Univention Bugzilla – Bug 50601
The windows explorer crashes, if the share security section will be accessed
Last modified: 2021-08-05 15:47:14 CEST
Created attachment 10253 [details] Mark all identifier authorities documented by ms as valid in samba +++ This bug was initially created as a clone of Bug #49747 +++ A customer reported that his windows explorer crashes, if he tries to adjust the share settings in the security section. He also mentioned, that this only occurs at the main level of the shares. He found the cause of the explorer reaction. If the directory owner is set to root, this our default when you create a share, the explorer crashes. If you set the owner to administrator you can access the security section. ========================================================== In #Bug49747 we fixed this issue for Samba-Unix-Sids (S-1-22*), After costumer feedback, we found that there are several kinds of SIDs, which are not recognized as valid by Samba (but are valid) and can trigger these explorer crashes. An example would be S-1-15*, which are capability SIDs. Customers might delete them to avoid the crashes , but deleting these can cause Windows 10 crashes by itself. List of valid SID identifier authorities: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/c6ce4275-3d90-4890-ab3a-514745e4637e
I guess we will see more of this with Windows 10 (Windows 7 EOL). E.g. the "app container SIDs" which have the "application package authority" prefix S-1-15 have been introduced with Windows 8 but seem to gain more widespread use now.
Created attachment 10276 [details] add all documented predefined domains I updated the patch, so that the SIDs (S-1-22-1-0 ,S-1-22-2-0) are actually translated to their respective names (user root / group root).
Package: samba Version: 2:4.10.1-1A~4.4.0.202001130957 Branch: ucs_4.4-0 Scope: errata4.4-3 e133c683bc Bug #50601: Yaml Rebuild the package with the attached patch.
For QA: Env: Ucs-Master with samba, a joined windows machine. Create share via umc with owner root:root. Open the share with the windows explorer and check that it does not crash and the Sids are evaluated to readable names. Check the other Sids by running: samba-tool ntacl get --as-sddl file1 output would be something like: O:S-1-22-1-0G:S-1-22-2-0D:(A;;0x001f019f;;;S-1-22-2-0)(A;;0x00120089;;;S-1-22-2-0)(A;;0x00120089;;;WD) behind O: is the owner Sid, behing G: is the group Sid. Change both occurences of these Sids to the Sids you want to test, e.g. samba-tool ntacl set "O:S-1-18G:S-1-18-3D:(A;;0x001f019f;;;S-1-18)(A;;0x00120089;;;S-1-18-3)(A;;0x00120089;;;WD)" file1 and run: net cache flush open the share on the security tab again on your windows machine and check that it doesn't crash.
S-1-17 still triggered a crash. I fixed this in package 2:4.10.1-1A~4.4.0.202001131227 52d8f66d24 Bug #50601: Fix crash for S-1-17, yaml update
What I tested: Windows Explorer doesn't crash any more -> OK SIDs are resolved in Windows Explorer -> OK YAML -> OK
<http://errata.software-univention.de/ucs/4.4/424.html>