On Tue, 24 Jul 2018 05:34:51 -0500 (CDT)
fret via samba <samba at lists.samba.org> wrote:
> Regardless of all the tips and procedures I read in the archives, I
> cannot set permissions under the Security tab; I get this every time:
>
> "Remotely setting permissions on the folder at the root of a share
> removes all inherited permissions from the root folder and all
> subfolders. To set permissions without removing the inherited
> permissions, click No and either change the permissions on a child
> folder or make the change while logged in locally"
>
> Despite this warning, when I click the Yes button access is denied and I
> can't escape from the loop (only Task Manager helps).
>
> Samba version on AD is 4.8.0 (compiled from source)
> Samba version on Domain member is Samba version
> 4.8.2-git.30.690aa93c1892.1-SUSE-SLE_12-x86_64
>
> I would like to point out that virtually all tests and parameters are
> working properly according to SambaWiki. smb_conf.txt
> <http://samba.2283325.n4.nabble.com/file/t372619/smb_conf.txt>

Please don't do that, just post it in the post, i.e.

[global]
workgroup = TCIT
security = ADS
realm = TCIT.NOVOSTI.LAB
log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config TCIT:backend = ad
idmap config TCIT:schema_mode = rfc2307
idmap config TCIT:range = 10000-999999
idmap config domain_name:unix_nss_info = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
username map = /etc/samba/user.map
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
[Demo]
path = /srv/samba/TestShare3/
read only = no

Just a few questions:

In the 'idmap config' lines you have 'domain_name', is this what is
actually there, or is it 'TCIT'?
If it isn't 'TCIT', change it to 'TCIT'.

What is in the user.map?

Is the user you are trying to connect with 'Administrator' or a member
of Domain Admins?

If it is 'Administrator', have you given 'Administrator' a uidNumber
attribute? If you have, remove it.

If your user is a member of Domain Admins, does Domain Admins have a
gidNumber attribute and the required privileges?

Rowland
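
An added example, not part of the original message or of Samba itself: a small checker for the first question above, which flags any 'idmap config' domain that is neither '*' nor the configured workgroup and also reports overlapping idmap ranges. It assumes a single-domain member server as in the posted config; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the workgroup and idmap lines as posted in the message above.
SAMPLE_CONF = """\
[global]
workgroup = TCIT
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config TCIT:backend = ad
idmap config TCIT:schema_mode = rfc2307
idmap config TCIT:range = 10000-999999
idmap config domain_name:unix_nss_info = yes
"""

# Matches "idmap config <domain> : <option> = <value>", with or without spaces.
IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*(.+?)\s*=\s*(.*)$", re.I)

def parse_global(text):
    """Return (workgroup, {domain: {option: value}}) from the [global] section."""
    workgroup, domains, section = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[] ").lower()
            continue
        if section != "global":
            continue
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3).strip()
        elif line.lower().startswith("workgroup") and "=" in line:
            workgroup = line.split("=", 1)[1].strip()
    return workgroup, domains

def check_idmap(text):
    """List idmap domains that do not match the workgroup, and overlapping ranges."""
    workgroup, domains = parse_global(text)
    findings, ranges = [], []
    for dom, opts in domains.items():
        if dom != "*" and dom.upper() != (workgroup or "").upper():
            findings.append(f"idmap domain '{dom}' is not workgroup '{workgroup}'")
        if "range" in opts:
            low, high = (int(n) for n in opts["range"].split("-"))
            ranges.append((low, high, dom))
    ranges.sort()
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"idmap ranges for '{d1}' and '{d2}' overlap")
    return findings
```

Calling check_idmap() on the text of a member server's smb.conf returns an empty list when every 'idmap config' line uses '*' or the workgroup name and the ranges do not overlap.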