[Samba] ACL Problems with Samba and ADS Integration

[Mike Theory]

I am running a Samba Box as a Domain Member in a Windows ADS Domain (Windows 
Server 2003). The Box has joined the ADS domain and the kerberos authentication 
works, I can see "smbd" processes running with AD user accounts.
But I can not set ACLs on the directories or the files located on the share. If 
I change them using Windows Explorer, they either will be ignored by samba, or 
I get the Message:
Unable to save Permission Changes on [Directory]
The parameter is incorrect
This message comes if I want to grant "Full Control" permissions on files or 
directories.
I am not the in depth pro configuring samba, so maybe I did some configuration 
mistakes. I read about an ACL patch for samba. I did not build samba from the 
sources, I installed the packages and updates supplied by the OpenSUSE 11.3 
distro.

My smb.conf file looks like this:
------------------------------------------------
[global]
        workgroup = [MyDomain]
        security = ADS
        realm = [My.Kerberos.Realm]
        password server = pdc.emulator.at.my.domain
        server string = %L server (OpenSUSE, Samba)
        dns proxy = No
        disable spoolss = Yes
        show add printer wizard = No
        map to guest = Bad User
        domain logons = No
        domain master = No
        local master = No
        netbios name = [ThisServersName]
        wins support = No
        client use spnego = Yes
        idmap uid = 15000 - 25000
        idmap gid = 15000 - 25000
        template homedir = /home/%D/%U
        template shell = /bin/bash
        usershare allow guests = No
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nested groups = Yes
        acl group control = Yes
        acl map full control = True
        ntlm auth = No
        lanman auth = No
        interfaces = bond0
        log level = 3 acls:5 winbind:5

[groups]
        comment = All groups
        path = /raid
        read only = No
        inherit acls = Yes
        force directory security mode = 0770
        admin users = [MyDomain]\[DelegatedAdminUser]
        hide dot files = Yes
        hide unreadable = Yes
------------------------------------------------

Can anyone figure out where the problem is. Do I need to compile from source 
and include some patches, or is the configuration the problem.
I did no group or user bindings with the "net" command.

Best Regards, Mike



      
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba