[Samba] Setting up ACL definitions in smb.conf for maximum Windows server compatibility

Peter Milesson miles at atmos.eu
Sat Jan 14 20:01:54 UTC 2023

On 14.01.2023 20:20, Rowland Penny via samba wrote:
> On 14/01/2023 19:00, Peter Milesson via samba wrote:
>> Hi Rowland,
>> Thanks for the information. It clears up things a bit.
>> I just took the smb.conf from the old server, peeled off some lines, 
>> and it was that one I presented in my original post. I assume I could 
>> just use the smb.conf with your suggested changes and continue 
>> setting up the shares. Joining the new server to the domain was 
>> successful, although when using samba-tool, there were quite a few 
>> error messages (mostly missing files and directories). Using net join 
>> was however successful.
> For quite a few years, joining a Unix domain member with samba-tool 
> did not work at all, you got something but nobody knew quite what it 
> was, but it wasn't a Unix domain member. This was fixed about 18 
> months ago (supposedly), but I still find it easier to run 'net ads 
> join'.
>> I still have one question. In the old smb.conf I had set the 
>> parameter "winbind expand groups = 4". When I introduced it into the 
>> smb.conf on the new server, I get exactly the same result from getent 
>> group on both servers. But if I leave it out, there are no group 
>> members displayed. Is it just "cosmetics" for applications like 
>> getent, or are there implications if I leave it out, that is, 
>> different client behavior?
> What 'winbind expand groups' does, is to set the depth that nested 
> groups are searched, the larger the number, the deeper it goes and the 
> more time it takes. Setting it to '0' (or removing the line, which is 
> the same), stops group membership being queried.
>> When I previously set up folder redirection, I used the Wiki page you 
>> are referring to, plus the Microsoft documentation.
> Was there something missing from our wiki page?
> Rowland

Hi Rowland,

I take it that "winbind expand groups" is not really necessary in most 
cases. From what I have deduced after sifting through available 
information on the internet, most of it seems quite old. I will give it 
a try with the default behavior and turn it on if I get problems.

About the folder redirection Wiki, my setup has been working for some 
years, so the information in the wiki is probably correct. I will need 
to have a check when I migrate the user profiles to the new server. If 
something seems dubious or incomprehensible, I will report it to the list.

Once again, many thanks for your input.

