Lapin Blanc
2018-Apr-29 09:05 UTC
[Samba] no attributes after following "Setting up a Share Using Windows ACLs"
Hi, I have set up an AD DC with Samba 4.8, and then rigorously followed the wiki tutorial at:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

However, when following the last part (File System ACLs in the Back End), I don't get the expected results:

    [root@mydc ~]# getfattr -d /srv/samba/Demo/

doesn't yield anything, and

    getfacl /srv/samba/Demo/
    getfacl : suppression du premier « / » des noms de chemins absolus
    # file: srv/samba/Demo/
    # owner: root
    # group: SAMDOM\134domain\040admins
    user::rwx
    user:root:rwx
    user:3000004:rwx
    group::rwx
    group:users:rwx
    group:SAMDOM\134domain\040admins:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:root:rwx
    default:user:3000004:rwx
    default:group::---
    default:group:users:rwx
    default:group:SAMDOM\134domain\040admins:rwx
    default:mask::rwx
    default:other::---

Also, if I create a folder in the share after logging in as a regular user:

    [root@mydc ~]# getfattr -d /srv/samba/Demo/Hello/
    getfattr: Suppression des « / » en tête des chemins absolus
    # file: srv/samba/Demo/Hello/
    user.DOSATTRIB=0sMHgxMAAAAwADAAAAEQAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN/KVn2Y39MBAAAAAAAAAAA

    [root@mydc ~]# ls -al /srv/samba/Demo/
    total 8
    drwxrwx---+ 3 root SAMDOM\domain admins 19 29 avr 11:00 .
    drwxr-xr-x. 3 root root 18 29 avr 10:10 ..
    drwxrwx---+ 2 3000000 users 6 29 avr 11:00 Hello

I don't know the consequences of those differences from a security point of view, why I have this DOSATTR instead of SAMBA_PAI...
Rowland Penny
2018-Apr-29 11:56 UTC
[Samba] no attributes after following "Setting up a Share Using Windows ACLs"
On Sun, 29 Apr 2018 11:05:16 +0200 Lapin Blanc via samba <samba at lists.samba.org> wrote:

> Hi, I have set up an AD DC with Samba 4.8, and then rigorously
> followed the wiki tutorial at:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> However, when following the last part (File System ACLs in the Back
> End), I don't get
> the expected results:
>
> [root@mydc ~]# getfattr -d /srv/samba/Demo/
> doesn't yield anything

There is a very good reason why you didn't get anything ;-)

The wiki page is wrong, it should be:

    getfattr -n security.NTACL -d /srv/samba/Demo/

Which should produce something like this:

    getfattr: Removing leading '/' from absolute path names
    # file: srv/samba/Demo/
    security.NTACL=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

Which is as clear as mud, so to get it anywhere near readable, try this:

    samba-tool ntacl get /srv/samba/Demo --as-sddl

Which will get you this:

    O:LAG:S-1-5-21-1768301897-3342589593-1064908849-2122D:PAI(A;OICIIO;0x001200a9;;;WD)(A;;0x00100000;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)(A;;0x001f01ff;;;LA)(A;OICI;0x001301bf;;;DU)

Rowland
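
To show what the SDDL output in the reply above encodes, the following Python decodes that exact string into owner, group, DACL flags and one readable line per ACE. It is an added example, not part of the original thread and not Samba code; the function names parse_sddl and scope are illustrative, and the alias and mask tables cover only the values that occur in this string.

```python
import re

# The SDDL string quoted in the reply above (samba-tool ntacl get ... --as-sddl).
SDDL = ("O:LAG:S-1-5-21-1768301897-3342589593-1064908849-2122D:PAI"
        "(A;OICIIO;0x001200a9;;;WD)(A;;0x00100000;;;WD)"
        "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)"
        "(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)"
        "(A;;0x001f01ff;;;LA)(A;OICI;0x001301bf;;;DU)")

# Well-known SDDL aliases and composite NTFS masks that occur in this string.
TRUSTEES = {"WD": "Everyone", "CO": "Creator Owner", "CG": "Creator Group",
            "LA": "Administrator (RID 500)", "DU": "Domain Users"}
MASKS = {0x001F01FF: "Full control", 0x001301BF: "Modify",
         0x001200A9: "Read & execute", 0x00100000: "Synchronize only"}
ACE_TYPES = {"A": "allow", "D": "deny"}

def scope(flags):
    """Translate the inheritance flags (OI, CI, IO) into what the ACE applies to."""
    if "IO" in flags:
        return "children only"
    if "OI" in flags or "CI" in flags:
        return "this folder and children"
    return "this folder only"

def parse_sddl(sddl):
    """Split an O:/G:/D: descriptor into owner, group, DACL flags and ACEs."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("not an O:/G:/D: security descriptor")
    owner, group, dacl_flags, ace_blob = m.groups()
    dflags = re.findall("AI|AR|P", dacl_flags)      # "PAI" -> ["P", "AI"]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", ace_blob):
        ace_type, flags, rights, _obj, _inherit_obj, trustee = body.split(";")
        mask = int(rights, 16)  # assumes hex masks, as printed in this output
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type),
                     "trustee": TRUSTEES.get(trustee, trustee),
                     "rights": MASKS.get(mask, hex(mask)),
                     "scope": scope(re.findall("..", flags))})
    return {"owner": TRUSTEES.get(owner, owner),
            "group": TRUSTEES.get(group, group),
            "protected": "P" in dflags, "auto_inherited": "AI" in dflags,
            "aces": aces}

if __name__ == "__main__":
    sd = parse_sddl(SDDL)
    print("owner:", sd["owner"], "| group:", sd["group"],
          "| protected:", sd["protected"])
    for ace in sd["aces"]:
        print(f'{ace["type"]:5} {ace["trustee"]:48} {ace["rights"]:16} {ace["scope"]}')
```

For another share, replace SDDL with the output of the samba-tool command shown in the reply; trustees and masks missing from the tables are printed unchanged as the raw SID, alias or hex value.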