[Samba] Setting up ACL definitions in smb.conf for maximum Windows server compatibility
Peter Milesson
miles at atmos.eu
Sat Jan 14 14:45:20 UTC 2023
Hi folks,
Presently I have got an ageing Samba member server (4.10.16) under
CentOS 7.9, so I'm setting up a new Samba member server to replace the
old server. I have made an initial installation with Debian Bookworm, as
I want to keep at least Samba fairly up to date.
It's a small Samba based domain (Louis' packages 4.15.7) with about 15
users and a few Windows based production machine controllers. There are
several groups, where almost everybody has got a specific mix of access
permissions to different shares. Mostly, a specific group has got full
permissions on a share, and I want to keep inheritance through Windows
ACLs, unless otherwise set up for specific folders inside that share.
Except for data shares, there are user profiles (using folder
redirection) stored on the old server and they are also going to be
migrated to the new box. The domain is mostly managed with Microsoft's
RSAT tools (users/machines/shares/GPOs). There are no Linux users and
will never be, except administrative user accounts for common Linux
administration tasks.
I want the shares in the new server to have maximum possible Windows
server compatibility to minimize quirks and non-standard behavior. So I
kindly ask the list for comments on my configuration.
After carefully reading the Wiki pages and the list, I have come up with
the following global smb.conf. If you find something that is missing or
otherwise wrong, I would be very grateful for comments/suggestions. I
have intentionally left out the shares, as they will be set up later.
Best regards,
Peter
[global]
realm = SAMDOM.SPLAT
workgroup = SAMDOM
security = ads
server role = member server
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind refresh tickets = yes
restrict anonymous = 2
client signing = mandatory
disable netbios = yes
smb ports = 445
idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-99999
template homedir = /home/%U
template shell = /sbin/nologin
username map = /etc/samba/user.map
vfs objects = acl_xattr
acl group control = yes
inherit owner = windows and linux
inherit acls = yes
map acl inherit = yes
#NOTE!!! NO during setup, YES during operation
# acl_xattr:ignore system acls = yes
disable spoolss = yes
printcap name = /dev/null
log level = 1
timestamp logs = yes
debug uid = yes
debug timestamp = yes
#NOTE!!! YES during testing, NO during operation
winbind enum groups = yes
winbind enum users = yes
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
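One way to sanity-check a [global] section like the one above before handing it to Samba, as an added example that is not part of the original mail: a small Python lint that parses the section, flags a parameter written without Samba's documented spacing (for instance "smbports" where the parameter is "smb ports"), checks that acl_xattr is listed in vfs objects, and checks that the idmap ranges of the default and domain backends do not overlap. The KNOWN set and the sample text are constructed for this example; KNOWN is only a subset of Samba's parameters, so a key missing from it is not reported as unknown.

```python
import re

# Constructed sample: the ACL- and idmap-related lines of the [global] section from the post.
SAMPLE_CONF = """\
[global]
smbports = 445
idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-99999
vfs objects = acl_xattr
"""

# Documented spelling of the parameters the post uses (a subset, enough for the typo check).
KNOWN = {"security", "server role", "smb ports", "vfs objects", "map acl inherit",
         "inherit acls", "acl group control", "acl_xattr:ignore system acls"}

def parse_global(text):
    """Return {normalised key: value} for [global]; blank and comment lines are skipped."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint(params):
    """Return findings: misspelt parameters, missing acl_xattr, overlapping idmap ranges."""
    findings = []
    squashed = {k.replace(" ", ""): k for k in KNOWN}  # e.g. "smbports" -> "smb ports"
    for key in params:
        if key not in KNOWN and key in squashed:
            findings.append(f"'{key}' looks like a misspelling of '{squashed[key]}'")
    if "acl_xattr" not in params.get("vfs objects", "").split():
        findings.append("vfs objects lacks acl_xattr: Windows ACLs would not be stored")
    ranges = {}  # idmap domain -> (low, high) taken from 'idmap config DOM : range'
    for key, value in params.items():
        if m := re.fullmatch(r"idmap config (\S+) : range", key):
            ranges[m.group(1)] = tuple(int(x) for x in value.split("-"))
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap")
    return findings
```

Running lint(parse_global(SAMPLE_CONF)) reports only the "smbports" spelling; with the line corrected to "smb ports" the sample produces no findings.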