Jason Ostermann
2014-Feb-08 23:55 UTC
[Samba] Samba 3 to 4 AD migration - extensive permissions problems
Finally biting the bullet and upgrading home machines to Windows 7 but experiencing many problems.

Server is a Debian Lenny, old Samba 3.2.5, new Samba 4.1.4 built from source. My setup has been doing roaming profiles for XP since 2003 or so with almost no changes. I want to keep roaming profiles going plus do some folder redirection (Desktop (my wife doesn't believe in file shares for pictures) and AppData (I find new ways to hate iTunes every day) particularly). Took a while to find that my passdb was still smbpasswd and the passdb had the default system accounts. Got the smbpasswd converted over, user accounts in place, and the new Win7 machine was able to join the domain.

I was able to set the *share* permissions per the "Setting up a home share" without issue. However, attempting to set any permissions on the files or directories fails with "Access denied". I have tried all manner of unix modes on the files/directories to no avail. I made a new directory for redirected folders and that one can be used properly. So I tried to copy the ACLs (getfacl /home/redir | setfacl --set=- /home) but that fails with:

    setfacl: Option -s: Invalid argument near character 1.

The permissions problems exist across all my file shares. I did grant SeDiskOperatorPrivilege to domain\Administrators, then also domain\Administrator and domain\root just in case. Both Administrator and root are in the Domain Admins group. I can access the policy and users nicely through the RSAT mmc plugins.

Is there a baseline permission/acl/mode/attr that I need to lay down across the entire filesystem? I've worked on this for a couple of days, so I've tried every stupid idea I could think up. Nothing particularly useful has come up in my searches.

Thanks!
smb.conf:

    # Global parameters
    [global]
        workgroup = ODDWORLD
        realm = oddworld.org
        netbios name = ROHAN
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        dns forwarder = [ISP'S DNS SERVER]
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        interfaces = 192.168.4.1/24 127.0.0.1/24

    [netlogon]
        path = /home/netlogon
        read only = No

    [sysvol]
        path = /usr/local/samba4/var/locks/sysvol
        read only = No

    [home]
        comment = Home master
        path = /home

    [backups]
        comment = Backup space, software
        path = /exports/bigdisk/backup

    [Profiles]
        path = /home/profiles
        read only = no

    [Redirected]
        path = /home/redir
        # browseable = no
        read only = no

ACLs on the directory that works and on /home:

    rohan:/home# getfacl /home/redir
    getfacl: Removing leading '/' from absolute path names
    # file: home/redir
    # owner: root
    # group: root
    user::rwx
    user:root:rwx           #effective:---
    user:3000000:rwx        #effective:---
    user:3000002:rwx        #effective:---
    user:3000003:r-x        #effective:---
    group::---
    group:root:---
    group:3000000:rwx       #effective:---
    group:3000002:rwx       #effective:---
    group:3000003:r-x       #effective:---
    mask::---
    other::---
    default:user::rwx
    default:user:root:rwx
    default:user:3000000:rwx
    default:user:3000002:rwx
    default:group::---
    default:group:root:---
    default:group:3000000:rwx
    default:group:3000002:rwx
    default:mask::rwx
    default:other::---

    rohan:/home# getfacl .
    # file: .
    # owner: root
    # group: root
    user::rwx
    user:3000000:rwx        #effective:r-x
    user:3000002:rwx        #effective:r-x
    user:3000003:rwx        #effective:r-x
    group::r-x
    mask::r-x
    other::r-x
Chan Min Wai
2014-Feb-09 02:24 UTC
[Samba] Samba 3 to 4 AD migration - extensive permissions problems
Have you missed this guide? https://wiki.samba.org/index.php/Setup_and_configure_file_shares

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

On Sun, Feb 9, 2014 at 7:55 AM, Jason Ostermann <oddball at oddworld.org> wrote:
> Finally biting the bullet and upgrading home machines to Windows 7 but
> experiencing many problems.
> [...]
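Two things in the original post are worth checking before touching Samba settings, and neither poster spells them out. First, the setfacl error: `--set=-` takes an ACL specification as its argument, so setfacl tries to parse the literal string "-" and fails at character 1; reading a specification from stdin is `--set-file=-` (or `setfacl --restore=-`). Second, the `#effective:` columns in the posted getfacl output: in a POSIX ACL the `mask` entry caps the rights of every named user, every named group and the owning group, so `mask::---` on /home/redir turns all of those `rwx` grants into no access at all, and `mask::r-x` on /home strips write from the three named users. The script below is an added diagnostic, not code from either poster or from the Samba project; it re-derives those effective rights from the mask so you can see which entries a directory's mask is clipping. The two sample inputs are constructed from the getfacl output quoted above.

```shell
#!/bin/sh
# Added example: report POSIX ACL entries that the access mask clips.
# Sample inputs below are constructed from the getfacl output in the post.

ACL_REDIR='# file: home/redir
# owner: root
# group: root
user::rwx
user:root:rwx           #effective:---
user:3000000:rwx        #effective:---
user:3000002:rwx        #effective:---
user:3000003:r-x        #effective:---
group::---
group:root:---
group:3000000:rwx       #effective:---
group:3000002:rwx       #effective:---
group:3000003:r-x       #effective:---
mask::---
other::---
default:user::rwx
default:user:root:rwx
default:mask::rwx
default:other::---'

ACL_HOME='# file: .
# owner: root
# group: root
user::rwx
user:3000000:rwx        #effective:r-x
user:3000002:rwx        #effective:r-x
user:3000003:rwx        #effective:r-x
group::r-x
mask::r-x
other::r-x'

# masked_entries: read getfacl output on stdin, print one line per entry
# whose effective rights are narrower than the rights it grants.
# POSIX ACL rules applied here: the mask governs named users, named groups
# and the owning group; the owner (user::) and other:: entries are never
# masked; default (inherit-only) entries carry their own mask and are skipped.
masked_entries() {
    awk -F: '
        { sub(/[ \t]*#.*$/, "") }            # drop comments and "#effective:" notes
        /^$/ || /^default:/ { next }
        $1 == "mask" { mask = $3; next }
        { n++; tag[n] = $1; qual[n] = $2; perm[n] = $3 }
        END {
            if (mask == "") mask = "rwx"     # no mask entry: nothing is clipped
            for (i = 1; i <= n; i++) {
                if (tag[i] == "other") continue
                if (tag[i] == "user" && qual[i] == "") continue
                eff = ""
                for (j = 1; j <= 3; j++) {
                    p = substr(perm[i], j, 1)
                    eff = eff ((p != "-" && p == substr(mask, j, 1)) ? p : "-")
                }
                if (eff != perm[i])
                    printf "%s:%s:%s effective:%s\n", tag[i], qual[i], perm[i], eff
            }
        }'
}

# masked_count: number of clipped entries in the getfacl output on stdin.
masked_count() {
    masked_entries | awk 'END { print NR + 0 }'
}

# Usage: on a live system, pipe the real thing: getfacl /home/redir | masked_entries
printf '%s\n' "$ACL_REDIR" | masked_entries
printf '%s\n' "$ACL_HOME"  | masked_entries
```

Run against a real directory with `getfacl -p /path | masked_entries`. If the output lists the very accounts that get "Access denied", raise the mask (`setfacl -m mask::rwx /path`) or re-apply the intended entries without `-n`, since setfacl recalculates the mask from the named entries unless told not to; the default mask on /home/redir is already `rwx`, which is why newly created children there behave while the directory itself does not.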