A small group of us have been trying to get our Ubuntu servers fully integrated into AD with sssd and Samba. We have slowly chipped away at the issues. We believe we are left with one major issue: Windows cannot set ACLs through Samba. The Windows permission dialog seems to work, but when you click Apply they vanish, and getfacl on Ubuntu shows they were not applied.
The host is Ubuntu 16.04.2, up to date as of today, so sssd 1.13.4-1ubuntu1.1 and Samba 2:4.3.11+dfsg-0ubuntu0.16.04.3.
Our AD is set up with OU.AD3.UCDAVIS.EDU as a child domain in the same forest as the parent domain, AD3.UCDAVIS.EDU, with users in AD3.UCDAVIS.EDU and computers and groups in OU.AD3.UCDAVIS.EDU.
The sssd part seems to be set up correctly. We can log in via SSH and auth correctly with Samba. Windows honors the ACLs that are set on the Ubuntu side, but setting ACLs on Windows fails to actually apply. The Samba config is attached.
[storage] is on ZFS with:
    root@phys-adtest:~# zfs get all storage | grep acl
    storage  aclinherit  restricted  local
    storage  acltype     posixacl    local
And [storage2] is on ext4 with the user_xattr mount option added.
The behavior, where ACLs vanish after clicking Apply in Windows, is the same with both of them.
I had previously found a thread with the issue on a Samba mailing list indicating it "must be a sssd issue because it works with winbind", but can't find the thread now.
Anyone have any clues as to what may be going wrong or what config options I should check? I can post debug logs if it would help.
Thanks, Omen
sssd-users@lists.fedorahosted.org