[Samba] Client station file permission behavior changes after a week or so

Rowland penny rpenny at samba.org
Tue Feb 25 08:59:42 UTC 2020

On 25/02/2020 00:46, Eric via samba wrote:
> Yes, I didn't even look to verify my fileserver is a DC. I must have debated
> a few times about the choice and forgot my last decision when installing.
> I know it's not recommended to run a fileserver on an AD DC, but hopefully
> you can still offer some advice on troubleshooting.
OK, if they are as on disk, who added all the rubbish lines that, in my
opinion, have no place in a Samba AD DC smb.conf?

Try this smb.conf:

[global]
netbios name = FS01
server role = active directory domain controller
server services = -dns
workgroup = KIDDLAW
server string = Univention Corporate Server

log level = 1
logging = file
tls keyfile = /etc/univention/ssl/FS01.kiddlaw.lan/private.key
tls certfile = /etc/univention/ssl/FS01.kiddlaw.lan/cert.pem
tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
ldap server require strong auth = allow_sasl_over_tls

max open files = 32808
interfaces = lo ens3
bind interfaces only = yes

template shell = /bin/bash
template homedir = /home/%D-%U

load printers = yes
printing = cups
printcap name = cups
spoolss: architecture = Windows x64
max xmit = 65535

[netlogon]
comment = Domain logon service
path = /var/lib/samba/sysvol/kiddlaw.lan/scripts
read only = no

[sysvol]
path = /var/lib/samba/sysvol
read only = no

[homes]
comment = Heimatverzeichnisse
hide files = /windows-profiles/
browsable = no
read only = no
create mask = 0700
directory mask = 0700

[printers]
comment = Drucker
browseable = no
path = /tmp
printable = yes
create mode = 0700

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
read only = no

# The share name for this section is missing from the archived message;
# SHARE_NAME is a placeholder.
[SHARE_NAME]
path = /srv/shares/sharedData
read only = no
hide unreadable = yes
veto files = /.Trashes/._*/.DS_Store/

Then read this:


It is the only way you can use a DC as a fileserver.
