[Samba] Incorrect group name is displayed in folder permission list in Windows
Mason Schmitt
mason at ftlcomputing.com
Wed Feb 12 11:16:42 UTC 2020
>
> Hi, can we start by seeing your smb.conf from the file server ?
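######################################################
# Global Config #
######################################################
[global]
# AD domain member; Kerberos tickets are checked against the system keytab
kerberos method = system keytab
workgroup = NAME
security = ads
realm = NAME.EXAMPLE.COM
# Logging
# One log file per client machine name (%m)
# NOTE(review): level 3 is verbose and records user names, client names and
# paths; keep /var/log/samba readable by root only and lower the level once
# troubleshooting is finished.
log file = /var/log/samba/%m.log
log level = 3
# We're using the RID method of mapping SIDs to UID/GID
# The NAME range and the default (*) range must never overlap, otherwise two
# different SIDs can end up with the same UID/GID.
idmap config NAME : range = 2000000-2999999
idmap config NAME : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
# Winbind
winbind use default domain = no
winbind refresh tickets = yes
# Offline logon makes winbind keep cached credentials on this host
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
# Map domain admin account to local root account
# and resolve other "net rpc" issues
# NOTE(review): this file decides which domain account becomes root on this
# server; keep it owned by root and not writable by anyone else.
username map = /etc/samba/user.map
# Listen only on loopback and eth0
bind interfaces only = yes
interfaces = lo eth0
# Enable Windows ACL support and make ACLs maximally compatible with NTFS ACLs.
# Beyond setting the POSIX ownership and permissions for the share directory,
# all ACLs should be managed in Windows. See the comment in the Shares section
# below for details about our standard share configuration (both on the
# Linux/POSIX side and on the Windows side)
vfs objects = acl_xattr recycle
acl_xattr:default acl style = windows
# PURE EVIL! If you value your sanity, don't use this option
#acl_xattr:ignore system acls = yes
map acl inherit = yes
store dos attributes = yes
# Samba version 4.9.x enabled extended attribute support, by default.
# This should be a good thing as it enables clients to make more intelligent
# decisions.
# Unfortunately, customer reported that their old Windows 7 CE data collection
# device, doesn't like the new settings, so we have to revert this feature.
ea support = no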
######################################################
# Global Security Settings #
######################################################
# Disable SMB1, it's too old and too insecure to be used anymore
server min protocol = SMB2
# Samba AD users will not have access to a shell on linux hosts
template shell = /bin/false
# Netbios is dead, let's make it explicit
disable netbios = yes
# Win10 clients, that have negotiated an encrypted connection,
# are not able to successfully re-connect to shares,
# after being idle for an extended period of time.
# Disabling encryption resolves this issue.
# NOTE(review): with this set to off the server does not offer SMB
# encryption, so file contents cross the network unencrypted. This is a
# reliability workaround, not a security setting; revisit it once the
# reconnect problem is resolved. Signing is a separate parameter
# ("server signing") and is not set in this file.
smb encrypt = off
# Hide shares from users that don't have permission to see them
# (this only affects share enumeration; access itself is still decided by
# the share and file permissions)
access based share enum = yes
######################################################
# Automatic creation of home directories #
######################################################
# !!! Important SELINUX configuration !!!
# For automatic creation of home directories to work,
# you must set two selinux booleans with the following commands:
# (-P makes the change persistent across reboots)
# setsebool -P samba_create_home_dirs 1
# setsebool -P samba_enable_home_dirs 1
#
# Check that the selinux booleans were correctly set
# getsebool -a | grep samba | grep home
#
# For samba to serve the home dirs, they must be labeled with the
# selinux type 'samba_share_t'
# During the installation of this server a policy was created for the
# /srv/samba/ directory, which ensures all sub-folders/files are labeled
# with samba_share_t. Therefore, as long as the home folders are located
# under /srv/samba/ this labelling will be taken care of.
# --- End of SELINUX configuration ---
# Home directories will be created at this path with %U being replaced by
# the username
# This is the same directory that the [Home] share below exports.
template homedir = /srv/samba/Shares/Home/%U
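# This share declaration works in conjunction with a GPO
# When a user logs in for the first time, a new home folder will
# be created for them on the file server and a mapped drive (H:) will
# be created in the Windows profile on their computer. See the samba wiki
# for details of how to create the GPO
# https://wiki.samba.org/index.php/User_Home_Folders#Using_a_Group_Policy_Preference
# NOTE(review): the share root is the parent of every user's folder, so
# users are kept out of each other's homes only by the ACLs on
# /srv/samba/Shares/Home and the folders below it - verify those ACLs.
[Home]
path = /srv/samba/Shares/Home
comment = Share for user home dirs
guest ok = no
read only = no
# Recycle bin
# Deleted files are moved into the deleting user's own folder (%U)
recycle:repository = %U/Recycle_Bin
recycle:versions = Yes
recycle:keeptree = Yes
recycle:touch = Yes
recycle:exclude = *.tmp,~$*
recycle:exclude_dir = %U/Recycle_Bin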
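######################################################
# Standard Shares #
######################################################
# NOTE(review): /srv/samba/Shares is the parent directory of the Home,
# Backup, FTL, Software and Top share paths, so all of their content is also
# reachable through this share. Only the file ACLs separate them here;
# confirm that the top-level ACL does not grant more than intended.
[Shares]
path = /srv/samba/Shares
comment = Parent share sets top level Windows file permission inheritance
guest ok = no
read only = no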
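# The "locked down permissions" named in the share comment are not enforced
# by anything in this section (the share itself is writable); they have to be
# set as ACLs on each application's folder.
[Backup]
path = /srv/samba/Shares/Backup
comment = Create separate folders, with locked down permissions, for each application
guest ok = no
read only = no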
# Service tools and documents; no guest access, writable at the share level,
# so who may change files is decided by the ACLs on the directory.
[FTL]
path = /srv/samba/Shares/FTL
comment = FTL tools and documents to help with on-site service
guest ok = no
read only = no
# NOTE(review): packages deployed by GPO are installed on clients with high
# privileges, and this share is writable at the share level. Make sure the
# ACLs (not shown here) allow write access to administrators only, so that
# nobody else can replace an installer.
[Software]
path = /srv/samba/Shares/Software
comment = Software for installation via GPO
guest ok = no
read only = no
# General file share; no guest access, writable at the share level.
[Top]
path = /srv/samba/Shares/Top
comment = Top level file share
guest ok = no
read only = no
# Recycle bin
# Deleted files from all users go under one Recycle_Bin tree, in a
# sub-folder per user (%U).
# NOTE(review): check the permissions on that tree so users cannot read each
# other's deleted files.
recycle:repository = Recycle_Bin/%U
recycle:versions = Yes
recycle:keeptree = Yes
recycle:touch = Yes
recycle:exclude = *.tmp,~$*
recycle:exclude_dir = Recycle_Bin