Thank you very much for the report @rolf. It seems you hit a “regression bug” caused by this fix
Loading the libwbclient library from sssd (instead of the one from Samba) fixes the ACLs management but (as the RHEL7 docs says) breaks the NTLM and NetBIOS support. Only kerberos auth works with it.
The workaround to Rolf’s problem is reverting the bugfix#5142 effects with the following commands:
alternatives --set libwbclient.so.0.12-64 /usr/lib64/samba/wbclient/libwbclient.so.0.12
systemctl restart smb
After these commands, ACLs can’t be set from Windows Pro workstations.
To show the current settings
alternatives --display libwbclient.so.0.12-64
Now that we’re aware of this limitation we must decide what to do. I see the following alternatives
- drop sssd libraries for samba and configure winbind
- turn this bug into a feature! Implement a switch in server-manager to choose what scenario NethServer must support: a) an AD domain where all clients are Kerberos clients (Win Pro), with full ACLs support, b) an AD domain with mixed clients (Home/Pro, NTLM/Kerberos) with the limitation on ACLs
The solution 1 is a big revolution in our configuration and I’d prefer not considering it.
The solution 2 is actually let the sysadmin to choose between living with the limitation on ACLs to support legacy clients, or support only Win Pro and fully leverage the upstream solution based on sssd.
What do you think? /cc @dev_team @quality_team