[Samba] File/dir user permissions on Samba fileserver in DC

Rowland Penny rpenny at samba.org
Mon Mar 13 09:59:39 UTC 2017

On Mon, 13 Mar 2017 12:01:28 +0300
it at mdsdnr.ru wrote:

> Thank you for pointing me to errors. I've corrected'em (I think), so 
> smb.conf now looks like:

Can I ask if you are having problems following the Samba wiki ?
You still do not seem to have set up the smb.conf correctly, if you are
having problems following the wiki, please say so and if possible give
examples. Without feedback, we do not know of any problem areas.

Having got that out of the way, I have gone through your smb.conf and
corrected it by removing default lines. I have also added some comments:

    workgroup = WG
    security = ADS
    realm = WG.LOCAL

    #netbios name = FSRV # see [1] below

    log level = 0 vfs:1

    #idmap config MDS:backend = ad # see [2] below

    idmap config * : backend = tdb
    idmap config *:range = 2000-9999
    idmap config WG : backend = ad
    idmap config WG : range = 10000-999999
    idmap config WG : schema_mode = rfc2307 # see [3] below

    winbind nss info = rfc2307
    winbind use default domain = yes
    winbind enum users = yes # see [4] below
    winbind enum groups = yes # see [4] below
    winbind refresh tickets = yes

    max log size = 1000
    syslog = 1

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    #unix password sync = yes # NO, no a thousand times NO, see [5] below

    load printers = no
    show add printer wizard = no
    disable spoolss = yes
    printcap name = /dev/null

    hide unreadable = yes # see [6]
    log writeable files on exit = yes
    deadtime = 600 # see [7]
    ea support = yes # see [8]
    #socket options = TCP_NODELAY IPTOS_LOWDELAY # see [9]

#======================= Share Definitions =======================
[q] # see [10]
     comment = File share
     path = /somepath
     read only = no
     delete readonly = yes
     strict sync = yes
     sync always = yes

     inherit permissions = Yes
     inherit owner = Yes

     veto files = /.snap/quota*/*.vmx/autorun.inf/

     valid users = +WG\all WG\admin
     admin users = +WG\it  WG\admin

     access based share enum = yes


[1] this is not strictly required, provided hostname resolution is
    set up correctly and if it isn't, you need to fix this, not Samba

[2] you have set workgroup to 'WG'

[3] this could also be 'template'

[4] you should only set these to for testing purposes

[5] You are using AD and with this, all your users must be stored in
    AD, you cannot also store them in /etc/passwd i.e, you cannot have
    the user 'fred' in AD and /etc/passwd. The same goes for groups.
[6] Do you really want to do this ? See 'man smb.conf'

[7] 10 hours ?

[8] I have never needed this

[9] You shouldn't set these any more, just rely on the kernel

[10] You will probably be better off using POSIX acls and setting access
     rights from Windows

You are using the winbind 'ad' backend, have you given your users a
unique uidNumber attribute and also given Domain Users a gidNumber
attribute ? If you haven't and want to use the 'ad' backend, you will
need to do so.

Any question, please ask.


More information about the samba mailing list