Hello folks,
I have some directories within a samba 3.x share which I want to give granulated
security settings for various users and groups. I could of course use
"setfacl" and POSIX ACLs to accomplish that, but some of these ACLs
should also be able to be set by some users. These users of course have no access
to my Linux host where samba3 is running, so they can only do that by
right-clicking the directory/file and setting the permissions through Windows
Explorer. Unfortunately this doesn't work in our case. The filesystem where
the samba3 shares reside is mounted with acl and xattr, and I have
double-checked that. POSIX ACLs work fine. But as soon as the owner of a
directory or file tries to add some other users with access to it, the change is
not applied after clicking on the "Apply" button. It looks like the
Windows client cannot set these security settings. My share looks like this:

[share1]
    path = /disk01/share1
    admin users = "@Domain Admins"
    read only = No
    create mask = 0775
    directory mask = 0775
    nt acl support = yes
    vfs objects = acl_xattr
    invalid users = @restricted

The command "mount" shows:

[...]
/dev/xvdb1 on /disk01 type ext4 (rw,acl,user_xattr)
[...]

What am I doing wrong? Why doesn't this work? Any help appreciated.
Thanks in advance,
Lucas.
miguelmedalha at sapo.pt
2013-May-08 13:10 UTC
[Samba] Using Windows ACL on a samba3 share
From the Samba HOWTO:

The net command can be used to obtain the currently supported
capabilities for rights and privileges using this method:

root# net rpc rights list -U root%not24get
    SeMachineAccountPrivilege   Add machines to domain
    SePrintOperatorPrivilege    Manage printers
    SeAddUsersPrivilege         Add users and groups to the domain
    SeRemoteShutdownPrivilege   Force shutdown from a remote system
    SeDiskOperatorPrivilege     Manage disk shares
    SeBackupPrivilege           Back up files and directories
    SeRestorePrivilege          Restore files and directories
    SeTakeOwnershipPrivilege    Take ownership of files or other objects

Machine account privilege is necessary to permit a Windows NT4 or
later network client to be added to the domain. *The disk operator
privilege is necessary to permit the user to manage share ACLs and
file and directory ACLs for objects not owned by the user.*

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#id2601333
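
One way to audit the privilege the HOWTO excerpt above singles out, as an added example that is not part of the original thread or of the Samba documentation: the functions read the output of `net rpc rights list accounts` and report accounts holding SeDiskOperatorPrivilege that are not on an allowlist. The sample listing and the EXAMPLE\... account names are constructed, and the listing layout (account name, then one privilege per line, blank line between accounts) is an assumption.

```shell
# Added example: audit which accounts hold a Samba privilege.
# Live use (prompts for the password of the account given to -U):
#   net rpc rights list accounts -U root | holders_of SeDiskOperatorPrivilege

# holders_of PRIV: read the account listing on stdin and print every
# account whose block names PRIV. Assumed layout: account name, then one
# privilege per line, with a blank line between accounts.
holders_of() {
    awk -v priv="$1" '
        BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one record per account
        {
            for (i = 2; i <= NF; i++) {
                line = $i
                gsub(/^[ \t]+|[ \t\r]+$/, "", line)   # tolerate padding and CRs
                if (line == priv) { print $1; break }
            }
        }'
}

# unexpected_holders PRIV ALLOWED...: print holders of PRIV that are not
# among the ALLOWED account names (exact string match).
unexpected_holders() {
    priv=$1
    shift
    holders_of "$priv" | while IFS= read -r acct; do
        ok=no
        for allowed in "$@"; do
            if [ "$acct" = "$allowed" ]; then ok=yes; fi
        done
        if [ "$ok" = no ]; then printf '%s\n' "$acct"; fi
    done
}

# Constructed sample listing; the EXAMPLE\... accounts are made up.
sample_rights() {
    cat <<'EOF'
BUILTIN\Administrators
No privileges assigned

EXAMPLE\Domain Admins
SeMachineAccountPrivilege
SeDiskOperatorPrivilege

EXAMPLE\fileadmins
SeDiskOperatorPrivilege
EOF
}

# Demo on the sample: flags the one holder that is not on the allowlist.
sample_rights | unexpected_holders SeDiskOperatorPrivilege 'EXAMPLE\Domain Admins'
```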