Jonathan Kreider
2018-Sep-12 00:14 UTC
[Samba] Cannot set Windows ACL security permissions Ubuntu 18.04 LXD privileged container
I'm trying to set up a member server for serving files following the
instructions at:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs.
Since I'm not an expert with log files or debugging, I need help
troubleshooting the following:
When I get to the part where I connect to the member server from the
Windows Computer Management tool, I get a long message starting with
"Computer FS3.MYDOM.COM cannot be connected. ..."
But then the tool connects anyway and lets me change the "Share
permissions" settings. I can add and delete groups here.
But when I click on the security tab I get a message "You must have read
permissions to view the properties of this object." Other times, the tab
has displayed properly and allowed me to add groups and change permissions,
but then it won't allow me to save the changes.
Shared directory permissions:
drwxrwxrwx 2 root KMS2\domain admins 2 Sep 11 22:40 shared/
testparm output:
# Global parameters
[global]
dns proxy = No
log file = /var/log/samba/log.%m
map to guest = Bad User
max log size = 1000
panic action = /usr/share/samba/panic-action %d
realm = KMS2.SAMDOM.COM (sanitized)
security = ADS
server role = member server
server string = %h server (Samba, Ubuntu)
username map = /etc/samba/user.map
winbind refresh tickets = Yes
workgroup = KMS2
acl_xattr:default acl style = windows (tried with and without -
could not tell a difference)
acl_xattr:ignore system acls = yes (tried with and without -
could not tell a difference)
idmap config kms2 : range = 10000-19999
idmap config kms2 : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr
[printers]
browseable = No
comment = All Printers
create mask = 0700
path = /var/spool/samba
printable = Yes
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
[Shared]
path = /home/shared
read only = No
acl_xattr:default acl style = windows (tried with and without -
could not tell a difference)
acl_xattr:ignore system acls = yes (tried with and without - could
not tell a difference)
Environment: Ubuntu 18.04 in an LXD privileged container on a Ubuntu 16.04
host
Samba Version = 4.7.6 (what ships with Ubuntu 18.04 by default)
AD DC = Samba 4.3.11 on Ubuntu 16.04 LTS inside a LXD privileged container
on the same host as above.
Second AD DC = Samba 4.7.6-Ubuntu on Ubuntu 18.04 inside a privileged
container on same host.
The underlying file system is zfs-on-linux and in all cases I set the
following zfs attributes:
xattrs=sa
aclinherit=passthrough
acltype=posix
A member server fs3 w/Samba 4.7.6-Ubuntu also privileged on the same host.
All workstations on the network are successfully joined to AD.
Windows OS = 10 1803, but RSAT is 17xx because the RSAT 1803 doesn't have the
DNS tools, so I had to downgrade.
All containers are "privileged" because Samba NTACLs use the "security"
namespace, which requires root privileges. This seems to work for the AD DCs;
I can't get the AD DCs to work in unprivileged mode.
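As an added example (not part of this thread, and not Samba's own code), the following script parses a testparm-style dump like the one posted above and checks the settings the linked wiki page relies on: that the acl_xattr VFS module is in the *effective* `vfs objects` list of every file share (a share-level `vfs objects` replaces the global list rather than appending to it), that `map acl inherit` and `store dos attributes` are switched on, and that every idmap backend has a range, a `*` range exists, and no two ranges overlap. The sample inputs are constructed from the posted config; the second one is deliberately broken. testparm only validates syntax, so none of this is checked by Samba itself.

```python
"""Lint a testparm-style smb.conf dump for Windows-ACL share prerequisites.

Added example for this thread, not Samba code.  The checks are this
example's reading of the Samba wiki page "Setting up a Share Using
Windows ACLs"; Samba's testparm does not perform any of them.
"""
import re
from typing import Dict, List, Tuple

Config = Dict[str, Dict[str, str]]

# Constructed input: the poster's testparm output, trimmed to the lines
# that matter here (printer shares and inline remarks removed).
SAMPLE_SMB_CONF = """
# Global parameters
[global]
    realm = KMS2.SAMDOM.COM
    security = ADS
    server role = member server
    workgroup = KMS2
    acl_xattr:default acl style = windows
    acl_xattr:ignore system acls = yes
    idmap config kms2 : range = 10000-19999
    idmap config kms2 : backend = rid
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
    map acl inherit = Yes
    store dos attributes = Yes
    vfs objects = acl_xattr

[Shared]
    path = /home/shared
    read only = No
"""

# Constructed counter-example: the share-level 'vfs objects' silently
# replaces the global list, and the two idmap ranges collide.
BROKEN_SMB_CONF = """
[global]
    security = ADS
    workgroup = KMS2
    idmap config kms2 : range = 5000-19999
    idmap config kms2 : backend = rid
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
    vfs objects = acl_xattr

[Shared]
    path = /home/shared
    read only = No
    vfs objects = recycle
"""


def normalise_key(key: str) -> str:
    """Samba matches parameter names ignoring case and embedded whitespace."""
    return re.sub(r"\s+", "", key.lower())


def parse_smb_conf(text: str) -> Config:
    """Parse an smb.conf / testparm dump into {section: {key: value}}."""
    config: Config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            config.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        config[section][normalise_key(key)] = value.strip()
    return config


def is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def idmap_ranges(global_section: Dict[str, str]) -> Dict[str, Tuple[int, int]]:
    """Collect 'idmap config <dom> : range = lo-hi' entries, keyed by domain."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for key, value in global_section.items():
        m = re.fullmatch(r"idmapconfig(.+):range", key)
        if m:
            lo, hi = (int(x) for x in value.split("-", 1))
            ranges[m.group(1)] = (lo, hi)
    return ranges


def lint(config: Config) -> List[str]:
    """Return human-readable findings; an empty list means the dump looks clean."""
    findings: List[str] = []
    g = config.get("global", {})

    # 1. NT ACL storage: acl_xattr must be in each share's effective vfs list.
    global_vfs = g.get("vfsobjects", "").split()
    for name, section in config.items():
        if name in ("global", "printers", "print$"):
            continue
        vfs = section["vfsobjects"].split() if "vfsobjects" in section else global_vfs
        if "acl_xattr" not in vfs:
            findings.append(f"[{name}]: effective 'vfs objects' ({' '.join(vfs) or 'none'}) "
                            "lacks acl_xattr; ACLs set from Windows will not be stored")

    # 2. Global switches the wiki pairs with acl_xattr.
    for param in ("map acl inherit", "store dos attributes"):
        if not is_yes(g.get(normalise_key(param), "no")):
            findings.append(f"[global]: '{param} = yes' is missing")

    # 3. idmap: each backend needs a range, '*' must exist, ranges must not overlap
    #    (an overlap makes the SID <-> UID/GID mapping ambiguous).
    ranges = idmap_ranges(g)
    for key in g:
        m = re.fullmatch(r"idmapconfig(.+):backend", key)
        if m and m.group(1) not in ranges:
            findings.append(f"[global]: idmap backend for '{m.group(1)}' has no range")
    if "*" not in ranges:
        findings.append("[global]: no 'idmap config * : range' for the default domain")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (lo1, hi1), (lo2, hi2) = ranges[a], ranges[b]
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"[global]: idmap ranges for '{a}' {ranges[a]} "
                                f"and '{b}' {ranges[b]} overlap")
    return findings


if __name__ == "__main__":
    for label, text in (("posted config", SAMPLE_SMB_CONF), ("broken config", BROKEN_SMB_CONF)):
        print(f"== {label} ==")
        for finding in lint(parse_smb_conf(text)) or ["no findings"]:
            print(" ", finding)
```

Run against the posted dump the linter reports nothing, which is consistent with the problem lying outside smb.conf (on the host being managed, its privileges, or the filesystem); the broken variant shows the two mistakes that most often reproduce the "cannot save permissions" symptom from the config side.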
Jochen Eggemann
2018-Sep-12 05:50 UTC
[Samba] Cannot set Windows ACL security permissions Ubuntu 18.04 LXD privileged container
Set the permissions to drwxrwx---+ and make sure 'vfs objects = acl_xattr' is set in smb.conf.

Good luck
Jochen

On 12.09.2018 at 02:14, Jonathan Kreider via samba wrote:
> I'm trying to set up a member server for serving files following the
> instructions at:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs.
> ...
Rowland Penny
2018-Sep-12 08:17 UTC
[Samba] Cannot set Windows ACL security permissions Ubuntu 18.04 LXD privileged container
On Tue, 11 Sep 2018 20:14:58 -0400 Jonathan Kreider via samba <samba at lists.samba.org> wrote:
> When I get to the part where I connect to the member server from the
> Windows Computer Management tool, I get a long message starting with
> "Computer FS3.MYDOM.COM cannot be connected. ..."
> ...
> The underlying file system is zfs-on-linux and in all cases I set the
> following zfs attributes:
> xattrs=sa
> aclinherit=passthrough
> acltype=posix
>
> A member server fs3 w/Samba 4.7.6-Ubuntu also privileged on the same
> host.
> ...

Bit confused here, you talk about an error message 'Computer FS3.MYDOM.COM cannot be connected', you then post a smb.conf, but then go on to say 'A member server fs3 w/Samba 4.7.6-Ubuntu also privileged on the same host.'. It sounds like the smb.conf is not from 'FS3'.

By my count, you seem to be running 4 hosts on the same computer, 2 DCs and 2 Unix domain members. This is not a good idea; if something goes wrong with the host computer, you will lose everything.

Finally, stop me if I am wrong, but doesn't zfs use nfs4acls? So I think you need 'vfs_nfs4acl_xattr' instead of 'vfs_acl_xattr'

Rowland