samba - Aug 2018 - explorer.exe crashes on security tab access

The OS is Windows 7 Enterprise (build 7601, SP1). Samba version 4.8.3,
compiled on Centos 7.4.

smb.conf:
# Global parameters
[global]
        dns forwarder = none
        log level = 1
        netbios name = DC1
        realm = SAMDOM.TEST
        server role = active directory domain controller
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/samdom.test/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[Demo]
      path = /srv/samba/Demo
        read only = No
        create mask = 0666
        directory mask = 0777
        inherit permissions = Yes
        inherit acls = Yes
        browsable = Yes

The shared directory looks like this:
[root at dc1 Demo]# ls -la /srv/samba/Demo
total 0
drwxr-xr-x. 2 root root 31 Aug 16 19:54 .
drwxr-xr-x. 3 root root 18 Aug 16 19:49 ..
-rw-r--r--. 1 root root  0 Aug 16 19:54 alpha
-rw-r--r--. 1 root root  0 Aug 16 19:54 beta

getfacl returns:
[root at dc1 Demo]# getfacl /srv/samba/Demo/alpha
# file: alpha
# owner: root
# group: root
user::rw-
group::r--
other::r--

The crash only happens when a local unix group (in this case root) is set
as the group for the shared file.

/ Kacper


>>  By primary group I mean the group that is set by chgrp. that is the
>>  group returned after the pound key (#) from getfacl. In other words
>>  the Unix group and not the one managed by ACLs.
>>
>>> That is not necessarily the users primary group, the users primary
>>>  group is the one displayed by 'getent passwd username'
e.g.
>>>
>>>  root at dc4:~# getent passwd SAMDOM\\rowland
>>>  SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>>>
>>>  The second number is the users primary group, in this case
'10000',
>>>  which is:
>>>
>>>  root at dc4:~# getent group 10000
>>>  SAMDOM\domain users:x:10000:
>>>
>>>  But if I create a file in a share and ensure it belongs to the
user
>>>  with a group that isn't the users primary group (which seems
to be what
>>>  you are describing), I get:
>>>
>>>  root at dc4:~# ls -la /srv/samba/Demo/test.txt
>>>  -rw-rwxr--+ 1 SAMDOM\rowland SAMDOM\unixgroup 0 Aug 16 11:29
/srv/samba/Demo/test.txt
>>>
>>>  And getfacl shows:
>>>
>>>  root at dc4:~# getfacl /srv/samba/Demo/test.txt
>>>  getfacl: Removing leading '/' from absolute path names
>>>  # file: srv/samba/Demo/test.txt
>>>  # owner: SAMDOM\134rowland
>>>  # group: SAMDOM\134unixgroup
>>>  user::rw-
>>>  user:root:rw-
>>>  user:SAMDOM\134rowland:rw-
>>>  group::r--
>>>  group:SAMDOM\134unixgroup:r--
>>>  group:SAMDOM\134unix\040admins:rw-
>>>  mask::rwx
>>>  other::r--
>>>
>>>  If I now go to a Win7 machine, log in as 'rowland', open
explorer and
>>>  navigate to the file, right click it, select 'Properties'
->
>>>  'Security', it opens correctly (without crashing) and
displays the
>>>  owners etc.
>>>
>>>  The share in smb.conf is this:
>>>  [Demo]
>>>         path = /srv/samba/Demo/
>>>         read only = no
>>>
>>>  If it is crashing for you, we need to know why.
>>>  What OS ?
>>>  What version of Samba ?
>>>  What is in your smb.conf ?
>>>  What is the DC ?
>>>
>>>  Rowland

On Thu, 16 Aug 2018 20:16:03 +0200
Kacper <kacper at kacper.se> wrote:
> The OS is Windows 7 Enterprise (build 7601, SP1). Samba version 4.8.3,
> compiled on Centos 7.4.
> 
> smb.conf:
> # Global parameters
> [global]
>         dns forwarder = none
Why have you not set a forwarder ? does this domain (and its clients)
not connect to the internet ?
>         log level = 1
>         netbios name = DC1
>         realm = SAMDOM.TEST
>         server role = active directory domain controller
>         workgroup = SAMDOM
>         idmap_ldb:use rfc2307 = yes
> 
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/samdom.test/scripts
>         read only = No
> 
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
> 
> [Demo]
>       path = /srv/samba/Demo
>         read only = No
>         create mask = 0666
>         directory mask = 0777
>         inherit permissions = Yes
>         inherit acls = Yes
>         browsable = Yes
And there is probably your problem, this is a DC and you shouldn't
use the 'create mask', 'directory mask' lines, the last three
lines
should be removed as well.
> 
> The shared directory looks like this:
> [root at dc1 Demo]# ls -la /srv/samba/Demo
> total 0
> drwxr-xr-x. 2 root root 31 Aug 16 19:54 .
> drwxr-xr-x. 3 root root 18 Aug 16 19:49 ..
> -rw-r--r--. 1 root root  0 Aug 16 19:54 alpha
> -rw-r--r--. 1 root root  0 Aug 16 19:54 beta
> 
> getfacl returns:
> [root at dc1 Demo]# getfacl /srv/samba/Demo/alpha
> # file: alpha
> # owner: root
> # group: root
> user::rw-
> group::r--
> other::r--
> 
> The crash only happens when a local unix group (in this case root) is
> set as the group for the shared file.
There is one very big problem with that theory, Administrator is
mapped (in idmap.ldb) to root, so when you read 'root' on a DC, you
can also read 'Administrator' (Which is most definitely a Domain
user) ;-)

Rowland

On Thu, Aug 16, 2018 at 07:35:46PM +0100, Rowland Penny via samba
wrote:
> > 
> > The crash only happens when a local unix group (in this case root) is
> > set as the group for the shared file.
> 
> There is one very big problem with that theory, Administrator is
> mapped (in idmap.ldb) to root, so when you read 'root' on a DC, you
> can also read 'Administrator' (Which is most definitely a Domain
> user) ;-)
Whatever the case explorer.exe shouldn't crash on any data
returned from the server. If it does that's a possible
security flaw and you should report it immediately to
Microsoft (I just fixed a similar problem with libsmbclient
in our recent security release, that's why I'm sensitive
to these things).