[Samba] Cannot set Windows ACL security permissions Ubuntu 18.04 LXD privileged container

Jochen Eggemann Jochen.Eggemann at nw-fva.de
Wed Sep 12 05:50:11 UTC 2018


Set the permissions to drwxrwx---+ and make sure 'vfs objects = acl_xattr' is set in smb.conf.

Good luck

Jochen


On 12.09.2018 at 02:14, Jonathan Kreider via samba wrote:
> I'm trying to set up a member server for serving files following the
> instructions at:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs.
>
> Since I'm not an expert with log files or debugging, I need help
> troubleshooting the following:
>
> When I get to the part where I connect to the member server from the
> Windows Computer Management tool, I get a long message starting with
> "Computer FS3.MYDOM.COM cannot be connected. ..."
>
> But then the tool connects anyway and lets me change the "Share
> permissions" settings. I can add and delete groups here.
>
> But when I click on the security tab I get a message "You must have read
> permissions to view the properties of this object."  Other times, the tab
> has displayed properly and allowed me to add groups and change permissions,
> but then it won't allow me to save the changes.
>
> Shared directory permissions:
> drwxrwxrwx  2 root   KMS2\domain admins  2 Sep 11 22:40 shared/
>
> testparm output:
> # Global parameters
> [global]
>          dns proxy = No
>          log file = /var/log/samba/log.%m
>          map to guest = Bad User
>          max log size = 1000
>          panic action = /usr/share/samba/panic-action %d
>          realm = KMS2.SAMDOM.COM (sanitized)
>          security = ADS
>          server role = member server
>          server string = %h server (Samba, Ubuntu)
>          username map = /etc/samba/user.map
>          winbind refresh tickets = Yes
>          workgroup = KMS2
>          acl_xattr:default acl style = windows  (tried with and without - could not tell a difference)
>          acl_xattr:ignore system acls = yes     (tried with and without - could not tell a difference)
>          idmap config kms2 : range = 10000-19999
>          idmap config kms2 : backend = rid
>          idmap config * : range = 3000-7999
>          idmap config * : backend = tdb
>          map acl inherit = Yes
>          store dos attributes = Yes
>          vfs objects = acl_xattr
>
> [printers]
>          browseable = No
>          comment = All Printers
>          create mask = 0700
>          path = /var/spool/samba
>          printable = Yes
>
> [print$]
>          comment = Printer Drivers
>          path = /var/lib/samba/printers
>
> [Shared]
>          path = /home/shared
>          read only = No
>          acl_xattr:default acl style = windows  (tried with and without - could not tell a difference)
>          acl_xattr:ignore system acls = yes  (tried with and without - could not tell a difference)
>
> Environment: Ubuntu 18.04 in an LXD privileged container on a Ubuntu 16.04
> host
> Samba Version = 4.7.6 (what ships with Ubuntu 18.04 by default)
> AD DC = Samba 4.3.11 on Ubuntu 16.04 LTS inside a LXD privileged container
> on the same host as above.
> Second AD DC = Samba 4.7.6-Ubuntu on Ubuntu 18.04 inside a privileged
> container on same host.
>
> The underlying file system is zfs-on-linux and in all cases I set the
> following zfs attributes:
> xattrs=sa
> aclinherit=passthrough
> acltype=posix
>
> A member server fs3 w/Samba 4.7.6-Ubuntu also privileged on the same host.
> All workstations on the network are successfully joined to AD.
> Windows OS = 10 1803, but RSAT is 17xx b/c the RSAT 1803 doesn't have the
> DNS tools, so I had to downgrade.
>
> All containers are "privileged" b/c samba NTACLs use the "security"
> namespace which requires root privileges. This seems to work for the AD DCs
> - I can't get the AD DCs to work in unprivileged mode.
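
The two checks from the reply, applied to the values posted in the question, as an added example that is not part of the original thread. The function names are hypothetical; the sample inputs are the `ls` line and a trimmed copy of the `testparm` output from the question.

```python
import re

TARGET_MODE = "drwxrwx---+"  # mode string given in the reply
# Sample inputs copied (trimmed) from the question in this thread.
LS_LINE = r"drwxrwxrwx  2 root   KMS2\domain admins  2 Sep 11 22:40 shared/"
CONF = """# Global parameters
[global]
    security = ADS
    vfs objects = acl_xattr
[Shared]
    path = /home/shared
    read only = No
"""

def parse_conf(text):
    """Parse smb.conf / testparm-style text into {section: {param: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and internal whitespace
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def vfs_objects(conf, share):
    """Modules in effect for a share: its own 'vfs objects' replaces [global]'s."""
    value = conf.get(share.lower(), {}).get("vfsobjects")
    if value is None:
        value = conf.get("global", {}).get("vfsobjects", "")
    return value.split()

def check(ls_line, conf_text, share):
    """Return findings for the two items named in the reply."""
    mode, findings = ls_line.split()[0], []
    if mode != TARGET_MODE:
        findings.append(f"mode is {mode}, reply asks for {TARGET_MODE}")
    if "acl_xattr" not in vfs_objects(parse_conf(conf_text), share):
        findings.append(f"acl_xattr not in 'vfs objects' for [{share}]")
    return findings

if __name__ == "__main__":
    print(check(LS_LINE, CONF, "Shared"))
```

On the posted values only the directory mode differs from the reply; `acl_xattr` is already inherited from `[global]`. A share that sets its own `vfs objects` without `acl_xattr` would be flagged, since the share-level value replaces the global one.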
