[Samba] Setting up ACL definitions in smb.conf for maximum Windows server compatibility

Peter Milesson miles at atmos.eu
Sat Jan 14 20:01:54 UTC 2023



On 14.01.2023 20:20, Rowland Penny via samba wrote:
>
>
> On 14/01/2023 19:00, Peter Milesson via samba wrote:
>>>
>> Hi Rowland,
>>
>> Thanks for the information. It clears up things a bit.
>>
>> I just took the smb.conf from the old server, peeled off some lines, 
>> and it was that one I presented in my original post. I assume I could 
>> just use the smb.conf with your suggested changes and continue 
>> setting up the shares. Joining the new server to the domain was 
>> successful, although when using samba-tool, there were quite a few 
>> error messages (mostly missing files and directories). Using net join 
>> was however successful.
>
> For quite a few years, joining a Unix domain member with samba-tool 
> did not work at all, you got something but nobody knew quite what it 
> was, but it wasn't a Unix domain member. This was fixed about 18 
> months ago (supposedly), but I still find it easier to run 'net ads 
> join'.
>
>>
>> I still have one question. In the old smb.conf I had set the 
>> parameter "winbind expand groups = 4". When I introduced it into the 
>> smb.conf on the new server, I get exactly the same result from getent 
>> group on both servers. But if I leave it out, there are no group 
>> members displayed. Is it just "cosmetics" for applications like 
>> getent, or are there implications if I leave it out, that is, 
>> different client behavior?
>
> What 'winbind expand groups' does, is to set the depth that nested 
> groups are searched, the larger the number, the deeper it goes and the 
> more time it takes. Setting it to '0' (or removing the line, which is 
> the same), stops group membership being queried.
>
>>
>> When I previously set up folder redirection, I used the Wiki page you 
>> are referring to, plus the Microsoft documentation.
>
> Was there something missing from our wiki page?
>
> Rowland
>
Hi Rowland,

I take it that "winbind expand groups" is not really necessary in most 
cases. What I have deduced after sifting through available information 
on the internet, most of it seems quite old. I will give it a try with 
the default behavior and turn it on, if I get problems.

About the folder redirection Wiki, my setup has been working for some 
years, so the information in the wiki is probably correct. I will need 
to have a check when I migrate the user profiles to the new server. If 
something seems dubious or incomprehensible, I will report it to the list.

Once again, many thanks for your input.

Peter
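
Added example, not part of the original message and not Samba's code: a simplified model of the depth-limited nested group search described in the quoted reply, showing why depth 0 lists no members and what depth 4 returns. The group names, members and GID are constructed, and leaving out groups that lie beyond the depth limit is an assumption of this model.

```python
"""Simplified model of depth-limited nested group expansion (not Samba code)."""

# Constructed directory: group -> direct members (users or other groups).
GROUPS = {
    "staff":    ["alice", "eng"],
    "eng":      ["bob", "platform"],
    "platform": ["carol", "sre"],
    "sre":      ["dave", "eng"],   # nests "eng" again: a cycle
}


def expand_group(group, depth, groups=GROUPS):
    """Return (sorted user members, number of group lookups performed).

    depth 0: membership is not queried at all.
    depth 1: direct user members only.
    depth n: also users of groups nested up to n-1 levels below.
    """
    users, seen, frontier, lookups = set(), {group}, [group], 0
    for _ in range(depth):
        next_frontier = []
        for g in frontier:
            lookups += 1                      # one directory query per group
            for member in groups.get(g, []):
                if member not in groups:
                    users.add(member)         # a user: report it
                elif member not in seen:      # a nested group, not yet visited
                    seen.add(member)
                    next_frontier.append(member)
        frontier = next_frontier
        if not frontier:                      # nothing left to expand
            break
    return sorted(users), lookups


def getent_line(group, depth, gid=10000):
    """Format the result the way a 'getent group' line is laid out."""
    members, _ = expand_group(group, depth)
    return f"{group}:x:{gid}:{','.join(members)}"


if __name__ == "__main__":
    for depth in (0, 1, 2, 4):
        _, lookups = expand_group("staff", depth)
        print(f"depth={depth} lookups={lookups} {getent_line('staff', depth)}")
```

The lookup count grows with the depth, which is the time cost mentioned in the quoted reply.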







