[Samba] Setting up ACL definitions in smb.conf for maximum Windows server compatibility

Sat Jan 14 19:00:35 UTC 2023

On 14.01.2023 18:50, Rowland Penny via samba wrote:
>
>
> On 14/01/2023 17:22, Peter Milesson via samba wrote:
>
>> Hi Rowland,
>>
>> Thanks for the input.
>>
>> The DC with Louis' packages will be next in line for replacement. I 
>> have noticed there have not been any updates for quite a while.
>>
>> I wasn't aware that the rid backend makes all AD users Linux users. 
>> It is definitely not clear from the Wiki. Will it pose a problem with 
>> compatibility on Windows workstations when accessing the shares?
>
> It would be a bigger problem if your users (and groups) didn't have 
> Linux ID's
>
> The 'rid' idmap backend calculates the Linux ID from the AD objects 
> RID, so if you use the same basic smb.conf on all Samba machines, the 
> user or group will always get the same Linux ID. To get this all to 
> work, you need to set up nsswitch.
>
> One other thing you need to be aware of, unlike earlier versions of 
> Samba, you do not create local Unix users, you just create users and 
> groups in AD and Samba will map them to Unix ones.
>
>> Will there be any limitations, or otherwise crippled behavior? 
>> Anyway, there will be no access allowed to the server outside Samba, 
>> except for Linux administration tasks. Is there a simple way to 
>> migrate to ad backend from rid? 
>
> You would still have the same non problem, for your users to store 
> data on the Unix domain member, they need to be known to the Linux 
> machine, so you would have to give every user a uidNumber attribute 
> and Domain Users would have to have a gidNumber attribute.
>
>> Otherwise I see a daunting task before me setting new permissions on 
>> everything according to each user's permission mix.
>
> Which is why you set them via Windows and use groups.
>
>>
>> So the two lines
>>
>>     vfs objects = acl_xattr
>>     map acl inherit = yes
>>
>> are actually sufficient for getting the best Windows server 
>> compatibility, without the other options?
>
> Yes, one of the lines is actually set for you because of the 
> vfs_objects line and you do not need the others if you set the 
> permissions from Windows.
>
>>
>> I have never used anything else than the RSAT tools (AD, DNS, GPO) to 
>> manage the share permissions on the existing server. I have no 
>> intention to use anything else on the new server, unless absolutely 
>> required.
>>
>> About setting up the profile share, I would very much try to avoid 
>> using roaming user profiles. I have been using folder redirection for 
>> quite some years, and it is definitely much more efficient than 
>> roaming profiles. There are quite a few users that insist in 
>> cluttering their desktops with 10's of GB of files, even if I tell 
>> them 500 times, that they shouldn't be surprised that it takes 
>> several minutes before they are logged in. With folder redirection 
>> that problem is gone.
>
> We have a page for that as well:
>
> https://wiki.samba.org/index.php/Configuring_Windows_Profile_Folder_Redirections 
>
>
> Rowland
>
>
Hi Rowland,

Thanks for the information. It clears up things a bit.

I just took the smb.conf from the old server, peeled off some lines, and 
it was that one I presented in my original post. I assume I could just 
use the smb.conf with your suggested changes and continue setting up the 
shares. Joining the new server to the domain was successful, although 
when using samba-tool, there were quite a few error messages (mostly 
missing files and directories). Using net join was however successful.

I still have one question. In the old smb.conf I had set the parameter 
"winbind expand groups = 4". When I introduced it into the smb.conf on 
the new server, I get exactly the same result from getent group on both 
servers. But if I leave it out, there are no group members displayed. Is 
it just "cosmetics" for applications like getent, or are there 
implications if I leave it out, that is, different client behavior?

When I previously set up folder redirection, I used the Wiki page you 
are referring to, plus the Microsoft documentation.

Many thanks Rowland,

Peter