Internet Explorer 9 on Windows 7 cannot save files on shares from Samba 3.5.11. Firefox can do this with the same Samba configuration. Internet Explorer 9 on Windows 7 _can_ save files on share from 3.4.13. So it's a regression. Maybe this is a problem with delete on close on the temporary file xxx.partial, which will be created from IE9? The new file without '.partial' cannot be created and the xxx.partial-file is only 0 Byte. The downloaded file doesn't matter - tried it for example with http://samba.org/samba/patches/patches-3.0.37/0001-s3-schannel-client-Push-the-domain-and-netbios-name-.patch The share has 0777 nobody.nogroup, the share definition is [downloads] comment = public directory on eis2161 path = /downloads force create mode = 0777 force directory mode= 0777 browseable = yes writeable = yes No have no acls on /downloads. Jeremy said, this is not the same bug as in https://bugzilla.samba.org/show_bug.cgi?id=8412 I already tried without oplocks and smb2 isn't activated in 3.5.11. To track this down I activated a recycle dir in the share, because I wanted to see, which files with which content were deleted. Share definition was: [downloads] comment = public directory on eis2161 path = /downloads force create mode = 0777 force directory mode= 0777 browseable = yes writeable = yes vfs objects = recycle recycle:repository = samba_recycle_bin/%u recycle:versions = yes recycle:keeptree = yes recycle:touch = yes recycle:maxsize = 0 recycle:directory_mode = 0777 recycle:subdir_mode = 0700 If the recycle dir is activated, I'm ending with 0001-s3-schannel-client-Push-the-domain-and-netbios-name-.patch.bsz1jmp.partial with 0 Byte in the download dir (share) and 0001-s3-schannel-client-Push-the-domain-and-netbios-name-.patch with 0 Byte in the recycle dir root@eis2161:/downloads# ls -lR .: total 8 -rwxrwxrwx 1 tb users 0 Sep 11 19:29 0001-s3-schannel-client-Push-the-domain-and-netbios-name-.patch.bsz1jmp.partial drwxrwxrwx 3 tb users 4096 Sep 11 19:29 samba_recycle_bin ./samba_recycle_bin: total 4 drwx------ 2 tb users 4096 Sep 11 19:29 tb ./samba_recycle_bin/tb: total 0 -rwxrwxrwx 1 tb users 0 Sep 11 19:29 0001-s3-schannel-client-Push-the-domain-and-netbios-name-.patch der tom
Created attachment 6891 [details] Log with debug level 10
Can you attach a wireshark capture trace as well ? Might help in quickly narrowing down the problem. Thanks, Jeremy.
Created attachment 6893 [details] wireshark capture file
Sorry Thomas there's no SMB/SMB2 traffic in that capture file (no port 445 or port 139). Jeremy.
Created attachment 6894 [details] new try
Thanks for that - very helpful ! It's packet 268 that is the problem. It's doing an NT_SET_SECURITY_DESCRIPTOR nttrans call, but setting the "Security Information" to 0x10. We don't have a #define for that, so we reply with INVALID_PARAMETER in patcket 269. Here is what we have: typedef [public,bitmap32bit] bitmap { SECINFO_OWNER = 0x00000001, SECINFO_GROUP = 0x00000002, SECINFO_DACL = 0x00000004, SECINFO_SACL = 0x00000008, SECINFO_UNPROTECTED_SACL = 0x10000000, SECINFO_UNPROTECTED_DACL = 0x20000000, SECINFO_PROTECTED_SACL = 0x40000000, SECINFO_PROTECTED_DACL = 0x80000000 } security_secinfo; What does 0x10 actually mean here ? Jeremy.
Ah - evil fuckers. It's here: http://msdn.microsoft.com/en-us/library/Aa446645 OWNER_SECURITY_INFORMATION 0x00000001 GROUP_SECURITY_INFORMATION 0x00000002 DACL_SECURITY_INFORMATION 0x00000004 SACL_SECURITY_INFORMATION 0x00000008 LABEL_SECURITY_INFORMATION 0x00000010 Include the mandatory integrity label access control entry (ACE). This isn't anywhere in the docs of course.... Jeremy.
Created attachment 6895 [details] Test patch (not final) Thomas, can you try this patch to see if it fixes the problem ? It's not a final patch but will confirm my theory. Jeremy.
> Thomas, can you try this patch to see if it fixes the problem ? It's not a > final patch but will confirm my theory. I think I can try this on sunday. Thanks!
The error message I'm returning in this patch might be wrong (NT_STATUS_ACCESS_DENIED). It might need to be NT_STATUS_PRIVILEGE_NOT_HELD instead. If the patch doesn't work as-is, try changing the error message to NT_STATUS_PRIVILEGE_NOT_HELD and testing again. Cheers, Jeremy.
Both error messages are not working :( I have a wireshark capture trace and a samba log with debug level 10 from the action with error message NT_STATUS_PRIVILEGE_NOT_HELD in nttrans.c. der tom
Created attachment 6909 [details] wireshark trace with NT_STATUS_PRIVILEGE_NOT_HELD in nttrans.c
Created attachment 6910 [details] log.smbd with NT_STATUS_PRIVILEGE_NOT_HELD in nttrans.c
Ok, thanks. It's going to have to wait until Monday at the plugfest when I'll try setting the same thing to a Windows server as an unprivileged user and see what I get back. Thanks for testing ! Jeremy.
I _can_ save the same file from the same machine with the same Internet Explorer on a share of W2K3 as a member of the group users...
Created attachment 6911 [details] The same action against a W2K3 server
Ok, after a lot of work with Microsoft engineers here at the plugfest, we think we know what is going on :-). New patch soon... Jeremy.
Created attachment 6914 [details] patch for 3.5.x Thomas, please test - I think this will fix it. Jeremy.
Created attachment 6915 [details] Fix version for 3.6.1 Patch for 3.6.1. Jeremy.
Jeremy, I think this is wrong see frames 269 and 270 in w2k3.pcap Or am I missing something?
Yes you are correct. Updated patch will follow. Jeremy.
Created attachment 6919 [details] Updated patch for 3.5.x
It's working now (tried only the last patch). I'm ending now with the full file in the share and a 0-Byte-file with the same name in the recycle dir: root@eis2161:/downloads# ls -lR .: total 12 -rwxrwxrwx 1 tb users 980 Sep 21 17:20 0001-s3-schannel-client-Push-the-domain-and-netbios-name-.patch drwxrwxrwx 3 tb users 4096 Sep 21 17:21 samba_recycle_bin ./samba_recycle_bin: total 4 drwx------ 2 tb users 4096 Sep 21 17:21 tb ./samba_recycle_bin/tb: total 0 -rwxrwxrwx 1 tb users 0 Sep 21 17:21 0001-s3-schannel-client-Push-the-domain-and-netbios-name-.patch Thank you!
Created attachment 6930 [details] git-am fix for 3.6.1 Fix that went into master.
Comment on attachment 6919 [details] Updated patch for 3.5.x Needs including for 3.5.next.
Marking as blocker as we need to get this fix into 3.5.next and 3.6.1. IE9 can't save downloaded files onto a Samba share until we integrate this. Jeremy.
Comment on attachment 6919 [details] Updated patch for 3.5.x Adding Michael.
Comment on attachment 6930 [details] git-am fix for 3.6.1 Adding Michael.
Why is this hunk needed? + if (security_info_wanted & SECINFO_LABEL) { + /* Like W2K3 return a null object. */ + psd->owner_sid = NULL; + psd->group_sid = NULL; + psd->dacl = NULL; + psd->sacl = NULL; + psd->type &= ~(SEC_DESC_DACL_PRESENT|SEC_DESC_SACL_PRESENT); + } + If we used get_null_nt_acl()
It's needed because unfortunately get_null_nt_acl() doesn't create an ACL like the one returned by W2K3 for the SECINFO_LABEL query. get_null_nt_acl() calls: make_standard_sec_desc( mem_ctx, &global_sid_World, &global_sid_World, NULL, &sd_size); which returns an ACL with : psd->owner_sid = global_sid_World psd->group_sid = global_sid_World set. So theoretically this hunk could just be: psd->owner_sid = NULL; psd->group_sid = NULL; and I could lose the : psd->dacl = NULL; psd->sacl = NULL; psd->type &= ~(SEC_DESC_DACL_PRESENT|SEC_DESC_SACL_PRESENT); part. But belt *and* braces, you know ? :-). I could have created a new function : get_null_label_nt_acl() which called: make_standard_sec_desc( mem_ctx, NULL, NULL, NULL, &sd_size); instead, but thought it was a little easier to reuse the existing code. Let me know if you want me to make any of these changes. Jeremy.
Comment on attachment 6930 [details] git-am fix for 3.6.1 Looks ok
Comment on attachment 6919 [details] Updated patch for 3.5.x Can you upload a git am version of this one?
Created attachment 6977 [details] git-am fix for 3.5.next git-am format of the previous 3.5.next patch.
Comment on attachment 6977 [details] git-am fix for 3.5.next - *acc_granted |= rights_mask; + *acc_granted |= saved_mask; belongs to another bug
Created attachment 6980 [details] git-am fix for 3.5.next Thanks for spotting the erroneous extra segment metze. Didn't commit from a clean tree, sorry. This one should be ok.
Comment on attachment 6980 [details] git-am fix for 3.5.next Looks ok
Karolin, please pick for the releases
Pushed to v3-5-test and v3-6-test. Closing out bug report. Thanks!