[Samba] samba menber of AD domain and ACL support question

[Eric Belhomme]

Hi,

I'm running a file server on a Debian Sarge Server with official packaged 
samba packages from debian (3.0.14a-Debian).

This server is a member of an AD Windows 2000 domain, so kerberos and 
winbind are well configured on this computer (AD members can log on and 
so on...)

Samba shares a volumes formatted with xfs from stock debian kernel 
(2.6.8-2-386) with acl extentions activated :

[impressions]
    path = /var/smbspool/pdf/nobody
    browseable = yes
    create mode = 666
    writable = yes
    nt acl support = yes

I put some basic acls ont his share :
srvpdf:/var/smbspool/pdf# getfacl ./nobody
# file: nobody
# owner: nobody
# group: nogroup
user::rwx
user:ICSB2K+administrateur:rwx
group::rwx
group:ICSB2K+utilisa.\040du\040domaine:r-x
group:ICSB2K+technique:rwx
mask::rwx
other::rwx

So ACLs on this share reports some members should get all privileges on 
this directory.

Now let's go on a Win2k workstation an logon at Administrator... If I 
browse the share and open properties/security options :
- users are well listed, for eatch user, there absolutly no privilege 
cases marked (all cases are blank)
- if I open advanced privileges, i can see users have rights (for example 
nobody and icsb2k/administrator have all privileges activated, 
icsb/domain users have only some)
- if i try to modify privileges (i'm logged a icsb2k\administrator) I get 
a message "Unable to save privileges on this share\n access forbidden" 
(axproximate translation, my windows is in french...)

my questions are :
- why get I a strange display on security option ?
- why can't I able to modify privileges via windows ?

regards,

-- 
Rico