[Samba] editing samba-share ACLs etc from Windows

Rowland Penny rpenny at samba.org
Thu Oct 20 09:13:37 UTC 2022



On 20/10/2022 09:28, Stefan G. Weichinger via samba wrote:

> This is a smb.conf the list has seen several times already ;-)
> 
> Debian 11.5, btw
> 
> I quote the conf, and only the main share for a first view. And I edit 
> the realm etc
> 
> This is a grown config over years, so there are many commented lines in 
> there already.
> 
> ->
> 
> # cat /etc/samba/smb.conf
> # This file is managed remotely, all changes will be lost
> 
> [global]
> workgroup = BUERO
> realm = MYDOM.AT
> netbios name = SERVER
> 
> security = ADS
> map to guest = Bad User
> username map = /etc/samba/smbusers
> 
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> 
> #winbind enum users = Yes
> #winbind enum groups = Yes
> winbind use default domain = yes
> 
> winbind offline logon = yes
> 
> # Use settings from AD for login shell and home directory
> winbind nss info = template

That is interesting, mainly because you are using the idmap 'rid' 
backend, you can only use rfc2307 attributes from AD if you use the 
idmap 'ad' backend, so you might as well remove those two lines.

> template shell = /bin/bash
> template homedir = /mnt/samba/Daten/%U
> 
> # obsolete with 4.8.x
> #map untrusted to domain = Yes
> #winbind trusted domains only = no
> 
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> 
> # idmap config for domain BUERO
> idmap config BUERO:backend = rid
> idmap config BUERO:range = 10000-99999
> 
> load printers = no
> printing = bsd
> printcap name = /dev/null
> 
> # turn off roaming profiles
> logon path = ""
> logon home = ""
> 
> hosts allow = localhost 192.168.16. 172.32.99.
> 
> log level = 1
> log file = /var/log/samba/%m.log
> max log size = 150000
> 
> # server min protocol = SMB2
> # server max protocol = SMB2
> 
> #strict sync = yes
> 
> # ACLs
>      store dos attributes = Yes
>      map acl inherit = Yes
>      #vfs objects = acl_xattr full_audit
>      vfs objects = acl_xattr
> 
> # Audit settings
> full_audit:prefix = %u|%I|%m|%S
> full_audit:failure = connect
> full_audit:success = mkdir rmdir read pread write pwrite rename unlink
> full_audit:facility = local5
> full_audit:priority = notice
> 

You might as well comment out the audit settings, you are not using them.

> # 2021-dec-30 allow domain admin in
> min domain uid = 0
> 
> 
> [homes]
>      comment                        = Home Directory
>      guest ok                       = no
>      read only                      = no
>      valid users                    = %S
>          invalid users = root, bin, daemon, adm, sync, shutdown, halt, 
> mailnewsuucp, operator
>          browseable = No
> 
> [daten]
>      comment = Daten
>      path = /mnt/samba/
>      read only = No
>      create mask = 0775
>      directory mask = 02775
>      force directory mode = 0775
>      #wide links = yes
>      #veto oplock files = /*.DAT/*.dat/
>      #oplocks = False
>      #level2 oplocks = False
> 

OK, where does it say to add all those extra lines to the share ? It 
certainly doesn't say it here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

You didn't post the share permissions I asked for, is it possible you 
can do so ?

Rowland
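As an added example (not from the thread or from the Samba project), a small Python lint that parses an smb.conf excerpt modelled on the one quoted above and reports the three points Rowland raises: full_audit parameters while the module is not in 'vfs objects', rfc2307 NSS info with a 'rid' idmap backend, and mask/mode lines on a share that relies on acl_xattr; the parser, the finding texts and the sample text are my own, and treating the mask/mode lines as extras follows Rowland's reading of the wiki page.

```python
from collections import defaultdict
# Constructed excerpt modelled on the smb.conf quoted in the thread (not the full file).
SAMPLE_SMB_CONF = """\
[global]
winbind nss info = template
idmap config *:backend = tdb
idmap config BUERO:backend = rid
     vfs objects = acl_xattr
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
[daten]
     path = /mnt/samba/
     read only = No
     create mask = 0775
     directory mask = 02775
     force directory mode = 0775
"""
# Share-level mask/mode lines absent from the Windows-ACLs wiki recipe (per Rowland's reading of it)
MASK_OPTIONS = {"create mask", "directory mask", "force create mode", "force directory mode"}

def parse_smb_conf(text):
    # Returns {section: {option: value}}; names lower-cased, inner whitespace collapsed
    conf, section = defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # skip blank and comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)  # later duplicates overwrite earlier ones
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def lint(conf):
    # Returns findings as (section, option, message) tuples
    findings, g = [], conf.get("global", {})
    vfs = g.get("vfs objects", "").lower().split()
    if "full_audit" not in vfs:  # full_audit:* parameters do nothing unless the module is loaded
        findings += [("global", k, "full_audit parameter set but module not in 'vfs objects'")
                     for k in g if k.startswith("full_audit:")]
    # rfc2307 attributes come only via the 'ad' backend; 'rid' derives IDs from the RID
    rid_domains = [k.split()[2].split(":")[0] for k, v in g.items()
                   if k.startswith("idmap config") and k.endswith(":backend") and v.lower() == "rid"]
    if rid_domains and g.get("winbind nss info", "template").lower() != "template":
        findings.append(("global", "winbind nss info",
                         "needs idmap 'ad'; these domains use 'rid': " + ", ".join(rid_domains)))
    if "acl_xattr" in vfs:  # shares relying on acl_xattr for Windows ACLs: no mask/mode overrides
        for sec, opts in conf.items():
            findings += [(sec, k, "mask/mode line not in the Windows ACLs share recipe")
                         for k in opts if sec != "global" and k in MASK_OPTIONS]
    return findings
```

Running `lint(parse_smb_conf(open("/etc/samba/smb.conf").read()))` on a real file prints nothing for a share set up exactly as the wiki describes.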
