Andrey Repin
2015-Apr-18 00:37 UTC
[Samba] Unable to edit permissions on member server share, users don't have access.
Greetings, All!

The server works somewhat OK: it correctly pulls and unwinds the data from AD, members do log in properly remotely and locally, but this one share drives me nuts. No members can access it, only domain admins, despite the security tab in Windows claiming that "Everyone" has "read and execute" access to the share and all files and folders inside it.

Again, this is a member server, not a DC. Any specific ACLs I should add to it?

Also, a bit OT, but where exactly should I add "barrier=1"? To the share mount or to the mount that contains the TDB files?

# mount | grep /nfs
/dev/md2 on /nfs type ext3 (rw,relatime,user_xattr,acl,barrier=1)

# getfacl /nfs{,/netlogon}
# file: nfs
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

# file: nfs/netlogon
# owner: anrdaemon
# group: domain\040admins
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::r-x

# samba-tool testparm --suppress-prompt
# Global parameters
[global]
	dos charset = CP866
	workgroup = EXAMPLE
	realm = ADS.EXAMPLE.LAN
	netbios name = SERVER
	interfaces = lo, 192.168.35.0/24
	bind interfaces only = Yes
	security = ADS
	dedicated keytab file = /etc/krb5.keytab
	kerberos method = secrets and keytab
	printcap name = cups
	wins server = 127.0.0.1
	wins support = Yes
	preload = homes
	panic action = /usr/share/samba/panic-action %d
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = Yes
	winbind nss info = rfc2307
	winbind refresh tickets = Yes
	winbind offline logon = Yes
	dns forwarder = 192.168.35.1
	idmap config example : range = 500-99999
	idmap config example : schema_mode = rfc2307
	idmap config example : backend = ad
	idmap config * : range = 100000-100999
	idmap config * : schema_mode = rfc2307
	idmap config * : backend = tdb
	idmap_ldb:use rfc2307 = yes
	map acl inherit = Yes
	printing = cups
	store dos attributes = Yes
	vfs objects = acl_xattr

[netlogon]
	comment = Network Logon Service
	path = /nfs/netlogon
	csc policy = disable

-- 
With best regards,
Andrey Repin
Saturday, April 18, 2015 03:29:22

Sorry for my terrible English...