[Samba] Incorrect group name is displayed in folder permission list in Windows

Mason Schmitt mason at ftlcomputing.com
Wed Feb 12 11:16:42 UTC 2020


>
> Hi, can we start by seeing your smb.conf from the file server ?


######################################################
#                     Global Config                  #
######################################################

# Domain member file server: authentication is delegated to Active Directory
# (security = ads) and Kerberos tickets are checked against the system keytab.
[global]
kerberos method = system keytab
workgroup = NAME
security = ads
realm = NAME.EXAMPLE.COM

# Logging
# One log file per connecting client (%m).
# NOTE(review): level 3 is verbose; presumably raised to debug the problem in
# this thread -- lower it again once the issue is resolved.
log file = /var/log/samba/%m.log
log level = 3

# We're using the RID method of mapping SIDs to UID/GID
# The domain range (2000000-2999999) and the default "*" range (10000-999999)
# do not overlap, which keeps the two mappings unambiguous.
idmap config NAME : range = 2000000-2999999
idmap config NAME : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb

# Winbind
# Domain accounts are always written with their domain prefix
# (use default domain = no).  Enumeration is off, so listing all users or
# groups returns no domain entries; lookups of individual names still work.
# NOTE(review): offline logon makes winbind keep cached logon credentials on
# this host; with template shell = /bin/false further down it is probably not
# needed on a pure file server -- confirm before keeping it.
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no

# Map domain admin account to local root account
# and resolve other "net rpc" issues
# NOTE(review): this file decides which account is treated as root, so it
# should be owned by root and writable by nobody else; its contents are not
# shown in this post.
username map = /etc/samba/user.map
# Listen only on the loopback interface and eth0.
bind interfaces only = yes
interfaces = lo eth0

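# Enable Windows ACL support and make ACLs maximally compatible with NTFS ACLs.
# Beyond setting the POSIX ownership and permissions for the share directory,
# all ACLs should be managed in Windows.  See the comment in the Shares section
# below for details about our standard share configuration (both on the
# Linux/POSIX side and on the Windows side).
#
# These modules are loaded in [global], so they apply to every share.  Shares
# that set no recycle:repository of their own fall back to the recycle module's
# default repository (a .recycle directory in the share root), so deleted data
# is retained there as well.
vfs objects = acl_xattr recycle
acl_xattr:default acl style = windows
# PURE EVIL!  If you value your sanity, don't use this option
#acl_xattr:ignore system acls = yes
map acl inherit = yes
store dos attributes = yes

# Samba version 4.9.x enabled extended attribute support, by default.
# This should be a good thing as it enables clients to make more intelligent
# decisions.
# Unfortunately, customer reported that their old Windows 7 CE data collection
# device, doesn't like the new settings, so we have to revert this feature.
ea support = no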


######################################################
#             Global Security Settings               #
######################################################

# Disable SMB1, it's too old and too insecure to be used anymore
server min protocol = SMB2

# Samba AD users will not have access to a shell on linux hosts
template shell = /bin/false

# Netbios is dead, let's make it explicit
disable netbios = yes

# Win10 clients, that have negotiated an encrypted connection,
# are not able to successfully re-connect to shares,
# after being idle for an extended period of time.
# Disabling encryption resolves this issue.
# NOTE(review): "off" means SMB encryption cannot be negotiated at all, and
# because this line sits in [global] it applies to every share and every
# client, not only the affected Win10 machines.  File contents then cross the
# network unencrypted.  Revisit once the reconnect problem is fixed upstream,
# or limit the setting to the shares that need it.
smb encrypt = off

# Hide shares from users that don't have permission to see them
# NOTE(review): this only filters the share list, and the filter is evaluated
# against share-level permissions, not the ACLs on the files.  It is not an
# access control by itself.
access based share enum = yes


######################################################
#       Automatic creation of home directories       #
######################################################

# !!! Important SELINUX configuration !!!
# For automatic creation of home directories to work,
# you must set two selinux booleans with the following commands:
# setsebool -P samba_create_home_dirs 1
# setsebool -P samba_enable_home_dirs 1
#
# Check that the selinux booleans were correctly set
# getsebool -a | grep samba | grep home
#
# For samba to serve the home dirs, they must be labeled with the
# selinux type 'samba_share_t'
# During the installation of this server a policy was created for the
# /srv/samba/ directory, which ensures all sub-folders/files are labeled
# with samba_share_t.  Therefore, as long as the home folders are located
# under /srv/samba/ this labelling will be taken care of.
# --- End of SELINUX configuration ---

# Home directories will be created at this path with %U being replaced by
# the username
# The resulting directories live directly under the path served by the
# [Home] share (/srv/samba/Shares/Home).
template homedir = /srv/samba/Shares/Home/%U

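# This share declaration works in conjunction with a GPO
# When a user logs in for the first time, a new home folder will
# be created for them on the file server and a mapped drive (H:) will
# be created in the Windows profile on their computer.  See the samba wiki
# for details of how to create the GPO
# https://wiki.samba.org/index.php/User_Home_Folders#Using_a_Group_Policy_Preference
#
# The share root holds every user's home folder, so the ACLs on each
# per-user folder are what keeps users out of each other's data.
[Home]
        path = /srv/samba/Shares/Home
        comment = Share for user home dirs
        guest ok = no
        read only = no
        # Recycle bin
        # Deleted files are moved to <username>/Recycle_Bin inside the share.
        recycle:repository = %U/Recycle_Bin
        # Keep every deleted copy of a file name, keep the directory tree,
        # and update the access time when a file is moved to the repository.
        recycle:versions = Yes
        recycle:keeptree = Yes
        recycle:touch = Yes
        # Temporary and Office lock files are deleted for real, and so is
        # anything deleted from inside the recycle bin itself.
        recycle:exclude = *.tmp,~$*
        recycle:exclude_dir = %U/Recycle_Bin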

######################################################
#                  Standard Shares                   #
######################################################

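# /srv/samba/Shares is the parent directory of every other share path in this
# file (Home, Backup, FTL, Software, Top).  Anyone allowed to connect to
# [Shares] reaches those folders through it as well, so the Windows ACLs on
# each sub-folder are the only thing separating them.
[Shares]
       path = /srv/samba/Shares
       comment = Parent share sets top level Windows file permission inheritance
       guest ok = no
       read only = no

[Backup]
       path = /srv/samba/Shares/Backup
       comment = Create separate folders, with locked down permissions, for each application
       guest ok = no
       read only = no

[FTL]
       path = /srv/samba/Shares/FTL
       comment = FTL tools and documents to help with on-site service
       guest ok = no
       read only = no

[Software]
       path = /srv/samba/Shares/Software
       comment = Software for installation via GPO
       guest ok = no
       read only = no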

# General-purpose share with a per-user recycle bin.
[Top]
       path = /srv/samba/Shares/Top
       comment = Top level file share
       guest ok = no
       read only = no
        # Recycle bin
        # Deleted files are moved to Recycle_Bin/<username> inside the share.
        recycle:repository = Recycle_Bin/%U
        # Keep every deleted copy of a file name, keep the directory tree,
        # and update the access time when a file is moved to the repository.
        recycle:versions = Yes
        recycle:keeptree = Yes
        recycle:touch = Yes
        # Temporary and Office lock files are deleted for real, and so is
        # anything deleted from inside the recycle bin itself.
        recycle:exclude = *.tmp,~$*
        recycle:exclude_dir = Recycle_Bin

