samba - Jan 2006 - samba menber of AD domain and ACL support question

Hi,

I'm running a file server on a Debian Sarge Server with official packaged 
samba packages from debian (3.0.14a-Debian).

This server is a member of an AD Windows 2000 domain, so kerberos and 
winbind are well configured on this computer (AD members can log on and 
so on...)

Samba shares a volumes formatted with xfs from stock debian kernel 
(2.6.8-2-386) with acl extentions activated :

[impressions]
    path = /var/smbspool/pdf/nobody
    browseable = yes
    create mode = 666
    writable = yes
    nt acl support = yes

I put some basic acls ont his share :
srvpdf:/var/smbspool/pdf# getfacl ./nobody
# file: nobody
# owner: nobody
# group: nogroup
user::rwx
user:ICSB2K+administrateur:rwx
group::rwx
group:ICSB2K+utilisa.\040du\040domaine:r-x
group:ICSB2K+technique:rwx
mask::rwx
other::rwx

So ACLs on this share reports some members should get all privileges on 
this directory.

Now let's go on a Win2k workstation an logon at Administrator... If I 
browse the share and open properties/security options :
- users are well listed, for eatch user, there absolutly no privilege 
cases marked (all cases are blank)
- if I open advanced privileges, i can see users have rights (for example 
nobody and icsb2k/administrator have all privileges activated, 
icsb/domain users have only some)
- if i try to modify privileges (i'm logged a icsb2k\administrator) I get 
a message "Unable to save privileges on this share\n access forbidden"
(axproximate translation, my windows is in french...)

my questions are :
- why get I a strange display on security option ?
- why can't I able to modify privileges via windows ?

regards,

-- 
Rico

> - why get I a strange display on security option ?
Samba has always behaved like this for me, but I'm not exactly sure
why.  If you scroll down you'll notice that 'Special Permissions' is
ticked, which is Windows' way of saying "there are permissions that
don't fit the checkboxes here."  It seems to work fine if you just
ignore that initial permissions window and use the Advanced options
only.
> - why can't I able to modify privileges via windows ?
I'm not 100% sure on this one, but I think it's because you're not
logged on as a user that Samba thinks has admin access.  You might be
logging in as "Administrator" on the Windows box, but does Samba know
this user should have admin/root access?

Cheers,
Adam.

Adam Nielsen wrote:
>> - why get I a strange display on security option ?
> 
> Samba has always behaved like this for me, but I'm not exactly sure
> why.  If you scroll down you'll notice that 'Special
Permissions' is
> ticked, which is Windows' way of saying "there are permissions
that
> don't fit the checkboxes here."  It seems to work fine if you just
> ignore that initial permissions window and use the Advanced options
> only.     
AFAIRC this is standard behaviour when using Samba.  You always need to go
to the advanced options page to set permissions.


Cheers GS