[Samba] editing samba-share ACLs etc from Windows

Stefan G. Weichinger lists at xunil.at
Thu Oct 20 08:28:02 UTC 2022


On 19.10.22 at 19:07, Rowland Penny via samba wrote:
> 
> 
> On 19/10/2022 17:25, Stefan G. Weichinger via samba wrote:
>> I thought 4.16.5, wanted to write 4.16.x to avoid the minor release 
>> and failed completely.
> 
> Don't worry, I do similar things all the time, I know what I want to 
> type, but it doesn't always get through to my fingers, I think it is 
> called old age ;-)

Ah, that could be, yes ;-)

> In which case it should work, so let's start with the smb.conf and the 
> permissions set on the shares path.

This is a smb.conf the list has seen several times already ;-)

Debian 11.5, btw

I quote the conf, and only the main share for a first view. And I edit 
the realm etc.

This is a grown config over years, so there are many commented lines in 
there already.

->

# cat /etc/samba/smb.conf
# This file is managed remotely, all changes will be lost

[global]
workgroup = BUERO
realm = MYDOM.AT
netbios name = SERVER

security = ADS
map to guest = Bad User
username map = /etc/samba/smbusers

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes

#winbind enum users = Yes
#winbind enum groups = Yes
winbind use default domain = yes

winbind offline logon = yes

# Use settings from AD for login shell and home directory
winbind nss info = template
template shell = /bin/bash
template homedir = /mnt/samba/Daten/%U

# obsolete with 4.8.x
#map untrusted to domain = Yes
#winbind trusted domains only = no

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999

# idmap config for domain BUERO
idmap config BUERO:backend = rid
idmap config BUERO:range = 10000-99999

load printers = no
printing = bsd
printcap name = /dev/null

# turn off roaming profiles
logon path = ""
logon home = ""

hosts allow = localhost 192.168.16. 172.32.99.

log level = 1
log file = /var/log/samba/%m.log
max log size = 150000

# server min protocol = SMB2
# server max protocol = SMB2

#strict sync = yes
	
# ACLs
	store dos attributes = Yes
	map acl inherit = Yes
	#vfs objects = acl_xattr full_audit
	vfs objects = acl_xattr

# Audit settings
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:facility = local5
full_audit:priority = notice

# 2021-dec-30 allow domain admin in
min domain uid = 0


[homes]
	comment                        = Home Directory
	guest ok                       = no
	read only                      = no
	valid users                    = %S
         invalid users = root, bin, daemon, adm, sync, shutdown, halt, mailnewsuucp, operator
         browseable = No

[daten]
	comment = Daten
	path = /mnt/samba/
	read only = No
	create mask = 0775
	directory mask = 02775
	force directory mode = 0775
	#wide links = yes
	#veto oplock files = /*.DAT/*.dat/
	#oplocks = False
	#level2 oplocks = False


