Andrew Bartlett
2024-May-22 21:42 UTC
[Samba] How to set up a simple file server with full ACL support?
After 23 years answering questions here, I figure it might be time for me to ask one.

As mentioned here: https://lists.samba.org/archive/samba-technical/2024-May/138969.html I am working with a client to improve a Go SMB client library.

They want to manipulate ACLs on SMB, which is a very reasonable thing to want to do.

What we had a lot of trouble with is simply setting Samba up as a standalone fileserver able to accept arbitrary NT ACL changes.

Our build now includes all the required support by default, and we (think we have) followed: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Enable_Extended_ACL_Support_on_a_Unix_domain_member

However, despite connecting as root (within a docker container), we just get ACL errors that seem to be from Samba checking and failing against some existing (mapped) presumably ACL.

I don't have the exact error strings to hand (was on the client's dev box) but I've been asked to provide a working set of steps to get arbitrary windows ACLs working on modern standalone Samba server.

Naturally, I'll do that by fixing the wiki.

We are trying to set ACLs, even just set back the ACL we got, with smbcacls, so that there is an example for the Go SMB client library to match.

Has anybody got a bulletproof set of instructions or an already worked example for this?

(My plan B is to just set up an AD DC, as that should 'just work', I hope!).

Thanks,

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
Jeremy Allison
2024-May-23 04:05 UTC
[Samba] How to set up a simple file server with full ACL support?
On Thu, May 23, 2024 at 09:42:53AM +1200, Andrew Bartlett via samba wrote:
>After 23 years answering questions here, I figure it might be time for
>me to ask one.
>
>As mentioned here:
>https://lists.samba.org/archive/samba-technical/2024-May/138969.html I
>am working with a client to improve a Go SMB client library.
>
>They want to manipulate ACLs on SMB, which is a very reasonable thing
>to want to do.
>
>What we had a lot of trouble with is simply setting Samba up as a
>standalone fileserver able to accept arbitrary NT ACL changes.
>
..
>However, despite connecting as root (within a docker container), we
>just get ACL errors that seem to be from Samba checking and failing
>against some existing (mapped) presumably ACL.
>
>I don't have the exact error strings to hand (was on the client's dev
>box) but I've been asked to provide a working set of steps to get
>arbitrary windows ACLs working on modern standalone Samba server.

My guess would be docker container issues.

Try setting up a bog-standard stand-alone fileserver (not on docker) - no containerization, just using local users and NTLM auth.

Get ACL then set with smbcacls. That should easily work, and the network trace should show you what is being done.

If that fails, get a debug level 10 and start digging for the returned error message.

This *should* be very simple. It works for me every day.