Bug 50601

Summary: The windows explorer crashes, if the share security section will be accessed
Product: UCS
Reporter: Julia Bremer <bremer>
Component: Samba4
Assignee: Julia Bremer <bremer>
Status: CLOSED FIXED
QA Contact: Jürn Brodersen <brodersen>
Severity: normal
Priority: P5
CC: best, botner, bremer, brodersen, grandjean, heidelberger, hotsummer55, markus.daehlmann, requate, scheinig, steuwer, stoeckigt, v.mayer, voelker
Version: UCS 4.4
Flags: bremer: Patch_Available+
Target Milestone: UCS 4.4-3-errata
Hardware: Other
OS: Linux
URL: https://help.univention.com/t/problem-the-windows-explorer-crashes-if-you-try-to-adjust-the-permission-on-the-security-tab/12478
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=53629
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.143
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Bug Depends on: 49747
Bug Blocks:
Attachments:
  Mark all identifier authorities documented by ms as valid in samba
  add all documented predefined domains

Description Julia Bremer univentionstaff 2019-12-05 10:30:27 CET
Created attachment 10253
Mark all identifier authorities documented by ms as valid in samba

+++ This bug was initially created as a clone of Bug #49747 +++

A customer reported that his Windows Explorer crashes if he tries to adjust the share settings in the security section. He also mentioned that this only occurs at the main level of the shares.

He found the cause of the explorer reaction. If the directory owner is set to root (this is our default when you create a share), the explorer crashes. If you set the owner to administrator, you can access the security section.

==========================================================

In Bug #49747 we fixed this issue for Samba-Unix-Sids (S-1-22*).
After customer feedback, we found that there are several kinds of SIDs which are not recognized as valid by Samba (but are valid) and can trigger these explorer crashes.

An example would be S-1-15*, which are capability SIDs. 
Customers might delete them to avoid the crashes, but deleting these can cause Windows 10 crashes by itself.

List of valid SID identifier authorities:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/c6ce4275-3d90-4890-ab3a-514745e4637e
Comment 1 Arvid Requate univentionstaff 2019-12-05 14:24:19 CET
I guess we will see more of this with Windows 10 (Windows 7 EOL).
E.g. the "app container SIDs" which have the "application package authority" prefix S-1-15 have been introduced with Windows 8 but seem to gain more widespread use now.
Comment 2 Julia Bremer univentionstaff 2019-12-18 10:12:09 CET
Created attachment 10276
add all documented predefined domains

I updated the patch so that the SIDs (S-1-22-1-0, S-1-22-2-0) are actually translated to their respective names (user root / group root).
Comment 3 Julia Bremer univentionstaff 2020-01-13 10:20:14 CET
Package: samba
Version: 2:4.10.1-1A~4.4.0.202001130957
Branch: ucs_4.4-0
Scope: errata4.4-3

e133c683bc Bug #50601: Yaml

Rebuild the package with the attached patch.
Comment 4 Julia Bremer univentionstaff 2020-01-13 11:59:15 CET
For QA:

Env: Ucs-Master with samba, a joined windows machine.
Create share via umc with owner root:root. 
Open the share with the windows explorer and check that it does not crash and the Sids are evaluated to readable names.

Check the other Sids by running:

samba-tool ntacl get --as-sddl file1

output would be something like:

O:S-1-22-1-0G:S-1-22-2-0D:(A;;0x001f019f;;;S-1-22-2-0)(A;;0x00120089;;;S-1-22-2-0)(A;;0x00120089;;;WD)

Behind O: is the owner Sid, behind G: is the group Sid.
Change both occurrences of these Sids to the Sids you want to test, e.g.

samba-tool ntacl set "O:S-1-18G:S-1-18-3D:(A;;0x001f019f;;;S-1-18)(A;;0x00120089;;;S-1-18-3)(A;;0x00120089;;;WD)" file1

and run:

net cache flush 

open the share on the security tab again on your windows machine and check that it doesn't crash.
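
The SDDL handling in the QA steps above, as an added example that is not part of the original comment or of the Samba/UCS code: this Python script parses the string printed by `samba-tool ntacl get --as-sddl`, reports the identifier authority of each SID, and builds the rewritten string to pass to `samba-tool ntacl set`. The authority table follows MS-DTYP 2.4.1.1 with Samba's S-1-22 added; the function names and the restriction to simple (non-conditional) ACEs are assumptions of this example.

```python
import re

# Identifier authorities listed in MS-DTYP 2.4.1.1, plus Samba's Unix authority 22.
AUTHORITIES = {
    0: "NULL_SID_AUTHORITY", 1: "WORLD_SID_AUTHORITY", 2: "LOCAL_SID_AUTHORITY",
    3: "CREATOR_SID_AUTHORITY", 4: "NON_UNIQUE_AUTHORITY", 5: "SECURITY_NT_AUTHORITY",
    15: "SECURITY_APP_PACKAGE_AUTHORITY", 16: "SECURITY_MANDATORY_LABEL_AUTHORITY",
    17: "SECURITY_SCOPED_POLICY_ID_AUTHORITY", 18: "SECURITY_AUTHENTICATION_AUTHORITY",
    22: "Samba Unix users/groups (S-1-22, not in MS-DTYP)",
}
SID = r"S-1-(?:0x[0-9A-Fa-f]+|\d+)(?:-\d+)*"
TRUSTEE = rf"(?:{SID}|[A-Z]{{2}})"  # full SID or a two-letter SDDL alias such as WD
HEADER = re.compile(rf"O:(?P<owner>{TRUSTEE})G:(?P<group>{TRUSTEE})(?P<rest>.*)", re.S)
ACE = re.compile(r"\(([^()]*)\)")  # assumption: simple ACEs, no conditional expressions

# SDDL string quoted in the QA comment above.
SAMPLE = ("O:S-1-22-1-0G:S-1-22-2-0D:(A;;0x001f019f;;;S-1-22-2-0)"
          "(A;;0x00120089;;;S-1-22-2-0)(A;;0x00120089;;;WD)")

def parse_sddl(sddl):
    """Return (owner, group, [ACE trustees]) for an 'O:..G:..D:(..)' descriptor."""
    m = HEADER.fullmatch(sddl.strip())
    if not m:
        raise ValueError("expected SDDL of the form O:<sid>G:<sid>...")
    aces = [ace.split(";") for ace in ACE.findall(m["rest"])]
    if any(len(fields) < 6 for fields in aces):
        raise ValueError("ACE with fewer than six fields")
    return m["owner"], m["group"], [fields[5] for fields in aces]

def authority(trustee):
    """Identifier authority of a SID as an int; None for a two-letter alias."""
    if not trustee.startswith("S-1-"):
        return None
    value = trustee.split("-")[2]
    return int(value, 16) if value.lower().startswith("0x") else int(value)

def audit(sddl):
    """Map every distinct SID in the descriptor to its authority name or 'UNKNOWN'."""
    owner, group, trustees = parse_sddl(sddl)
    sids = [t for t in (owner, group, *trustees) if authority(t) is not None]
    return {sid: AUTHORITIES.get(authority(sid), "UNKNOWN") for sid in sids}

def retarget(sddl, owner, group):
    """Swap owner and group SIDs wherever they occur; rights and other trustees stay."""
    parse_sddl(sddl)  # validates the input before rewriting it
    m = HEADER.fullmatch(sddl.strip())
    swap = {m["owner"]: owner, m["group"]: group}
    rest = re.sub(SID, lambda s: swap.get(s[0], s[0]), m["rest"])
    return f"O:{owner}G:{group}{rest}"
```

`retarget` is a purely mechanical swap, so the ACE trustees follow the old owner and group one-to-one; edit the result by hand for other combinations.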
Comment 5 Julia Bremer univentionstaff 2020-01-13 12:31:42 CET
S-1-17 still triggered a crash.

I fixed this in package 2:4.10.1-1A~4.4.0.202001131227

52d8f66d24 Bug #50601: Fix crash for S-1-17, yaml update
Comment 6 Jürn Brodersen univentionstaff 2020-01-14 16:46:37 CET
What I tested:

Windows Explorer doesn't crash any more -> OK
SIDs are resolved in Windows Explorer -> OK
YAML -> OK
Comment 7 Erik Damrose univentionstaff 2020-01-21 15:48:59 CET
<http://errata.software-univention.de/ucs/4.4/424.html>