[Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)\

[Jens Nissen]

Very embarassing indeed :-()

What I do: Put the "Authenticated Users" to the list of users already
having access. I then assign some rights (let's say Read and Write) and
then I press OK.
What I see: After reopening the GUI (or pressing Update), the entry has
simply vanished. Checking with getfacl shows, that "Authenticated Users"
have received no ACL entry.

What is even stranger: I set the permissions for "Authenticated Users"
with setfacl and edit a completely different domain user ACL entry and
press OK again.
What I see: The ACL entry for "Authenticated Users" has gone. The ACL
entry for the domain user is perfectly oK. Again, I checked with getfacl
that what the GUI shows indeed is correct.

I'm using security=ADS - may this have an impact?

Jens

Jeremy Allison wrote:
> On Thu, Apr 12, 2007 at 08:06:21PM +0200, Jens Nissen wrote:
>> I cannot set rights on a arbitrary file or folder for the Windows
>> predefined group "Authenticated Users" (which has SID S-1-5-11) via
>> SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.
>>
>> Everything else works:
>> - I can set rights for any other domain group.
>> - I can read the ACL entry for "Authenticated Users" in the Windows 2000
>> File Attribute Dialog if I set it manually with setfacl before
>> - I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
>> with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
>> existence of this predefined group.
>>
>> What am I doing wrong? Is this supposed to work?
>> Is there a workaround or any other suitable mapping for this group?
>>
>> In the "Unofficial Samba + ACL Howto", there is a reference (chapter
>> 3.1.4) that this might not work, but that was back in 2003 and 4 years
>> have passed since then.
> 
> What fails ? Selecting the user in the GUI ? More info on
> exactly what isn't working would be good.
> 
> Jeremy.
>