Hello,
I have set up a Windows 2008 R2 domain controller and Samba file server
(2:3.5.8) acting as a domain member (security = ads). Kerberos is
working fine, access to user's directory on Samba server and saving
files to mapped drive is OK.
But when I try to download something using IE9, the download manager
cannot save any file to the network share. Does not matter if the user
belongs to "Domain Admin" or "Domain Users" security group.
The problem looks exactly the same as described by Microsoft:
http://support.microsoft.com/kb/2589171/en-us
Download dialog disappears, then reappears again. And when clicking
save, finally dismisses but only .partial file is saved to Samba share.
Microsoft says it's something to do with the permissions being set as
"Change" not "Full Control" and they have supplied the patch
for this
problem.
The patch in my case is installed and I have tested the permission setup
against the Win2008 domain controller. Everything is working fine. All
users can download to a share even if they do not have the "Full
Control" permission in that directory.
With Samba it went interesting: when launching IE9 as administrator
(left click on icon, "Run as administrator") the download worked. The
file was saved to the Samba share. It worked with whatever user was
logged in to the workstation. Even when logging on locally and then
accessing Samba as some domain user it was possible to complete the
download as long as IE9 was running under administrator.
The only user who could save to Samba share directly was the domain
administrator (DOMAIN\Administrator).
I used the vfs objects = full_audit to capture the VFS activity:
http://files.risk.ee/smb_fail.txt (running as regular user)
http://files.risk.ee/smb_success.txt (when running as admin)
Also tested with "smbd -d4":
http://files.risk.ee/smbd_test_fail.txt (regular user)
http://files.risk.ee/smbd_test_success.txt (admin)
I noticed that when failing the smbd was not happy about the buffer:
(SMBnttrans) NT_STATUS_BUFFER_TOO_SMALL
But unfortunately I'm more a Samba user than a developer therefore I
cannot make any big conclusions about the logs.
And my conf is here (Ubuntu default with my changes):
http://files.risk.ee/smb.conf
--
rgrds,
Ranger
