[Samba] Incorrect group name is displayed in folder permission list in Windows
Rowland Penny
rpenny at samba.org
Wed Feb 12 11:42:00 UTC 2020
On 12/02/2020 11:16, Mason Schmitt wrote:
>
> Hi, can we start by seeing your smb.conf from the file server ?
>
>
> ######################################################
> # Global Config #
> ######################################################
>
> [global]
> kerberos method = system keytab
> workgroup = NAME
> security = ads
> realm = NAME.EXAMPLE.COM
>
> # Logging
> log file = /var/log/samba/%m.log
> log level = 3
>
> # We're using the RID method of mapping SIDs to UID/GID
> idmap config NAME : range = 2000000-2999999
> idmap config NAME : backend = rid
> idmap config * : range = 10000-999999
> idmap config * : backend = tdb
>
> # Winbind
> winbind use default domain = no
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
>
> # Map domain admin account to local root account
> # and resolve other "net rpc" issues
> username map = /etc/samba/user.map
> bind interfaces only = yes
> interfaces = lo eth0
>
> # Enable Windows ACL support and make ACLs maximally compatible with NTFS ACLs.
> # Beyond setting the POSIX ownership and permissions for the share directory, all ACLs
> # should be managed in Windows. See the comment in the Shares section below for details
> # about our standard share configuration (both on the Linux/POSIX side and on the Windows side
> vfs objects = acl_xattr recycle
> acl_xattr:default acl style = windows
> #acl_xattr:ignore system acls = yes # PURE EVIL! If you value your sanity, don't use this option
> map acl inherit = yes
> store dos attributes = yes
>
> # Samba version 4.9.x enabled extended attribute support, by default.
> # This should be a good thing as it enables clients to make more intelligent decisions.
> # Unfortunately, customer reported that their old Windows 7 CE data collection device,
> # doesn't like the new settings, so we have to revert this feature.
> ea support = no
>
>
> ######################################################
> # Global Security Settings #
> ######################################################
>
> # Disable SMB1, it's too old and too insecure to be used anymore
> server min protocol = SMB2
>
> # Samba AD users will not have access to a shell on linux hosts
> template shell = /bin/false
>
> # Netbios is dead, let's make it explicit
> disable netbios = yes
>
> # Win10 clients, that have negotiated an encrypted connection,
> # are not able to successfully re-connect to shares,
> # after being idle for an extended period of time.
> # Disabling encryption resolves this issue.
> smb encrypt = off
>
> # Hide shares from users that don't have permission to see them
> access based share enum = yes
>
>
> ######################################################
> # Automatic creation of home directories #
> ######################################################
>
> # !!! Important SELINUX configuration !!!
> # For automatic creation of home directories to work,
> # you must set two selinux booleans with the following commands:
> # setsebool -P samba_create_home_dirs 1
> # setsebool -P samba_enable_home_dirs 1
> #
> # Check that the selinux booleans were correctly set
> # getsebool -a | grep samba | grep home
> #
> # For samba to serve the home dirs, they must be labeled with the
> # selinux type 'samba_share_t'
> # During the installation of this server a policy was created for the
> # /srv/samba/ directory, which ensures all sub-folders/files are labeled
> # with samba_share_t. Therefore, as long as the home folders are located
> # under /srv/samba/ this labelling will be taken care of.
> # --- End of SELINUX configuration ---
>
> # Home directories will be created at this path with %U being replaced by
> # the username
> template homedir = /srv/samba/Shares/Home/%U
>
> # This share declaration works in conjunction with a GPO
> # When a user logs in for the first time, a new home folder will
> # be created for them on the file server and a mapped drive (H:) will
> # be created in the Windows profile on their computer. See the samba wiki for
> # details of how to create the GPO
> # https://wiki.samba.org/index.php/User_Home_Folders#Using_a_Group_Policy_Preference
> [Home]
> path = /srv/samba/Shares/Home
> comment = Share for user home dirs
> guest ok = no
> read only = no
> # Recycle bin
> recycle:repository = %U/Recycle_Bin
> recycle:versions = Yes
> recycle:keeptree = Yes
> recycle:touch = Yes
> recycle:exclude = *.tmp,~$*
> recycle:exclude_dir = %U/Recycle_Bin
>
> ######################################################
> # Standard Shares #
> ######################################################
>
> [Shares]
> path = /srv/samba/Shares
> comment = Parent share sets top level Windows file permission inheritance
> guest ok = no
> read only = no
>
> [Backup]
> path = /srv/samba/Shares/Backup
> comment = Create separate folders, with locked down permissions, for each application
> guest ok = no
> read only = no
>
> [FTL]
> path = /srv/samba/Shares/FTL
> comment = FTL tools and documents to help with on-site service
> guest ok = no
> read only = no
>
> [Software]
> path = /srv/samba/Shares/Software
> comment = Software for installation via GPO
> guest ok = no
> read only = no
>
> [Top]
> path = /srv/samba/Shares/Top
> comment = Top level file share
> guest ok = no
> read only = no
> # Recycle bin
> recycle:repository = Recycle_Bin/%U
> recycle:versions = Yes
> recycle:keeptree = Yes
> recycle:touch = Yes
> recycle:exclude = *.tmp,~$*
> recycle:exclude_dir = Recycle_Bin
What is in the username map ?
Rowland
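
The idmap settings in the quoted smb.conf, worked through as an added example that is not part of the original message or of Samba's code: it parses the `idmap config` lines, checks that the domain ranges do not overlap, and applies the documented idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) to show which Unix ID a given RID should resolve to. The function names are hypothetical, the sample config is constructed from the lines above, and `base_rid` is assumed to be at its default of 0.

```python
import re

# Constructed sample: the idmap lines from the quoted smb.conf.
SMB_CONF = """
idmap config NAME : range = 2000000-2999999
idmap config NAME : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
"""

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    pat = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S+)", re.I)
    for line in conf.splitlines():
        m = pat.match(line)
        if not m:
            continue
        dom, key, val = m.groups()
        entry = domains.setdefault(dom, {})
        if key.lower() == "range":
            low, high = val.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry[key.lower()] = val
    return domains

def overlapping(domains):
    """Pairs of domains whose ID ranges intersect (a misconfiguration)."""
    items = sorted(domains.items())
    return [(a, b) for i, (a, ea) in enumerate(items) for b, eb in items[i + 1:]
            if ea["range"][0] <= eb["range"][1] and eb["range"][0] <= ea["range"][1]]

def rid_to_id(rid, rng, base_rid=0):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID; None if outside the range."""
    unix_id = rid - base_rid + rng[0]
    return unix_id if rng[0] <= unix_id <= rng[1] else None

def id_to_rid(unix_id, rng, base_rid=0):
    """Inverse mapping: RID = ID + BASE_RID - LOW_RANGE_ID; None if outside the range."""
    return unix_id + base_rid - rng[0] if rng[0] <= unix_id <= rng[1] else None

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("overlaps:", overlapping(cfg))
    # RID 513 is the well-known Domain Users group.
    print("RID 513 ->", rid_to_id(513, cfg["NAME"]["range"]))
```

The computed ID can be compared with what `getent group` and `wbinfo` report on the file server; a RID that falls outside the configured range has no mapping under the rid backend.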