Greg Sloop <gregs@sloop.net>
2022-Mar-10 18:43 UTC
[Samba] Setting permissions on AD member file server
So, this is kind of odd.

Samba member server;
Ubuntu 20.04, with Louis' Samba packages. (4.15.5)
Went through setup as described in the wiki for member servers - all seems fine.
SeDiskOperatorPrivilege is granted to Domain Admins too.

Initially I chowned the dirs/files as root:domain admins
and chmod 0770
getfacl shows:
# file: .
# owner: root
# group: AD\\domain\040admins
user::rwx
group::rwx
other::---

However, when I try to set permissions from a Windows 10 machine, using Windows File Explorer, I get this message:

"Failed to enumerate objects in the container. Access is denied."

I'm logged into the domain on the station where I'm trying to mod permissions as a user that's a member of "Domain Admins"

---
smb.conf from the member/file server
---
[global]
realm = AD.SAMDOM.LOCAL
security = ADS
server role = member server
server string = FileServer
username map = /etc/samba/user.map
workgroup = AD
idmap config ad : range = 10000-999999
idmap config ad : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb
map acl inherit = Yes
vfs objects = acl_xattr

[root-share]
comment = root-share
path = /abc-zfs-01/ad-shared-folders/
read only = No

---
Any good pointers?
On Thu, 2022-03-10 at 10:43 -0800, Greg Sloop <gregs--- via samba wrote:
> So, this is kind of odd.
>
> Samba member server;
> Ubuntu 20.04, with Louis' Samba packages. (4.15.5)
> Went through setup as described in the wiki for member servers - all seems fine.
> SeDiskOperatorPrivilege is granted to Domain Admins too.
>
> Initially I chowned the dirs/files as root:domain admins
> and chmod 0770
> getfacl shows:
> # file: .
> # owner: root
> # group: AD\\domain\040admins
> user::rwx
> group::rwx
> other::---
>
> However, when I try to set permissions from a Windows 10 machine, using Windows File Explorer, I get this message:
>
> "Failed to enumerate objects in the container. Access is denied."
>
> I'm logged into the domain on the station where I'm trying to mod permissions as a user that's a member of "Domain Admins"
>
> ---
> smb.conf from the member/file server
> ---
> [global]
> realm = AD.SAMDOM.LOCAL
> security = ADS
> server role = member server
> server string = FileServer
> username map = /etc/samba/user.map
> workgroup = AD
> idmap config ad : range = 10000-999999
> idmap config ad : backend = rid
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> map acl inherit = Yes
> vfs objects = acl_xattr
>
> [root-share]
> comment = root-share
> path = /abc-zfs-01/ad-shared-folders/
> read only = No
>
> ---
> Any good pointers?

Try adding 'min domain uid = 0' to global and reload the config or restart Samba

Rowland
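
Added example, not part of the thread and not Samba project code: a small check of the posted [global] settings against the suggested 'min domain uid' parameter. It assumes the documented default of 'min domain uid = 1000' from smb.conf(5) and, because the thread does not show /etc/samba/user.map, a constructed mapping of a domain account to root (uid 0); the function names are hypothetical.

```python
import re

DEFAULT_MIN_DOMAIN_UID = 1000  # assumption: default documented in smb.conf(5)

# Constructed sample: the idmap-related [global] lines from the post.
SMB_CONF = """\
[global]
username map = /etc/samba/user.map
workgroup = AD
idmap config ad : range = 10000-999999
idmap config ad : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb
"""

def parse_global(text):
    """Return [global] parameters as a dict with lower-cased, space-normalised keys."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def idmap_ranges(params):
    """Map each idmap domain ('*' is the default domain) to its (low, high) range."""
    out = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (.+?) ?: ?range", key)
        if m:
            low, high = (int(x) for x in value.split("-"))
            out[m.group(1)] = (low, high)
    return out

def check(params, mapped_uids):
    """mapped_uids: Unix account name -> uid that domain users are mapped onto."""
    floor = int(params.get("min domain uid", DEFAULT_MIN_DOMAIN_UID))
    findings = [f"{name} (uid {uid}) is below min domain uid = {floor}"
                for name, uid in mapped_uids.items() if uid < floor]
    ranges = sorted(idmap_ranges(params).items(), key=lambda kv: kv[1])
    for (a, (_, a_hi)), (b, (b_lo, _)) in zip(ranges, ranges[1:]):
        if b_lo <= a_hi:
            findings.append(f"idmap ranges for {a} and {b} overlap")
    return findings
```

With the posted settings, check(parse_global(SMB_CONF), {"root": 0}) reports the root mapping; once 'min domain uid = 0' is present in [global] it reports nothing.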