This article describes why after upgrading to Samba 4 that executable files are no longer able to be run from the share on Windows
Centrify Adbindproxy 5.3.0 on All Platforms with Stock Samba 4
After upgrading to Stock samba 4 and installing Centrify adbindproxy, batch scripts and executable files that reside on the samba share are no longer able to be run from the Windows machine.
This issue is NOT related to Centrify or Centrify Adbindproxy.
This issue occurs because of the 'acl allow execute always' parameter has been changed from 'yes' to 'no' in Samba 4.
Please see the entry for 'acl allow execute always' in the man page for 'smb.conf' for further information:
acl allow execute always (S)
This boolean parameter controls the behaviour of smbd(8) when receiving a protocol request of "open for execution" from a Windows client. With Samba 3.6 and older, the execution right in the ACL was not checked, so a client could execute a file even if it did not have execute rights on the file. In Samba 4.0, this has been fixed, so that by default, i.e. when this parameter is set to "False", "open for execution" is now denied when execution permissions are not present.
If this parameter is set to "True", Samba does not check execute permissions on "open for execution", thus re-establishing the behaviour of Samba 3.6. This can be useful to smoothen upgrades from older Samba versions to 4.0 and newer. This setting is not meant to be used as a permanent setting, but as a temporary relief: It is recommended to fix the permissions in the ACLs and reset this parameter to the default after a certain transition period.
Default: acl allow execute always = no
Fix the permissions in the ACLs on the share itself or set the 'acl allow execute always = True'