[Samba] Setting up ACL definitions in smb.conf for maximum Windows server compatibility

Sat Jan 14 14:45:20 UTC 2023

Hi folks,

Presently I have got an ageing Samba member server (4.10.16) under 
CentOS 7.9, so, I'm setting up a new Samba member server to replace the 
old server. I have made an initial installation with Debian Bookworm, as 
I want to keep at least Samba fairly up to date.

It's a small Samba based domain (Louis' packages 4.15.7) with about 15 
users and a few Windows based production machine controllers. There are 
several groups, where almost everybody has got a specific mix of access 
permissions to different shares. Mostly, a specific group has got full 
permissions on a share, and I want to keep inheritance through Windows 
ACLs, unless otherwise set up for specific folders inside that share.  
Except for data shares, there are user profiles (using folder 
redirection) stored on the old server and they are also going to be 
migrated to the new box. The domain is mostly managed with Microsoft's 
RSAT tools (users/machines/shares/GPOs). There are no Linux users and 
will never be, except administrative user accounts for common Linux 
administration tasks.

I want the shares in the new server to have maximum possible Windows 
server compatibility to minimize quirks and non standard behavior. So I 
kindly ask the list for comments on my configuration.

After carefully reading the Wiki pages and the list, I have come up with 
the following global smb.conf. If you find something that is missing or 
otherwise wrong, I would be very grateful for comments/suggestions. I 
have intentionally left out the shares, as they will be set up later.

Best regards,

Peter

[global]
    realm = SAMDOM.SPLAT
    workgroup = SAMDOM
    security = ads
    server role = member server
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    winbind refresh tickets = yes
    restrict anonymous = 2

    client signing = mandatory

    disable netbios = yes
    smbports = 445

    idmap config * : backend = tdb
    idmap config * : range = 3000-9999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-99999

    template homedir = /home/%U
    template shell = /sbin/nologin

    username map = /etc/samba/user.map

    vfs objects = acl_xattr
    acl group control = yes
    inherit owner = windows and linux
    inherit acls = yes
    map acl inherit = yes

#NOTE!!! NO during setup, YES during operation
#  acl_xattr:ignore system acls = yes

    disable spoolss = yes
    printcap name = /dev/null

    log level = 1
    timestamp logs = yes
    debug uid = yes
    debug timestamp = yes

#NOTE!!! YES during testing, NO during operation
    winbind enum groups = yes
    winbind enum users = yes

# Do something sensible when Samba crashes: mail the admin a backtrace
    panic action = /usr/share/samba/panic-action %d