[Samba] Setting up ACL definitions in smb.conf for maximum Windows server compatibility
Rowland Penny
rpenny at samba.org
Sat Jan 14 15:39:38 UTC 2023
On 14/01/2023 14:45, Peter Milesson via samba wrote:
> Hi folks,
>
> Presently I have got an ageing Samba member server (4.10.16) under
> CentOS 7.9, so, I'm setting up a new Samba member server to replace the
> old server. I have made an initial installation with Debian Bookworm, as
> I want to keep at least Samba fairly up to date.
You are now ahead on the OS (bookworm hasn't been released yet).
>
> It's a small Samba based domain (Louis' packages 4.15.7)
And behind with Samba, the latest is 4.17.4
I also cannot recommend using Louis's repo, it hasn't been updated for
quite some time and it might never be updated again.
I suggest that you use Debian Bullseye and Samba from backports, this
will get you Samba 4.17.4
> with about 15
> users and a few Windows based production machine controllers. There are
> several groups, where almost everybody has got a specific mix of access
> permissions to different shares. Mostly, a specific group has got full
> permissions on a share, and I want to keep inheritance through Windows
> ACLs, unless otherwise set up for specific folders inside that share.
> Except for data shares, there are user profiles (using folder
> redirection) stored on the old server and they are also going to be
> migrated to the new box. The domain is mostly managed with Microsoft's
> RSAT tools (users/machines/shares/GPOs). There are no Linux users and
> will never be, except administrative user accounts for common Linux
> administration tasks.
You are a bit wrong there, because you are using the 'rid' idmap
backend, all your AD users will be Linux users.
>
> I want the shares in the new server to have maximum possible Windows
> server compatibility to minimize quirks and non standard behavior. So I
> kindly ask the list for comments on my configuration.
As you have only Windows clients, I suggest you set the permissions from
Windows, see here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
and here:
https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
Because of the above, I would remove a few lines from your smb.conf:
acl group control = yes
inherit owner = windows and linux
inherit acls = yes
When creating your shares, only add the lines shown in the links above.
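
Added example, not part of the original message and not Samba project code: a small Python check that reports where the three parameters named above are set in an smb.conf, so they can be removed before the ACLs are set from Windows. The sample configuration, its share names and paths, and the function names are constructed for illustration.

```python
import re

# The three parameters the reply above suggests removing.
FLAGGED = {"aclgroupcontrol", "inheritowner", "inheritacls"}

# Constructed sample smb.conf (not the poster's real file).
SAMPLE = """\
[global]
    workgroup = SAMDOM
    ; inherit acls = yes   (commented out, must be ignored)

[Data]
    path = /srv/samba/data
    ACL Group Control = yes
    inherit  owner = windows and linux

[Profiles]
    path = /srv/samba/profiles
    inherit acls = \\
        yes
"""


def normalise(name):
    """smb.conf ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", name).lower()


def find_flagged(text):
    """Return (section, parameter, value, line_no) for each flagged setting."""
    hits, section, pending, start = [], None, "", 0
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = line_no                # first line of a logical line
        line = pending + raw.strip()
        if line.endswith("\\"):            # continuation: join with next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        name, sep, value = line.partition("=")
        if sep and normalise(name) in FLAGGED:
            hits.append((section, " ".join(name.split()).lower(), value.strip(), start))
    return hits
```

Calling find_flagged() on the text of the real smb.conf lists each share section that still carries one of the three settings, with the line number where the setting starts.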