Bug 8458 - IE9 on Windows 7 cannot download files to samba 3.5.11 share
Summary: IE9 on Windows 7 cannot download files to samba 3.5.11 share
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: File services (show other bugs)
Version: 3.5.11
Hardware: All All
: P5 regression
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 8399
  Show dependency treegraph
 
Reported: 2011-09-14 21:26 UTC by Thomas Bork
Modified: 2012-05-23 20:43 UTC (History)
1 user (show)

See Also:


Attachments
Log with debug level 10 (830.12 KB, application/octet-stream)
2011-09-14 21:28 UTC, Thomas Bork
no flags Details
wireshark capture file (24.91 KB, application/octet-stream)
2011-09-15 20:19 UTC, Thomas Bork
no flags Details
new try (60.99 KB, application/octet-stream)
2011-09-15 23:05 UTC, Thomas Bork
no flags Details
Test patch (not final) (555 bytes, patch)
2011-09-16 01:04 UTC, Jeremy Allison
no flags Details
wireshark trace with NT_STATUS_PRIVILEGE_NOT_HELD in nttrans.c (68.82 KB, application/octet-stream)
2011-09-18 09:56 UTC, Thomas Bork
no flags Details
log.smbd with NT_STATUS_PRIVILEGE_NOT_HELD in nttrans.c (797.48 KB, application/octet-stream)
2011-09-18 10:04 UTC, Thomas Bork
no flags Details
The same action against a W2K3 server (115.13 KB, application/octet-stream)
2011-09-19 02:13 UTC, Thomas Bork
no flags Details
patch for 3.5.x (3.46 KB, patch)
2011-09-20 03:04 UTC, Jeremy Allison
no flags Details
Fix version for 3.6.1 (1.97 KB, patch)
2011-09-20 03:06 UTC, Jeremy Allison
no flags Details
Updated patch for 3.5.x (3.71 KB, patch)
2011-09-20 19:32 UTC, Jeremy Allison
no flags Details
git-am fix for 3.6.1 (2.78 KB, patch)
2011-09-22 21:08 UTC, Jeremy Allison
metze: review+
Details
git-am fix for 3.5.next (4.79 KB, patch)
2011-10-06 22:42 UTC, Jeremy Allison
metze: review-
Details
git-am fix for 3.5.next (4.25 KB, patch)
2011-10-07 16:02 UTC, Jeremy Allison
metze: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Bork 2011-09-14 21:26:43 UTC
Internet Explorer 9 on Windows 7 cannot save files on shares from Samba 3.5.11. Firefox can do this with the same Samba configuration.
Internet Explorer 9 on Windows 7 _can_ save files on share from 3.4.13. So it's a regression.

Maybe this is a problem with delete on close on the temporary file xxx.partial, which will be created from IE9?

The new file without '.partial' cannot be created and the xxx.partial-file is only 0 Byte.
The downloaded file doesn't matter - tried it for example with

http://samba.org/samba/patches/patches-3.0.37/0001-s3-schannel-client-Push-the-domain-and-netbios-name-.patch

The share has 0777 nobody.nogroup, the share definition is

[downloads]
 comment = public directory on eis2161
 path = /downloads
 force create mode = 0777
 force directory mode= 0777
 browseable = yes
 writeable = yes

No have no acls on /downloads.
 
Jeremy said, this is not the same bug as in

https://bugzilla.samba.org/show_bug.cgi?id=8412

I already tried without oplocks and smb2 isn't activated in 3.5.11.
To track this down I activated a recycle dir in the share, because I wanted to see, which files with which content were deleted.

Share definition was:

[downloads]
 comment = public directory on eis2161
 path = /downloads
 force create mode = 0777
 force directory mode= 0777
 browseable = yes
 writeable = yes
 vfs objects = recycle
 recycle:repository = samba_recycle_bin/%u
 recycle:versions = yes
 recycle:keeptree = yes
 recycle:touch = yes
 recycle:maxsize = 0
 recycle:directory_mode = 0777
 recycle:subdir_mode = 0700 

If the recycle dir is activated, I'm ending with 0001-s3-schannel-client-Push-the-domain-and-netbios-name-.patch.bsz1jmp.partial with 0 Byte in the download dir (share) and 0001-s3-schannel-client-Push-the-domain-and-netbios-name-.patch with 0 Byte in the recycle dir 

root@eis2161:/downloads# ls -lR
.:
total 8
-rwxrwxrwx 1 tb users    0 Sep 11 19:29 0001-s3-schannel-client-Push-the-domain-and-netbios-name-.patch.bsz1jmp.partial
drwxrwxrwx 3 tb users 4096 Sep 11 19:29 samba_recycle_bin

./samba_recycle_bin:
total 4
drwx------ 2 tb users 4096 Sep 11 19:29 tb

./samba_recycle_bin/tb:
total 0
-rwxrwxrwx 1 tb users 0 Sep 11 19:29 0001-s3-schannel-client-Push-the-domain-and-netbios-name-.patch

der tom
Comment 1 Thomas Bork 2011-09-14 21:28:53 UTC
Created attachment 6891 [details]
Log with debug level 10
Comment 2 Jeremy Allison 2011-09-15 00:55:48 UTC
Can you attach a wireshark capture trace as well ? Might help in quickly narrowing down the problem.

Thanks,

Jeremy.
Comment 3 Thomas Bork 2011-09-15 20:19:22 UTC
Created attachment 6893 [details]
wireshark capture file
Comment 4 Jeremy Allison 2011-09-15 20:48:30 UTC
Sorry Thomas there's no SMB/SMB2 traffic in that capture file (no port 445 or port 139).
Jeremy.
Comment 5 Thomas Bork 2011-09-15 23:05:25 UTC
Created attachment 6894 [details]
new try
Comment 6 Jeremy Allison 2011-09-16 00:55:45 UTC
Thanks for that - very helpful !

It's packet 268 that is the problem. It's doing an NT_SET_SECURITY_DESCRIPTOR nttrans call, but setting the "Security Information" to 0x10.

We don't have a #define for that, so we reply with INVALID_PARAMETER in patcket 269. Here is what we have:

        typedef [public,bitmap32bit] bitmap {
                SECINFO_OWNER                = 0x00000001,
                SECINFO_GROUP                = 0x00000002,
                SECINFO_DACL                 = 0x00000004,
                SECINFO_SACL                 = 0x00000008,
                SECINFO_UNPROTECTED_SACL     = 0x10000000,
                SECINFO_UNPROTECTED_DACL     = 0x20000000,
                SECINFO_PROTECTED_SACL       = 0x40000000,
                SECINFO_PROTECTED_DACL       = 0x80000000
        } security_secinfo;

What does 0x10 actually mean here ?

Jeremy.
Comment 7 Jeremy Allison 2011-09-16 01:01:16 UTC
Ah - evil fuckers. It's here:

http://msdn.microsoft.com/en-us/library/Aa446645


OWNER_SECURITY_INFORMATION 0x00000001
GROUP_SECURITY_INFORMATION 0x00000002
DACL_SECURITY_INFORMATION 0x00000004
SACL_SECURITY_INFORMATION 0x00000008
LABEL_SECURITY_INFORMATION 0x00000010

Include the mandatory integrity label access control entry (ACE).

This isn't anywhere in the docs of course....

Jeremy.
Comment 8 Jeremy Allison 2011-09-16 01:04:38 UTC
Created attachment 6895 [details]
Test patch (not final)

Thomas, can you try this patch to see if it fixes the problem ? It's not a final patch but will confirm my theory.

Jeremy.
Comment 9 Thomas Bork 2011-09-16 22:35:05 UTC
> Thomas, can you try this patch to see if it fixes the problem ? It's not a
> final patch but will confirm my theory.

I think I can try this on sunday. Thanks!
Comment 10 Jeremy Allison 2011-09-16 23:15:41 UTC
The error message I'm returning in this patch might be wrong (NT_STATUS_ACCESS_DENIED). It might need to be NT_STATUS_PRIVILEGE_NOT_HELD instead. If the patch doesn't work as-is, try changing the error message to NT_STATUS_PRIVILEGE_NOT_HELD and testing again.

Cheers,

Jeremy.
Comment 11 Thomas Bork 2011-09-18 09:53:23 UTC
Both error messages are not working :(
I have a wireshark capture trace and a samba log with debug level 10 from the action with error message NT_STATUS_PRIVILEGE_NOT_HELD in nttrans.c.

der tom
Comment 12 Thomas Bork 2011-09-18 09:56:48 UTC
Created attachment 6909 [details]
wireshark trace with NT_STATUS_PRIVILEGE_NOT_HELD in nttrans.c
Comment 13 Thomas Bork 2011-09-18 10:04:06 UTC
Created attachment 6910 [details]
log.smbd with NT_STATUS_PRIVILEGE_NOT_HELD in nttrans.c
Comment 14 Jeremy Allison 2011-09-18 16:55:01 UTC
Ok, thanks. It's going to have to wait until Monday at the plugfest when I'll try setting the same thing to a Windows server as an unprivileged user and see what I get back.

Thanks for testing !

Jeremy.
Comment 15 Thomas Bork 2011-09-19 01:47:00 UTC
I _can_ save the same file from the same machine with the same Internet Explorer on a share of W2K3 as a member of the group users...
Comment 16 Thomas Bork 2011-09-19 02:13:53 UTC
Created attachment 6911 [details]
The same action against a W2K3 server
Comment 17 Jeremy Allison 2011-09-20 02:22:46 UTC
Ok, after a lot of work with Microsoft engineers here at the plugfest, we think we know what is going on :-).

New patch soon...

Jeremy.
Comment 18 Jeremy Allison 2011-09-20 03:04:48 UTC
Created attachment 6914 [details]
patch for 3.5.x

Thomas, please test - I think this will fix it.
Jeremy.
Comment 19 Jeremy Allison 2011-09-20 03:06:24 UTC
Created attachment 6915 [details]
Fix version for 3.6.1

Patch for 3.6.1.
Jeremy.
Comment 20 Stefan Metzmacher 2011-09-20 04:14:42 UTC
Jeremy, I think this is wrong see frames 269 and 270 in w2k3.pcap

Or am I missing something?
Comment 21 Jeremy Allison 2011-09-20 18:50:36 UTC
Yes you are correct. Updated patch will follow.

Jeremy.
Comment 22 Jeremy Allison 2011-09-20 19:32:02 UTC
Created attachment 6919 [details]
Updated patch for 3.5.x
Comment 23 Thomas Bork 2011-09-21 15:26:41 UTC
It's working now (tried only the last patch).
I'm ending now with the full file in the share and a 0-Byte-file with the same name in the recycle dir:

root@eis2161:/downloads# ls -lR
.:
total 12
-rwxrwxrwx 1 tb users  980 Sep 21 17:20 0001-s3-schannel-client-Push-the-domain-and-netbios-name-.patch
drwxrwxrwx 3 tb users 4096 Sep 21 17:21 samba_recycle_bin

./samba_recycle_bin:
total 4
drwx------ 2 tb users 4096 Sep 21 17:21 tb

./samba_recycle_bin/tb:
total 0
-rwxrwxrwx 1 tb users 0 Sep 21 17:21 0001-s3-schannel-client-Push-the-domain-and-netbios-name-.patch

Thank you!
Comment 24 Jeremy Allison 2011-09-22 21:08:05 UTC
Created attachment 6930 [details]
git-am fix for 3.6.1

Fix that went into master.
Comment 25 Jeremy Allison 2011-10-05 20:24:25 UTC
Comment on attachment 6919 [details]
Updated patch for 3.5.x

Needs including for 3.5.next.
Comment 26 Jeremy Allison 2011-10-05 20:26:04 UTC
Marking as blocker as we need to get this fix into 3.5.next and 3.6.1. IE9 can't save downloaded files onto a Samba share until we integrate this.

Jeremy.
Comment 27 Jeremy Allison 2011-10-05 20:26:21 UTC
Comment on attachment 6919 [details]
Updated patch for 3.5.x

Adding Michael.
Comment 28 Jeremy Allison 2011-10-05 20:26:36 UTC
Comment on attachment 6930 [details]
git-am fix for 3.6.1

Adding Michael.
Comment 29 Stefan Metzmacher 2011-10-06 07:59:29 UTC
Why is this hunk needed?

+       if (security_info_wanted & SECINFO_LABEL) {
+               /* Like W2K3 return a null object. */
+               psd->owner_sid = NULL;
+               psd->group_sid = NULL;
+               psd->dacl = NULL;
+               psd->sacl = NULL;
+               psd->type &= ~(SEC_DESC_DACL_PRESENT|SEC_DESC_SACL_PRESENT);
+       }
+

If we used get_null_nt_acl()
Comment 30 Jeremy Allison 2011-10-06 17:41:36 UTC
It's needed because unfortunately get_null_nt_acl() doesn't create an ACL like the one returned by W2K3 for the SECINFO_LABEL query.

get_null_nt_acl() calls:

make_standard_sec_desc( mem_ctx, &global_sid_World, &global_sid_World, NULL, &sd_size);

which returns an ACL with :

psd->owner_sid = global_sid_World
psd->group_sid = global_sid_World

set. So theoretically this hunk could just be:

                psd->owner_sid = NULL;
                psd->group_sid = NULL;

and I could lose the :

                psd->dacl = NULL;
                psd->sacl = NULL;
                psd->type &= ~(SEC_DESC_DACL_PRESENT|SEC_DESC_SACL_PRESENT);

part. But belt *and* braces, you know ? :-).

I could have created a new function :

get_null_label_nt_acl() which called:

make_standard_sec_desc( mem_ctx, NULL, NULL, NULL, &sd_size);

instead, but thought it was a little easier to reuse the existing code.
Let me know if you want me to make any of these changes.

Jeremy.
Comment 31 Stefan Metzmacher 2011-10-06 21:53:04 UTC
Comment on attachment 6930 [details]
git-am fix for 3.6.1

Looks ok
Comment 32 Stefan Metzmacher 2011-10-06 21:54:10 UTC
Comment on attachment 6919 [details]
Updated patch for 3.5.x

Can you upload a git am version of this one?
Comment 33 Jeremy Allison 2011-10-06 22:42:15 UTC
Created attachment 6977 [details]
git-am fix for 3.5.next

git-am format of the previous 3.5.next patch.
Comment 34 Stefan Metzmacher 2011-10-07 06:11:02 UTC
Comment on attachment 6977 [details]
git-am fix for 3.5.next

-	*acc_granted |= rights_mask;
+	*acc_granted |= saved_mask;

belongs to another bug
Comment 35 Jeremy Allison 2011-10-07 16:02:26 UTC
Created attachment 6980 [details]
git-am fix for 3.5.next

Thanks for spotting the erroneous extra segment metze. Didn't commit from a clean tree, sorry. This one should be ok.
Comment 36 Stefan Metzmacher 2011-10-07 22:45:51 UTC
Comment on attachment 6980 [details]
git-am fix for 3.5.next

Looks ok
Comment 37 Stefan Metzmacher 2011-10-07 22:46:18 UTC
Karolin, please pick for the releases
Comment 38 Karolin Seeger 2011-10-08 17:48:49 UTC
Pushed to v3-5-test and v3-6-test.
Closing out bug report.

Thanks!