[Samba] Windows ACLs

Henry McLaughlin henry at incred.com.au
Wed Jan 20 05:32:05 UTC 2016


[global]

       netbios name = aphrodite
       security = ADS
       workgroup = SAMDOM
       realm = AD.SAMDOM.COM.AU

       log file = /var/log/samba/%m.log
       log level = 1

       dedicated keytab file = /etc/krb5.keytab
       kerberos method = secrets and keytab
       winbind refresh tickets = yes

       winbind trusted domains only = no
       winbind use default domain = yes
       winbind enum users  = yes
       winbind enum groups = yes

       # Important: The ranges of the default (*) idmap config
       # and the domain(s) must not overlap!

       # Default idmap config used for BUILTIN and local accounts/groups
       idmap config *:backend = tdb
       idmap config *:range = 2000-9999

       # idmap config for domain SAMDOM
       idmap config SAMDOM:backend = ad
       idmap config SAMDOM:schema_mode = rfc2307
       idmap config SAMDOM:range = 10000-99999

       # Use settings from AD for login shell and home directory
       winbind nss info = rfc2307

       username map = /etc/samba/user.map

[Demo]
       path = /srv/samba/Demo/
       read only = no


getfacl /mnt/disk2/samba/Administration
getfacl: Removing leading '/' from absolute path names
# file: mnt/disk2/samba/Administration
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:domain\040admins:---
default:mask::rwx
default:other::---


ls -l /srv/samba/
total 8
drwxrwxr-x+ 2 root domain admins 4096 Jan 20 12:54 Demo


getfacl /srv/samba/Demo
# file: Demo
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040admins:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::---
default:group:domain\040admins:---
default:mask::rwx
default:other::---


In Windows ADUC I can see my share, however I have problems setting the
permissions. As it stands:

share permissions are:
Everyone: Full Control

security settings are:
Everyone: Special - this folder only
Everyone: Special - subfolders and files only
root (Unix User\root): Full - This folder subfolders & files
CREATOR OWNER: Special - Subfolders & files only
CREATOR GROUP: Special - Subfolder & files only
Domain Admins: Special - This folder only
Domain Admins: Special - Subfolder and files only

If I remove "Everyone" from the share permissions and replace it with
"Domain Admins: Full Control" then I am unable to view the security
settings. I am logged in as SAMDOM\Administrator, who is a member of "Domain
Admins".

"You do not have permission to view the current permission settings for
Demo (\\Aphrodite), but you can make permission changes."
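
An added example, not part of the original post: a small Python parser for getfacl output like the listings above. It decodes the \040 escapes and lists the entries whose default (inherited) permissions differ from the directory's own access entries. The function names are illustrative assumptions; the sample input is the /srv/samba/Demo listing copied from the post.

```python
import re

# getfacl listing for /srv/samba/Demo, copied from the post (raw string keeps \040).
GETFACL_DEMO = r"""# file: Demo
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040admins:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::---
default:group:domain\040admins:---
default:mask::rwx
default:other::---
"""

def unescape(name):
    # getfacl writes spaces and other special characters as 3-digit octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return (access, default) dicts mapping (tag, qualifier) -> permissions."""
    access, default = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if not line:
            continue
        fields = line.split(":")
        target = access
        if fields[0] == "default":
            target, fields = default, fields[1:]
        if len(fields) != 3:
            raise ValueError(f"unexpected ACL entry: {line!r}")
        tag, qualifier, perms = fields
        target[(tag, unescape(qualifier))] = perms
    return access, default

def inheritance_mismatches(text):
    """Default entries whose permissions differ from the directory's own entry."""
    access, default = parse_getfacl(text)
    return sorted((tag, who, access.get((tag, who)), perms)
                  for (tag, who), perms in default.items()
                  if access.get((tag, who)) != perms)

if __name__ == "__main__":
    print(*inheritance_mismatches(GETFACL_DEMO), sep="\n")
```

On the posted listing this reports three entries (the owning group, "domain admins" and other), each of which new children inherit as ---.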

