[Samba] Errors for shares since 4.12.0
Rowland Penny
rpenny at samba.org
Tue Mar 10 09:23:36 UTC 2020
On 10/03/2020 08:03, Andreas Hauffe via samba wrote:
> We have a kerberized NFS4 running on that machine, too.
I do hope that you are not resharing the NFS share(s) via Samba, that
way lies madness ;-)

Try this smb.conf:

[global]
    workgroup = SUBDOM
    realm = SUBDOM.DOM.EXAMPLE.COM
    security = ADS
    bind interfaces only = Yes
    interfaces = lo enp1s0f0
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = Yes
    idmap config SUBDOM : range = 3000-9999
    idmap config SUBDOM : backend = rid
    idmap config * : range = 2000-2999
    idmap config * : backend = tdb
    template homedir = /home/users/linux/%U
    template shell = /bin/bash
    map acl inherit = Yes
    vfs objects = acl_xattr
    smb encrypt = desired
    recycle:exclude_dir = tmp | temp | cache
    recycle:exclude = *.TMP | *.tmp | ~$*.doc
    recycle:noversions = *.ini | *.dat
    recycle:versions = Yes
    recycle:maxsize = 536870912
    recycle:touch = Yes
    recycle:keeptree = Yes
    recycle:directory_mode = 0700
    recycle:repository = %H/.Papierkorb/%S

[share1]
    comment = Share 1
    create mask = 0740
    directory mask = 0750
    force create mode = 0660
    force directory mode = 0660
    force group = SUBDOM\worker
    inherit permissions = Yes
    path = PATHNAME
    read only = No
    root preexec = /bin/MK_PAPIERKORB %H "%u" %h %S
    valid users = SUBDOM\worker
    vfs objects = acl_xattr recycle crossrename

[share2]
    comment = Share 2
    inherit acls = Yes
    path = PATHNAME
    read only = No
    valid users = SUBDOM\worker SUBDOM\user
    acl_xattr:ignore system acls = yes

[share3]
    comment = Share 3
    create mask = 0660
    directory mask = 0770
    force create mode = 0660
    force directory mode = 0770
    force group = SUBDOM\group2
    path = PATHNAME
    read only = No
    root preexec = /bin/MK_PAPIERKORB %H "%u" %h %S
    valid users = SUBDOM\group2
    vfs objects = acl_xattr recycle crossrename

[share4]
    comment = Share 4
    path = PATHNAME
    valid users = SUBDOM\group2 SUBDOM\group3 SUBDOM\group4

You will notice a few things:

'dom' has gone; whilst allowing it as a trusted domain, you were not
allowing the 'dom' users to actually do anything.

'winbind separator = +' has gone; there is no real point to it and
'testparm' throws a warning.

As you are using the same recycle lines, you only need to set them once
in [global] and set the recycle vfs in the required shares.

I would also check that /etc/krb5.keytab contains all the required keys.

Rowland
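
Added example, not part of the original message: a small Python sketch of how the layout above resolves per share. The recycle:* options set once in [global] are inherited everywhere, but a share's own 'vfs objects' line replaces the global one, so recycle is only active where it is listed. The parser and its function names are hypothetical helpers, and the sample is a constructed excerpt of the config above.

```python
# Constructed excerpt of the smb.conf from the message (PATHNAME as on the page).
SAMPLE = r"""
[global]
    vfs objects = acl_xattr
    recycle:keeptree = Yes
    recycle:repository = %H/.Papierkorb/%S
[share1]
    path = PATHNAME
    vfs objects = acl_xattr recycle crossrename
[share2]
    path = PATHNAME
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: sections, 'key = value' lines, # and ; comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Simplification: lower-case the name and collapse inner whitespace.
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def recycle_report(sections):
    """Effective recycle state per share: [global] defaults, share overrides."""
    report = {}
    for name, params in sections.items():
        if name == "global":
            continue
        eff = {**sections.get("global", {}), **params}  # share value wins
        modules = eff.get("vfs objects", "").split()
        report[name] = {
            "modules": modules,
            "recycle_active": "recycle" in modules,
            "recycle_options": {k: v for k, v in eff.items()
                                if k.startswith("recycle:")},
        }
    return report

if __name__ == "__main__":
    for share, info in recycle_report(parse_smb_conf(SAMPLE)).items():
        print(share, info["modules"], "recycle active:", info["recycle_active"])
```

On a live server, 'testparm -s' prints the configuration as Samba itself parses it and is the authoritative check.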