Bug 12428 - Lookup user for ACL editing to Samba fails for Windows 8.1 but works for some earlier and later Windows
Summary: Lookup user for ACL editing to Samba fails for Windows 8.1 but works for some...
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.5.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-15 20:45 UTC by Steve French
Modified: 2016-11-20 00:48 UTC (History)
2 users (show)

See Also:


Attachments
wireshark trace of failure (83.30 KB, application/x-pcapng)
2016-11-15 20:50 UTC, Steve French
no flags Details
wireshark trace of success (57.78 KB, application/x-pcapng)
2016-11-15 20:50 UTC, Steve French
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Steve French 2016-11-15 20:45:22 UTC
Was experimenting with some ACL editing issues that our testers reported, and ran into an interesting issue.
 
When you add an ACE for a remote user (ie a user on the Samba server) in Windows Explorer's ACL editor (see e.g. https://medschool.duke.edu/sites/medschool.duke.edu/files/upload/explorer_users_computers.jpg)
 
Our testers noticed (and I confirmed with e.g. Samba 4.5, on Fedora etc.) that if you try to add an ACE for a user (in my case a user defined on the remote system, ie Samba server) from Windows 8.1 (among others) it fails, but for Windows 10 (and Windows 2012R2, and our testers reported it worked with Windows 2016 too) it works.
 
Comparing wireshark traces:
1) netwkstagetinfo
2) getinfo on lsarpc
3) lsa_OpenPolicy2 (only on Windows 10)
4) lsa_LookupNames (only on Windows 10)
5) DsRoleGetPrimaryDomainInfo

Repro steps:
1)      Open Windows Explorer on Windows 8.1 Client
2)      Navigate to remote SMB Storage share (where Client and Server are joined to the same domain)
3)      Right-click folder and select Properties
4)      Select Security tab, click Edit…
5)      Click Add… to enter new permissions
6)      Enter the objects names to select, type a user name valid on the the remote system (Samba server, but not a valid local user) and click "check names"

For the working case (e.g. Windows 2012R2) it filled in the user name - changing "admin" to "192.168.93.17\admin" - but the failing case (Windows 8.1 for example) it returned "Name Not Found"
Comment 1 Steve French 2016-11-15 20:50:18 UTC
Created attachment 12666 [details]
wireshark trace of failure
Comment 2 Steve French 2016-11-15 20:50:48 UTC
Created attachment 12667 [details]
wireshark trace of success
Comment 3 Steve French 2016-11-15 20:51:43 UTC
also asked dochelp at Microsoft for any ideas why client behavior differs here