[Samba] Cannot set Windows ACL security permissions Ubuntu 18.04 LXD privileged container

Rowland Penny rpenny at samba.org
Wed Sep 12 08:17:29 UTC 2018


On Tue, 11 Sep 2018 20:14:58 -0400
Jonathan Kreider via samba <samba at lists.samba.org> wrote:

> I'm trying to set up a member server for serving files following the
> instructions at:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs.
> 
> Since I'm not an expert with log files or debugging, I need help
> troubleshooting the following:
> 
> When I get to the part where I connect to the member server from the
> Windows Computer Management tool, I get a long message starting with
> "Computer FS3.MYDOM.COM cannot be connected. ..."
> 
> But then the tool connects anyway and lets me change the "Share
> permissions" settings. I can add and delete groups here.
> 
> But when I click on the security tab I get a message "You must have
> read permissions to view the properties of this object."  Other
> times, the tab has displayed properly and allowed me to add groups
> and change permissions, but then it won't allow me to save the
> changes.
> 
> Shared directory permissions:
> drwxrwxrwx  2 root   KMS2\domain admins  2 Sep 11 22:40 shared/
> 
> testparm output:
> # Global parameters
> [global]
>         dns proxy = No
>         log file = /var/log/samba/log.%m
>         map to guest = Bad User
>         max log size = 1000
>         panic action = /usr/share/samba/panic-action %d
>         realm = KMS2.SAMDOM.COM (sanitized)
>         security = ADS
>         server role = member server
>         server string = %h server (Samba, Ubuntu)
>         username map = /etc/samba/user.map
>         winbind refresh tickets = Yes
>         workgroup = KMS2
>         acl_xattr:default acl style = windows  (tried with and
> without - could not tell a difference)
>         acl_xattr:ignore system acls = yes     (tried with and
> without - could not tell a difference)
>         idmap config kms2 : range = 10000-19999
>         idmap config kms2 : backend = rid
>         idmap config * : range = 3000-7999
>         idmap config * : backend = tdb
>         map acl inherit = Yes
>         store dos attributes = Yes
>         vfs objects = acl_xattr
> 
> [printers]
>         browseable = No
>         comment = All Printers
>         create mask = 0700
>         path = /var/spool/samba
>         printable = Yes
> 
> [print$]
>         comment = Printer Drivers
>         path = /var/lib/samba/printers
> 
> [Shared]
>         path = /home/shared
>         read only = No
>         acl_xattr:default acl style = windows  (tried with and
> without - could not tell a difference)
>         acl_xattr:ignore system acls = yes  (tried with and without -
> could not tell a difference)
> 
> Environment: Ubuntu 18.04 in an LXD privileged container on an Ubuntu
> 16.04 host
> Samba Version = 4.7.6 (what ships with Ubuntu 18.04 by default)
> AD DC = Samba 4.3.11 on Ubuntu 16.04 LTS inside an LXD privileged
> container on the same host as above.
> Second AD DC = Samba 4.7.6-Ubuntu on Ubuntu 18.04 inside a privileged
> container on same host.
> 
> The underlying file system is zfs-on-linux and in all cases I set the
> following zfs attributes:
> xattrs=sa
> aclinherit=passthrough
> acltype=posix
> 
> A member server fs3 w/Samba 4.7.6-Ubuntu also privileged on the same
> host. All workstations on the network are successfully joined to AD.
> Windows OS = 10 1803, but RSAT is 17xx b/c the RSAT 1803 doesn't have
> the DNS tools, so I had to downgrade.
> 
> All containers are "privileged" b/c samba NTACLs use the "security"
> namespace which requires root privileges. This seems to work for the
> AD DCs
> - I can't get the AD DCs to work in unprivileged mode.

Bit confused here, you talk about an error message 'Computer
FS3.MYDOM.COM cannot be connected', you then post a smb.conf but
then go on to say 'A member server fs3 w/Samba 4.7.6-Ubuntu also
privileged on the same host.'. It sounds like the smb.conf is not from
'FS3'.

By my count, you seem to be running 4 hosts on the same computer, 2 DCs
and 2 Unix domain members. This is not a good idea; if something goes
wrong with the host computer, you will lose everything.

Finally, stop me if I am wrong, but doesn't zfs use nfs4acls?
So I think you need 'vfs_nfs4acl_xattr' instead of 'vfs_acl_xattr'.

Rowland
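The settings the thread goes back and forth over (the ACL VFS module, `map acl inherit`, `store dos attributes`, and non-overlapping idmap ranges) can be linted before anyone opens Computer Management. The checker below is an added example, not Samba's own code or the wiki's; the smb.conf it parses is constructed from the testparm output above, and it accepts either acl_xattr or nfs4acl_xattr as the ACL module, following Rowland's ZFS remark.

```python
import configparser
import re

# Constructed sample, modelled on the testparm output posted in the thread
# (inline "tried with and without" remarks dropped so it parses cleanly).
SAMPLE_SMB_CONF = """
[global]
realm = KMS2.SAMDOM.COM
security = ADS
server role = member server
workgroup = KMS2
idmap config kms2 : range = 10000-19999
idmap config kms2 : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr

[Shared]
path = /home/shared
read only = No
"""

# Global settings the Windows-ACL share setup relies on.
REQUIRED_GLOBAL = {"map acl inherit": "yes", "store dos attributes": "yes"}
ACL_VFS_MODULES = {"acl_xattr", "nfs4acl_xattr"}  # nfs4acl_xattr for ZFS

def parse_smb_conf(text):
    # smb.conf keys may contain ':' (idmap config ...), so only '=' separates.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def parse_range(value):
    lo, hi = (int(x) for x in value.split("-"))
    return lo, hi

def check_windows_acl_prereqs(text):
    """Return a list of problems found; an empty list means all checks passed."""
    g = parse_smb_conf(text)["global"]
    problems = []
    for key, want in REQUIRED_GLOBAL.items():
        if g.get(key, "no").strip().lower() != want:
            problems.append(f"global: '{key}' should be {want}")
    if not set(g.get("vfs objects", "").split()) & ACL_VFS_MODULES:
        problems.append("global: 'vfs objects' lacks acl_xattr (or nfs4acl_xattr on ZFS)")
    # Every 'idmap config <dom> : range' must be disjoint from every other one.
    ranges = {m.group(1): parse_range(v) for k, v in g.items()
              if (m := re.fullmatch(r"idmap config (\S+) : range", k))}
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"idmap ranges overlap: {a} {alo}-{ahi} vs {b} {blo}-{bhi}")
    return problems
```

The posted configuration passes all four checks, so the ACL failure in the thread is not explained by these settings alone; the checker narrows the search to the filesystem and container side (xattr support, privileges, which host the smb.conf actually came from).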


