On 18/06/2023 10:44, Anders ?stling via samba wrote:> Setting "min domain uid = 0" and re-enabling user.map did
actually work.
> Thank you for that.
> However, the other ACL message (on the sending side) I mentioned still
> occurs with user mapping.
>
> Error 1314 (0x00000522) Copying NTFS security to destination X:\
> A required privilege is not held by the client
Try reading this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
It is possible the privilege referred to there is what you require, but
if not, this is a list of the privileges I know:
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege
>
> So to do some more tests, I removed the /COPYALL which includes ACL's
> (actually the Security descriptor, but I guess that is the same) and
> replaced it with /COPY:DAT
> This did actually solve the original problem (full replication). So now I
> asked myself, does this mean that ACL's are not copied at all?
> To test this, I created a new source file with an explicit ACL and
> restarted replication /COPY:DAT. That did include the new file, but the ACL
> was missing on the Samba server (verified with getfacl)
It would be better to use 'samba-tool acl get <file> --as-sddl'
Rowland