[Samba] Setting up ACL definitions in smb.conf for maximum Windows server compatibility

Rowland Penny rpenny at samba.org
Sat Jan 14 19:20:11 UTC 2023

On 14/01/2023 19:00, Peter Milesson via samba wrote:
> Hi Rowland,
> Thanks for the information. It clears up things a bit.
> I just took the smb.conf from the old server, peeled off some lines, and 
> it was that one I presented in my original post. I assume I could just 
> use the smb.conf with your suggested changes and continue setting up the 
> shares. Joining the new server to the domain was successful, although 
> when using samba-tool, there were quite a few error messages (mostly 
> missing files and directories). Using net join was however successful.

For quite a few years, joining a Unix domain member with samba-tool did 
not work at all; you got something, but nobody knew quite what it was, 
but it wasn't a Unix domain member. This was fixed about 18 months ago 
(supposedly), but I still find it easier to run 'net ads join'.

> I still have one question. In the old smb.conf I had set the parameter 
> "winbind expand groups = 4". When I introduced it into the smb.conf on 
> the new server, I get exactly the same result from getent group on both 
> servers. But if I leave it out, there are no group members displayed. Is 
> it just "cosmetics" for applications like getent, or are there 
> implications if I leave it out, that is, different client behavior?

What 'winbind expand groups' does is set the depth to which nested 
groups are searched; the larger the number, the deeper it goes and the 
more time it takes. Setting it to '0' (or removing the line, which is 
the same) stops group membership being queried.

> When I previously set up folder redirection, I used the Wiki page you 
> are referring to, plus the Microsoft documentation.

Was there something missing from our wiki page?
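
A simplified model of the depth limit that 'winbind expand groups' sets, added here as an illustration; it is not winbindd's code and not part of the original message. The group names, the directory contents and the `expand_group` function are constructed, and the model assumes one lookup per group per level.

```python
# Simplified model of depth-limited nested-group expansion.
# Illustration only: this is not winbindd's implementation.

# Constructed sample directory: group name -> direct members.
# Any member that is also a key is a nested group; anything else is a user.
GROUPS = {
    "staff-grp": ["alice", "it-grp"],
    "it-grp": ["bob", "admins-grp"],
    "admins-grp": ["carol", "staff-grp"],  # nesting loop back to staff-grp
}


def expand_group(name, max_depth, directory=GROUPS):
    """Return (sorted user members, group lookups) within max_depth levels."""
    users = set()
    seen = {name}          # groups already queued, so loops terminate
    current = [name]
    lookups = 0
    for _ in range(max_depth):
        next_level = []
        for group in current:
            lookups += 1   # one membership query per group (assumption)
            for member in directory.get(group, []):
                if member in directory:
                    if member not in seen:
                        seen.add(member)
                        next_level.append(member)
                else:
                    users.add(member)
        if not next_level:
            break          # nothing deeper to search
        current = next_level
    return sorted(users), lookups


if __name__ == "__main__":
    # Depth 0 models the unset parameter: no membership is queried.
    for depth in range(5):
        members, cost = expand_group("staff-grp", depth)
        print(f"depth={depth} lookups={cost} members={members}")
```
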

