Applies to:

Centrify Adbindproxy 5.3.0 on All Platforms with Stock Samba 4


Problem:

After upgrading to Stock samba 4 and installing Centrify adbindproxy, batch scripts and executable files that reside on the samba share are no longer able to be run from the Windows machine.


Cause:

This issue is NOT related to Centrify or Centrify Adbindproxy. 

This issue occurs because of the 'acl allow execute always' parameter has been changed from 'yes' to 'no' in Samba 4.

Please see the entry for 'acl allow execute always' in the man page for 'smb.conf' for further information:

acl allow execute always (S)

This boolean parameter controls the behaviour of smbd(8) when
receiving a protocol request of "open for execution" from a Windows
client. With Samba 3.6 and older, the execution right in the ACL
was not checked, so a client could execute a file even if it did
not have execute rights on the file. In Samba 4.0, this has been
fixed, so that by default, i.e. when this parameter is set to
"False", "open for execution" is now denied when execution
permissions are not present.

If this parameter is set to "True", Samba does not check execute
permissions on "open for execution", thus re-establishing the
behaviour of Samba 3.6. This can be useful to smoothen upgrades
from older Samba versions to 4.0 and newer. This setting is not
meant to be used as a permanent setting, but as a temporary relief:
It is recommended to fix the permissions in the ACLs and reset this
parameter to the default after a certain transition period.

Default: acl allow execute always = no


Workaround:

Fix the permissions in the ACLs on the share itself or set the 'acl allow execute always = True'