[Samba] Errors for shares since 4.12.0

Rowland Penny rpenny at samba.org
Tue Mar 10 09:23:36 UTC 2020


On 10/03/2020 08:03, Andreas Hauffe via samba wrote:
> We have a kerberized NFS4 running on that machine, too.
I do hope that you are not resharing the NFS share(s) via Samba; that 
way lies madness ;-)

Try this smb.conf:

[global]
         workgroup = SUBDOM
         realm = SUBDOM.DOM.EXAMPLE.COM
         security = ADS

         bind interfaces only = Yes
         interfaces = lo enp1s0f0
         dedicated keytab file = /etc/krb5.keytab
         kerberos method = secrets and keytab
         winbind refresh tickets = Yes
         idmap config SUBDOM : range = 3000-9999
         idmap config SUBDOM : backend = rid
         idmap config * : range = 2000-2999
         idmap config * : backend = tdb
         template homedir = /home/users/linux/%U
         template shell = /bin/bash
         map acl inherit = Yes
         vfs objects = acl_xattr
         smb encrypt = desired

         recycle:exclude_dir = tmp | temp | cache
         recycle:exclude = *.TMP | *.tmp | ~$*.doc
         recycle:noversions = *.ini | *.dat
         recycle:versions = Yes
         recycle:maxsize = 536870912
         recycle:touch = Yes
         recycle:keeptree = Yes
         recycle:directory_mode = 0700
         recycle:repository = %H/.Papierkorb/%S

[share1]
         comment = Share 1
         create mask = 0740
         directory mask = 0750
         force create mode = 0660
         force directory mode = 0660
         force group = SUBDOM\worker
         inherit permissions = Yes
         path = PATHNAME
         read only = No
         root preexec = /bin/MK_PAPIERKORB %H "%u" %h %S
         valid users = SUBDOM\worker
         vfs objects = acl_xattr recycle crossrename

[share2]
         comment = Share 2
         inherit acls = Yes
         path = PATHNAME
         read only = No
         valid users = SUBDOM\worker SUBDOM\user
         acl_xattr:ignore system acls = yes

[share3]
         comment = Share 3
         create mask = 0660
         directory mask = 0770
         force create mode = 0660
         force directory mode = 0770
         force group = SUBDOM\group2
         path = PATHNAME
         read only = No
         root preexec = /bin/MK_PAPIERKORB %H "%u" %h %S
         valid users = SUBDOM\group2
         vfs objects = acl_xattr recycle crossrename

[share4]
         comment = Share 4
         path = PATHNAME
         valid users = SUBDOM\group2 SUBDOM\group3 SUBDOM\group4

You will notice a few things:

'dom' has gone; whilst allowing it as a trusted domain, you were not 
allowing the 'dom' users to actually do anything.

'winbind separator = +' has gone; there is no real point to it and 
'testparm' throws a warning.

As you are using the same recycle lines, you only need to set them once 
in [global] and set the recycle vfs in the required shares.

I would also check that /etc/krb5.keytab contains all the required keys.

Rowland
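
Added example (not part of the original message and not Samba project code): a small Python check for the layout described above, where module options sit in [global] and each share names its own modules. It relies on the fact that a share-level 'vfs objects' line replaces the [global] list rather than extending it. The sample config and the function names are constructed for illustration, and 'include'/'copy' directives are not handled.

```python
# Constructed sample, cut down from the layout in the message; share3 is a deliberate mistake.
SAMPLE = """
[global]
    vfs objects = acl_xattr
    recycle:keeptree = Yes
    idmap config SUBDOM : backend = rid
[share1]
    vfs objects = acl_xattr recycle crossrename
[share2]
    acl_xattr:ignore system acls = yes
[share3]
    vfs objects = recycle crossrename
    acl_xattr:ignore system acls = yes
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lower-cased names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def audit_vfs(conf):
    """Map each share to (effective vfs objects, findings).

    A share-level 'vfs objects' overrides the [global] value; it is not merged.
    """
    g = conf.get("global", {})
    base = g.get("vfs objects", "").split()
    report = {}
    for name, params in conf.items():
        if name == "global":
            continue
        effective = params.get("vfs objects", g.get("vfs objects", "")).split()
        findings = [f"global module '{m}' dropped" for m in base if m not in effective]
        prefixes = {k.split(":", 1)[0] for k in params if ":" in k}
        findings += [f"'{p}:' options set but module not loaded"
                     for p in sorted(prefixes) if p not in effective]
        report[name] = (effective, findings)
    return report
```

Running audit_vfs(parse_smb_conf(...)) over a real smb.conf gives a quick list of shares where ACL handling differs from the global default; 'testparm -s' remains the authoritative view of what smbd will load.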




