
Version 4.8.0
I compiled from source with the following options:
./configure --enable-debug --enable-selftest
Samba apparently runs normally, but when I try to edit permissions via Windows,
explorer.exe crashes.
I don't get anything relevant from Samba's log.
But I get an error from Windows:
1 - When I try from Explorer (right click, Properties, Security tab)
<Event
xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2018-03-23T13:14:20.295605000Z" />
<EventRecordID>17061</EventRecordID>
<Channel>Application</Channel>
<Computer>DESKTOP-xxxEUDC.OBFUSCATEDDOMAIN</Computer>
<Security />
</System>
- <EventData>
<Data>explorer.exe</Data>
<Data>10.0.16299.248</Data>
<Data>18ee648b</Data>
<Data>ntdll.dll</Data>
<Data>10.0.16299.248</Data>
<Data>effc9126</Data>
<Data>c0000374</Data>
<Data>00000000000f87bb</Data>
<Data>25d0</Data>
<Data>01d3c2a4fd11124c</Data>
<Data>C:\WINDOWS\explorer.exe</Data>
<Data>C:\WINDOWS\SYSTEM32\ntdll.dll</Data>
<Data>8ea5ec30-9ffd-42d4-ac6f-4f87b9d34dae</Data>
<Data />
<Data />
</EventData>
</Event>
2 - With mmc.exe, I get 2 errors. The first one, after connecting to the DC and
clicking on SystemTools, is a localized error message saying:
Numéro de procédure hors de l'interval admis (1745)
This message raises an error:
<Event
xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-DistributedCOM"
Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}"
EventSourceName="DCOM" />
<EventID Qualifiers="0">10028</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2018-03-23T14:44:00.810939600Z" />
<EventRecordID>7352</EventRecordID>
<Correlation />
<Execution ProcessID="1000" ThreadID="7552" />
<Channel>System</Channel>
<Computer>DESKTOP-xxxEUDC.OBFUSCATEDDOMAIN </Computer>
<Security UserID="S-1-5-21-3281440387-2505246459-1686896579-1143"
/>
</System>
- <EventData>
<Data Name="param1">SAMBA</Data>
<Data Name="param2">2040</Data>
<Data Name="param3">C:\WINDOWS\system32\mmc.exe</Data>
<Data
Name="param4">{03837521-098B-11D8-9414-505054503030}</Data>
</EventData>
</Event>
Then right-clicking on a share and going to the security tab crashes mmc.exe
with the error:
<Event
xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2018-03-23T14:09:16.398231500Z" />
<EventRecordID>17073</EventRecordID>
<Channel>Application</Channel>
<Computer>DESKTOP-xxxEUDC.OBFUSCATEDDOMAIN </Computer>
<Security />
</System>
- <EventData>
<Data>mmc.exe</Data>
<Data>10.0.16299.248</Data>
<Data>06312878</Data>
<Data>ntdll.dll</Data>
<Data>10.0.16299.248</Data>
<Data>effc9126</Data>
<Data>c0000409</Data>
<Data>0000000000090d9f</Data>
<Data>19d0</Data>
<Data>01d3c2b05d0516aa</Data>
<Data>C:\WINDOWS\system32\mmc.exe</Data>
<Data>C:\WINDOWS\SYSTEM32\ntdll.dll</Data>
<Data>ccf7895e-f49e-44e7-aab7-633f6db2a69a</Data>
<Data />
<Data />
</EventData>
</Event>
But some shares are fine; I can go in and modify permissions from Windows.
Here is my running config:
root@samba:~# /usr/local/samba/bin/samba-tool testparm
Press enter to see a dump of your service definitions
# Global parameters
[global]
cups server = 10.0.0.3
dns forwarder = 10.0.0.2
log level = 0
max log size = 5000
netbios name = SAMBA
realm = OBFUSCATEDDOMAIN
server role = active directory domain controller
server signing = required
workgroup = FUUBAR
full_audit:priority = notice
full_audit:facility = local5
full_audit:success = mkdir rmdir sendfile rename unlink chmod chown symlink readlink link mknod write
full_audit:failure = connect
full_audit:prefix = %u|%I|%S
rpc_daemon:spoolssd = fork
rpc_server:spoolss = external
cups options = raw
hide files = /Thumbs.db/
veto files = /lost+found/
[netlogon]
path = /usr/local/samba/var/locks/sysvol/OBFUSCATEDDOMAIN/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[Partages]
path = /mnt/Partage
read only = No
vfs objects = full_audit
[Photos]
path = /mnt/Photos
read only = No
vfs objects = full_audit
[App1]
path = /mnt/App1
read only = No
[App2]
path = /mnt/App2
read only = No
[App3]
path = /mnt/App3
read only = No
vfs objects = full_audit
[Scan]
path = /mnt/Scan
read only = No
[Informatique]
path = /mnt/Informatique
read only = No
[printers]
browseable = No
comment = Toute les imprimantes
path = /usr/local/samba/var/spool
printable = Yes
read only = No
[print$]
comment = Point and Print Printer Drivers
path = /usr/local/samba/var/print
read only = No
I can change perms in [Informatique] but not in [App3].
Here are the file ACLs and perms:
ls -lah /mnt/
total 68K
drwxr-xr-x 12 root root 4.0K Mar 19 12:57 .
drwxr-xr-x 21 root root 4.0K Mar 19 12:57 ..
drwxrwx---+ 5 root root 4.0K Mar 21 12:05 Informatique
drwx------ 12 500 513 4.0K Sep 16 2015 App1
drwxr-xr-x 3 root root 4.0K Jul 23 2014 Logiciels
drwxrwx---+ 4 root TLS\domain admins 4.0K Feb 28 16:57 App3
drwxr-xr-x 2 root root 4.0K Aug 2 2017 Mail
drwxrwxr-x+ 12 root root 4.0K Mar 16 14:55 Partage
drwxrwx--x+ 14 root 503 4.0K Feb 16 13:50 Photos
drwxrwx---+ 17 root root 4.0K Jan 9 09:36 Scan
drwxr-xr-x 3 root root 4.0K May 20 2014 App2
Tried to set group for Domain Admins instead of root in App3
Was previously root:root
getfacl /mnt/Informatique/
getfacl: Removing leading '/' from absolute path names
# file: mnt/Informatique/
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000003:rwx
user:3000008:rwx
group::---
group:root:---
group:NT\040AUTHORITY\134authenticated\040users:rwx
group:TLS\134domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000003:rwx
default:user:3000008:rwx
default:group::---
default:group:root:---
default:group:NT\040AUTHORITY\134authenticated\040users:rwx
default:group:TLS\134domain\040admins:rwx
default:mask::rwx
default:other::---
getfacl /mnt/App3/
getfacl: Removing leading '/' from absolute path names
# file: mnt/App3/
# owner: root
# group: TLS\134domain\040admins
user::rwx
user:root:rwx
user:3000003:rwx
user:3000008:rwx
group::---
group:root:---
group:NT\040AUTHORITY\134authenticated\040users:rwx
group:TLS\134domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000003:rwx
default:user:3000008:rwx
default:group::---
default:group:root:---
default:group:NT\040AUTHORITY\134authenticated\040users:rwx
default:group:TLS\134domain\040admins:rwx
default:mask::rwx
default:other::---
root@samba:~# getfattr /mnt/Informatique/
root@samba:~# getfattr /mnt/App3/
Both are empty.
Any hint on what I have done and how to fix it?
Thank You
Renaud ROLLES
Rowland Penny
2018-Mar-23 16:41 UTC
[Samba] explorer.exe and mmc.exe crashes on security tab access
On Fri, 23 Mar 2018 16:33:29 +0100
Renaud via samba <samba at lists.samba.org> wrote:
> Hi the list,
>
> I have updated to 4.8.0 after using 4.7.3
> root@samba:~# /usr/local/samba/sbin/samba -V
> Version 4.8.0
>
> I compiled from source with the following options :
> ./configure --enable-debug --enable-selftest
>
You don't need to add '--enable-debug --enable-selftest' to the
configure line, they are only needed if you want to run the tests or
the deprecated ntvfs.
This isn't your problem though, to put it bluntly, 4.8.0 is
probably borked, so you need to run the sambaundoguidindex script and
then go back to 4.7.x. Then wait until 4.8.1 comes out.
Rowland
renaud.rolles+samba at giraudbtp.com
2018-Mar-30 09:08 UTC
[Samba] explorer.exe and mmc.exe crashes on security tab access
root@samba:~/samba-4.8.0/source4/scripting/bin# ./sambaundoguididx
Traceback (most recent call last):
  File "./sambaundoguididx", line 54, in <module>
    samdb.modify(modmsg)
_ldb.LdbError: (32, 'ldb_wait from (null) with LDB_WAIT_ALL: No such object (32)')
A transaction is still active in ldb context [0x57302778] on tdb:///var/lib/samba/private/sam.ldb
I tried restarting the server; it did nothing.
Is there a way to see what process (transaction) locks the db?
Still on 4.8 ATM.
Renaud
> This isn't your problem though, to put it bluntly, 4.8.0 is
> probably borked, so you need to run the sambaundoguidindex script and
> then go back to 4.7.x. Then wait until 4.8.1 comes out.
> Rowland
Glenn Bergeron
2018-Aug-02 03:33 UTC
[Samba] explorer.exe and mmc.exe crashes on security tab access
Still not working as of Samba 4.8.3. I think MS broke something with one of the
current Windows 10 updates personally.
In my situation, this is a brand-new 4.8.3 install. For me the crashes happen
when I try to edit the share folder permissions right out of the box from
whatever Samba set in there by default. So, I tried blowing away all perms for
the shares via command line on the Samba server, and lo and behold I’m now able
to use Windows to edit and set the perms.
Anyway since no one anywhere seems to have posted a fix for this, this is what
worked for me:
Blow away all ACLs and set a new fresh one that will give the Domain Admins
group “Full Control” (in Windows terms), and full inheritance:
EXAMPLE:
smbcacls //yourserver/sharename / -U administrator%youradminpassword -S "ACL:<DOMAIN>\Domain Admins:ALLOWED/0x13/FULL"
...where <DOMAIN> is your domain – minus the brackets.
You should then be able to edit the share’s security as the
YOURDOMAIN\administrator user.
Some background on smbcacls as follows:
The general command line is as follows:
smbcacls //server/sharename /path -U administrator%adminpassword <-S|-a> "ACL:<DOMAIN\username or groupname>:<ALLOWED|DENIED>/<FLAGS>/<MASK>"
-S or -a: -S will blow away all ACLs and add the one you specify. This is used
if you want to start fresh. After you use -S, for any subsequent ACL additions
you will use the -a flag.
FLAGS: Special things such as whether or not Inheritance is set, whether that
inheritance is propagated, etc. This field is poorly documented no matter where
you look, especially the man page. In most cases you’ll want 0x13 in that field,
which means Object Inheritance (OI), Container Inheritance (CI), and whatever
(I) is, because it’s not documented even at Microsoft’s ACE (what they call
ACLs) page.
MASK: see the man page under the “ACL FORMAT” section. What’s NOT in the man
page however is that you can also specify special permissions, i.e. if you use
the “Set special permissions” on a file in Windows. Generally speaking however,
the options you would use would be either READ, CHANGE, or FULL. READ THE MAN
PAGE IF YOU DON’T UNDERSTAND THESE!
This example will ADD an ACL, giving Domain Users change access, and retain
Inheritance.
smbcacls //server/share /MyDir -U administrator%youradminpassword -a "ACL:YOURDOMAIN\Domain Users:ALLOWED/0x13/CHANGE"
smbcacls does not support recursive changes. So if you want to set permissions
for all files in a tree, script it on the command line as in the example below.
find yourdir -exec smbcacls //server/share /{} -U administrator%youradminpassword -S "ACL:YOURDOMAIN\Domain Admins:ALLOWED/0x13/FULL" \;
- ‘yourdir’ is the directory you want to change, including all files and subdirs
below it.
- //server/share / is the root of the share that ‘yourdir’ is on. If ‘yourdir’
is below that level, you need to put that path. EG: //server/share /path/to/{}
(note I didn’t include ‘yourdir’ in that. Just up to the dir yourdir is in).
On Fri, 23 Mar 2018 16:33:29 +0100
Renaud via samba <samba at lists.samba.org> wrote:
> Hi the list,
>
> I have updated to 4.8.0 after using 4.7.3
> root@samba:~# /usr/local/samba/sbin/samba -V
> Version 4.8.0
>
> I compiled from source with the following options :
> ./configure --enable-debug --enable-selftest
>
You don't need to add '--enable-debug --enable-selftest' to the
configure line, they are only needed if you want to run the tests or
the deprecated ntvfs.
This isn't your problem though, to put it bluntly, 4.8.0 is
probably borked, so you need to run the sambaundoguidindex script and
then go back to 4.7.x. Then wait until 4.8.1 comes out.
Rowland
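
The recursive `find ... -exec smbcacls` loop from Glenn Bergeron's message, reworked as an added example (not code from any post in this thread): it reads credentials from an smbcacls authentication file (`-A`) so the admin password does not appear in the process list or shell history, passes paths as arguments so names with spaces survive, and defaults to a dry run because `-S` replaces the whole ACL. `apply_acl_tree`, its arguments and the sample server, share and domain names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. apply_acl_tree and its arguments are
# hypothetical names; server, share and domain values are constructed.
#
# usage: apply_acl_tree UNC SHARE_ROOT SUBDIR ACE AUTHFILE [dry|apply]
#   UNC         //server/share
#   SHARE_ROOT  local directory the share exports (e.g. /mnt/App3)
#   SUBDIR      tree below SHARE_ROOT to process
#   ACE         e.g. 'ACL:EXAMPLE\Domain Admins:ALLOWED/0x13/FULL'
#   AUTHFILE    Samba authentication file (username = / password = / domain =)
apply_acl_tree() {
    unc=$1 root=${2%/} sub=$3 ace=$4 auth=$5 mode=${6:-dry}

    # Refuse a credentials file that anyone but its owner can read.
    if [ -z "$(find "$auth" -prune \( -perm 600 -o -perm 400 \))" ]; then
        echo "refusing $auth: mode must be 0600 or 0400" >&2
        return 1
    fi

    # -exec ... {} + hands paths over as arguments, so spaces and other
    # odd characters in file names are never re-parsed by a shell.
    find "$root/$sub" -exec sh -c '
        unc=$1 root=$2 ace=$3 auth=$4 mode=$5
        shift 5
        for local_path in "$@"; do
            rel=${local_path#"$root"}     # path as seen inside the share
            if [ "$mode" = apply ]; then
                # -S replaces the whole ACL, as in the thread.
                smbcacls "$unc" "$rel" -A "$auth" -S "$ace" || exit 1
            else
                printf "smbcacls %s \"%s\" -A %s -S \"%s\"\n" \
                    "$unc" "$rel" "$auth" "$ace"
            fi
        done
    ' sh "$unc" "$root" "$ace" "$auth" "$mode" {} +
}
```

Review the dry-run output first, then pass `apply` as the sixth argument to make the changes.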