[Samba] Client station file permission behavior changes after a week or so

[Rowland penny]

On 25/02/2020 00:46, Eric via samba wrote:
> Yes, I didn't even look to verify my fileserver is a DC. I must have debated
> a few times about the choice and forgot my last decision when installing.
>
> I know it's not recommended to run a fileserver on an AD DC, but hopefully
> you can still offer some advice on troubleshooting.
>
OK, if they are as on disk, who added all the rubbish lines that, in my 
opinion, have no place in a Samba AD DC smb.conf ?

Try this smb.conf:

[global]
netbios name = FS01
realm = KIDDLAW.LAN
server role = active directory domain controller
server services = -dns
workgroup = KIDDLAW
server string = Univention Corporate Server

log level = 1
logging = file
tls keyfile = /etc/univention/ssl/FS01.kiddlaw.lan/private.key
tls certfile = /etc/univention/ssl/FS01.kiddlaw.lan/cert.pem
tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
ldap server require strong auth = allow_sasl_over_tls

max open files = 32808
interfaces = lo ens3
bind interfaces only = yes

template shell = /bin/bash
template homedir = /home/%D-%U

load printers = yes
printing = cups
printcap name = cups
spoolss: architecture = Windows x64
max xmit = 65535

[netlogon]
comment = Domain logon service
path = /var/lib/samba/sysvol/kiddlaw.lan/scripts
read only = no

[sysvol]
path = /var/lib/samba/sysvol
read only = no

[homes]
comment = Heimatverzeichnisse
hide files = /windows-profiles/
browsable = no
read only = no
create mask = 0700
directory mask = 0700

[printers]
comment = Drucker
browseable = no
path = /tmp
printable = yes
create mode = 0700

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
read only = no

[sharedData]
path = /srv/shares/sharedData
read only = no
hide unreadable = yes
veto files = /.Trashes/._*/.DS_Store/

Then read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

It is the only way you can use a DC as a fileserver.

Rowland