I'm building a Samba fileserver that would share the same files for both Linux
and UNIX clients, and ACLs should still work from Windows. The UNIX clients
don't have any users either, because all user information is taken from an AD.

The setup is the following:

Samba 3rc1 fileserver
Win2k3 AD Server
+ Win2k clients and Linux clients

Basically the Win2k3 AD schema has been updated with AD4Unix, because we want
to control gid and uid mappings manually. Then we have all Linux clients mount
the home directories via NFS, while Windows clients do it via Samba.

Linux clients use Kerberos for authentication and nss_ldap for mapping uids and
gids to their respective usernames and groups. This works fine, and all Windows
users with a uid and gid specified in AD are visible to the Linux clients, and
they can log in and get their $HOME pointed to the location specified in
AD4Unix. So that part works perfectly.

Now the Windows part doesn't. Windows users can log in and they get their home
mapped correctly. However, when I want to change an ACL it doesn't work. I can
open the security tab and edit the ACL, but when I click apply, the dialog box
flashes and the original ACL is listed, so it ignores the changes without
giving any error message. Also the ACL window doesn't list the name of the
owner. It prints Everyone and the group name, but for the owner it just prints
its SID instead of the username. If I use smbcacls to list the ACL for a file,
then it prints the username instead of the SID. I haven't tried to add an ACL
using smbcacls, because it seems I'm stupid enough to not figure out its syntax
(if I type smbcacls //localhost/homes file -A ACL:GROUP\user:ALLOWED/0/CHANGE,
I get "Failed to parse ACL ACL::GROUP\user").

One thing that bothers me about smbcacls' output is that users are shown as
ACL:FILESERVER\user instead of ACL:DOMAIN\user. Is this correct?

Files are stored on an XFS filesystem and getfacl and setfacl work as they
should. I'm not running winbind and I wouldn't want to do it either, because I
have uids and gids already specified for the users in the AD. So everything
else works except the ACLs. Any ideas?


----- BEGIN smb.conf -----
        workgroup = TEST
        realm = TEST.domain.dom
        server string = File Server

        log file = /var/log/samba/%m.log
        max log size = 0

        log level = 3

        security = ADS
        password server = <AD-server hostname>
        client ntlmv2 auth = yes
        encrypt passwords = yes
        map acl inherit = yes

        client use spnego = no

        null passwords = no
        local master = no

        path = /share/rhome/%U
        comment = Hemkatalog
        browseable = yes
        writable = yes
        create mode = 0600
        directory mode = 0700
        guest ok = no

        path = /share/rhome
        comment = Medlem
        browseable = yes
        writable = yes
        create mode = 0600
        directory mode = 0700
        guest ok = no

        comment = Skräp
        path = /share/scratch
        browseable = yes
        writable = yes
        guest ok = no
----- END smb.conf -----
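The following diagnostic helper is an added example, not code from the original post or from the Samba project. It reports, for a file on the share, the uid/gid the filesystem stores, the login name nss resolves for that uid, and the RID that a Samba 3 server without winbind derives algorithmically for a local uid or gid (RID = uid*2 + base, gid*2 + base + 1, with the default "algorithmic rid base" of 1000). SIDs built that way live under the server's own SID rather than the domain SID, which is why a Windows client can show them only as raw SIDs and why smbcacls reports such principals as FILESERVER\user. The script assumes GNU coreutils (`stat -c`) and a glibc-style `getent`; the path and the base value are the only inputs.

```shell
#!/bin/sh
# Added diagnostic helper (not part of the original post).
# Assumption: "algorithmic rid base" is left at its Samba default of 1000.
ALGORITHMIC_RID_BASE=1000

# Samba 3 algorithmic uid -> RID mapping for users it maps itself
# (no winbind): RID = uid * 2 + base (even RIDs are users).
uid_to_local_rid() {
    echo $(( $1 * 2 + ALGORITHMIC_RID_BASE ))
}

# Samba 3 algorithmic gid -> RID mapping: RID = gid * 2 + base + 1
# (odd RIDs are groups).
gid_to_local_rid() {
    echo $(( $1 * 2 + ALGORITHMIC_RID_BASE + 1 ))
}

# Resolve a numeric uid to a login name via nss (getent), falling back to
# /etc/passwd. Prints an empty line when no source knows the uid, which is
# the case the Windows security dialog renders as a bare SID.
uid_to_name() {
    name=$(getent passwd "$1" 2>/dev/null | cut -d: -f1)
    if [ -z "$name" ]; then
        name=$(awk -F: -v u="$1" '$3 == u { print $1; exit }' /etc/passwd)
    fi
    printf '%s\n' "$name"
}

# Full report for one path. Assumption: GNU stat is available.
report_owner() {
    path=$1
    uid=$(stat -c %u "$path") || return 1
    gid=$(stat -c %g "$path") || return 1
    name=$(uid_to_name "$uid")
    echo "path:      $path"
    echo "uid/gid:   $uid/$gid"
    echo "nss name:  ${name:-<unresolved>}"
    echo "local RID if Samba maps this uid itself: $(uid_to_local_rid "$uid")"
    echo "local RID if Samba maps this gid itself: $(gid_to_local_rid "$gid")"
}

# Usage: sh owner-check.sh /share/rhome/someuser/file
if [ $# -gt 0 ]; then
    report_owner "$1"
fi
```

Run it against a file whose owner the Windows dialog shows as a SID: if the nss name resolves but the RID shown in Windows matches the algorithmic value, the uid is being mapped by the fileserver itself rather than to the domain account, so the SID is local to the server and the domain cannot resolve it.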

