[Samba] Client station file permission behavior changes after a week or so

Eric rvwbug at gmail.com
Tue Feb 25 00:46:44 UTC 2020


> Thanks Roland.


Yes, I didn't even look to verify my fileserver is a DC. I must have debated
a few times about the choice and forgot my last decision when installing.

I know it's not recommended to run a fileserver on an AD DC, but hopefully
you can still offer some advice on troubleshooting.

Maybe this isn't even a smb config issue. It could be Windows related???

Here is the actual smb.conf for my fileserver:

# Global settings of the Samba instance on FS01, as posted. The two include
# lines at the end load the share definitions shown further down.
[global]
# "max log size = 0" means no size limit, so the log file needs external
# rotation to keep it from filling the disk.
debug level = 1
logging = file
max log size = 0
netbios name = FS01
# This host is an AD domain controller that also serves file shares (the
# "+s3fs" entry in server services); the post notes this is not recommended.
server role = active directory domain controller
name resolve order = wins host bcast
server string = Univention Corporate Server
server services = -dns -smb +s3fs -nbt
server role check:inhibit = yes
# use nmbd; to disable set samba4/service/nmb to s4
nmbd_proxy_logon:cldap_server=127.0.0.1
workgroup = KIDDLAW
realm = KIDDLAW.LAN
# TLS material for this host. The key file should be readable by root only.
tls enabled = yes
tls keyfile = /etc/univention/ssl/FS01.kiddlaw.lan/private.key
tls certfile = /etc/univention/ssl/FS01.kiddlaw.lan/cert.pem
tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
# ca_and_name: when Samba acts as TLS client it checks both the CA chain and
# the name in the peer certificate.
tls verify peer = ca_and_name
# allow_sasl_over_tls: simple binds and SASL binds without sign/seal are
# accepted on TLS connections; unencrypted connections need SASL with sign
# or seal. "yes" is the stricter value.
ldap server require strong auth = allow_sasl_over_tls
dsdb:schema update allowed = no
max open files = 32808
# smbd listens only on loopback and ens3.
interfaces = lo ens3
bind interfaces only = yes
# Only NTLMv2 responses are accepted; LM and NTLMv1 are refused.
ntlm auth = ntlmv2-only
# NOTE(review): 0 presumably disables the periodic machine account password
# change (default interval is one week) - confirm in smb.conf(5) for the
# installed version.
machine password timeout = 0
# True: smbd does not check the execute permission on "open for execution"
# requests, so clients can run files that lack the execute right.
acl allow execute always = True
kccsrv:samba_kcc = False
debug hirestimestamp = yes
debug pid = yes
winbind separator = +
template shell = /bin/bash
template homedir = /home/%D-%U
idmap config * : backend = tdb
idmap config * : range = 300000-400000
# NOTE(review): the passwd chat value below is split over two lines,
# presumably wrapped by the mail client; in the real file it is likely a
# single line - verify.
passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n
*password*changed*
obey pam restrictions = yes
encrypt passwords = yes
load printers = yes
printing = cups
printcap name = cups
spoolss: architecture = Windows x64
preferred master = yes
local master = yes
domain master = auto
oplocks = yes
large readwrite = yes
read raw = yes
write raw = yes
max xmit = 65535
acl:search = no
host msdfs = yes
kernel oplocks = yes
deadtime = 15
getwd cache = yes
# Symlinks that point outside the exported tree are not followed.
wide links = no
store dos attributes = yes
logon home = \\FS01\%U
logon drive = I:
logon path = \\FS01\%U\windows-profiles\%a
preserve case = yes
short preserve case = yes
# A logon with an unknown user name is not rejected but mapped to the guest
# account (nobody). The shares shown in this post refuse guests, so such a
# session would presumably fail at share access rather than at logon - worth
# checking in the logs when access changes unexpectedly.
guest account = nobody
map to guest = Bad User
# Set in [global], so this is the default for every share: the listed
# accounts perform all file operations as root, bypassing file permissions.
admin users = administrator join-backup
# 0 disables user-defined shares.
usershare max shares = 0
# Share definitions come from these two files.
include = /etc/samba/base.conf
include = /etc/samba/shares.conf


Here is  /etc/samba/base.conf:
# Logon script share of the domain controller. Guests are refused
# (public = no). The share is writable (read only = no) and defines no write
# list, so who may change logon scripts is presumably decided by the ACLs
# kept through acl_xattr - review those ACLs.
[netlogon]
comment = Domain logon service
path = /var/lib/samba/sysvol/kiddlaw.lan/scripts
public = no
preserve case = yes
case sensitive = no
vfs objects = dfs_samba4 acl_xattr
read only = no

# SYSVOL share of the domain controller. Guests are refused (public = no).
# The share is writable and has no write list, so write access is presumably
# limited only by the ACLs stored through acl_xattr - review those ACLs.
[sysvol]
path = /var/lib/samba/sysvol
public = no
preserve case = yes
case sensitive = no
vfs objects = dfs_samba4 acl_xattr
read only = no
acl xattr update mtime = yes

# Per-user home directories, not shown in browse lists. The 0700 masks limit
# the permission bits of new files and directories to the owner.
[homes]
comment = Heimatverzeichnisse
# Hides the windows-profiles directory from listings; hiding is cosmetic and
# does not restrict access.
hide files = /windows-profiles/
browsable = no
read only = no
create mask = 0700
directory mask = 0700
vfs objects = acl_xattr

# Print spool share. Guests are refused and the share is not writable as a
# file share.
[printers]
comment = Drucker
browseable = no
# Spool files are written to /tmp, a directory shared with every other local
# process; a dedicated spool directory is the more usual choice.
path = /tmp
printable = yes
public = no
writable = no
create mode = 0700

# Printer driver share, visible in browse lists, guests refused.
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
browseable = yes
guest ok = no
# "read only = no" already makes the share writable for every authenticated
# user (subject to filesystem permissions), so the write list below does not
# narrow write access. "read only = yes" together with the write list would
# restrict driver uploads to the listed accounts.
read only = no
write list = root, Administrator, @Printer-Admins



Here is /etc/samba/shares.conf
# shares.conf contains only this include, which loads the sharedData share.
include = /etc/samba/shares.conf.d/sharedData


Here is /etc/samba/shares.conf.d/sharedData
# Data share under /srv/shares/sharedData: writable, listed in browse lists,
# guests refused (public = no).
[sharedData]
path = /srv/shares/sharedData
# acl_xattr stores NT ACLs in extended attributes; full_audit logs VFS
# operations. No full_audit:success or full_audit:failure list is shown, so
# what is actually logged depends on module defaults or on settings outside
# this post - confirm.
# NOTE(review): vfs_acl_xattr(8) lists "inherit acls" and "dos filemode"
# among the parameters the module forces on, so "inherit acls = 0" and
# "dos filemode = no" below may not take effect - confirm for the installed
# version.
vfs objects = acl_xattr full_audit
msdfs root = no
writeable = yes
browseable = yes
public = no
dos filemode = no
# Entries a user cannot read are hidden from listings. This affects
# visibility only and is not an access control.
hide unreadable = yes
# Permission-bit masks for new files and directories: group and others keep
# read access (and directory traversal), and nothing is forced on.
create mode = 0744
directory mode = 0755
force create mode = 00
force directory mode = 00
locking = 1
blocking locks = 1
strict locking = Auto
oplocks = 1
level2 oplocks = 1
fake oplocks = 0
csc policy = manual
nt acl support = 1
# As written, new files take neither ACLs, owner nor permission bits from
# the parent directory (see the acl_xattr note above for "inherit acls").
inherit acls = 0
inherit owner = no
inherit permissions = no
# The share is listed only for users who are allowed to access it.
access based share enum = yes
hide dot files = yes
# Names matching these patterns are neither visible nor accessible.
veto files = /.Trashes/._*/.DS_Store/

