[Samba] Windows ACLs

Rowland Penny rpenny at samba.org
Thu Sep 22 20:44:12 UTC 2022



On 22/09/2022 21:31, Sonic wrote:
> On Thu, Sep 22, 2022 at 2:58 PM Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>> You need to reset the 'idmap config' lines, I presume 'quinine' is the
>> hostname of the Unix domain member, if so, remove the two idmap config
>> lines that mention 'quinine' and I suggest you use the ranges on the
>> wiki (at least as a starting point) they are known to work.
> 
> Those changes made no difference. Same results.
> I think at one time it was recommended to have a range for the local
> host, not sure if it was ever used.

Did you run 'net cache flush'?

Also, it has never been recommended to have a range for the local host 
when running 'security = ADS'.

This is my working smb.conf:

[global]
   workgroup = SAMDOM
   security = ADS
   realm = SAMDOM.EXAMPLE.COM

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   server string = Samba Client %h

   winbind use default domain = yes
   winbind expand groups = 2
   winbind refresh tickets = Yes
   disable netbios = yes
   dns proxy = no

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend  = rid
   idmap config SAMDOM : range = 10000-999999
   template shell = /bin/bash
   template homedir = /home/%U

   # user Administrator workaround, without it you are unable to set privileges
   username map = /etc/samba/user.map

   vfs objects = acl_xattr
   map acl inherit = Yes

   # Comment the following 4 lines to act as a print server
   printcap name = /dev/null
   load printers = no
   disable spoolss = yes
   printing = bsd

   # logging
   log level = 3
   log file = /var/log/samba/%m.log
   logging = file

   min domain uid = 0
   host msdfs = yes
   map to guest = bad user

Rowland
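
An added example, not part of the message above and not Samba's own tooling: a small checker for the 'idmap config' lines discussed in this thread. It flags idmap domains that are neither '*' nor the workgroup (such as a hostname) and overlapping ranges. The function names are hypothetical, a single-domain member is assumed, and the QUININE range values are constructed.

```python
import re

# Matches e.g. "idmap config SAMDOM : range = 10000-999999"
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)

def parse_idmap(conf_text):
    """Return (workgroup, {domain: {"backend": str, "range": (low, high)}})."""
    workgroup, domains = None, {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # smb.conf comment lines
            continue
        if (m := WORKGROUP_RE.match(line)):
            workgroup = m.group(1).upper()
        if not (m := IDMAP_RE.match(line)):
            continue
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        if key == "range":
            value = tuple(int(n) for n in value.split("-"))
        domains.setdefault(domain, {})[key] = value
    return workgroup, domains

def check_idmap(conf_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    workgroup, domains = parse_idmap(conf_text)
    findings = [] if "*" in domains else ["no default 'idmap config *' domain"]
    for name in domains:
        # Assumption: single-domain member, so only '*' and the workgroup are expected.
        if name not in ("*", workgroup):
            findings.append(f"'{name}' is neither '*' nor workgroup '{workgroup}'")
    ranged = sorted((d["range"], n) for n, d in domains.items() if "range" in d)
    for ((_, hi1), n1), ((lo2, _), n2) in zip(ranged, ranged[1:]):
        if lo2 <= hi1:   # next range starts inside the previous one
            findings.append(f"ranges for '{n1}' and '{n2}' overlap")
    return findings

# Constructed sample: the QUININE lines and their range are made up for illustration.
SAMPLE = """[global]
   workgroup = SAMDOM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
   idmap config QUININE : backend = tdb
   idmap config QUININE : range = 5000-9999
"""

if __name__ == "__main__":
    print("\n".join(check_idmap(SAMPLE)) or "nothing flagged")
```

On a member server with trusted domains, an extra idmap domain is legitimate, so treat the first kind of finding as a prompt to review rather than an error.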


