[Samba] Setting up ACL definitions in smb.conf for maximum Windows server compatibility
Peter Milesson
miles at atmos.eu
Sat Jan 14 20:01:54 UTC 2023
On 14.01.2023 20:20, Rowland Penny via samba wrote:
>
>
> On 14/01/2023 19:00, Peter Milesson via samba wrote:
>>>
>> Hi Rowland,
>>
>> Thanks for the information. It clears up things a bit.
>>
>> I just took the smb.conf from the old server, peeled off some lines,
>> and it was that one I presented in my original post. I assume I could
>> just use the smb.conf with your suggested changes and continue
>> setting up the shares. Joining the new server to the domain was
>> successful, although when using samba-tool, there were quite a few
>> error messages (mostly missing files and directories). Using net join
>> was however successful.
>
> For quite a few years, joining a Unix domain member with samba-tool
> did not work at all, you got something but nobody knew quite what it
> was, but it wasn't a Unix domain member. This was fixed about 18
> months ago (supposedly), but I still find it easier to run 'net ads
> join'.
>
>>
>> I still have one question. In the old smb.conf I had set the
>> parameter "winbind expand groups = 4". When I introduced it into the
>> smb.conf on the new server, I get exactly the same result from getent
>> group on both servers. But if I leave it out, there are no group
>> members displayed. Is it just "cosmetics" for applications like
>> getent, or are there implications if I leave it out, that is,
>> different client behavior?
>
> What 'winbind expand groups' does, is to set the depth that nested
> groups are searched, the larger the number, the deeper it goes and the
> more time it takes. Setting it to '0' (or removing the line, which is
> the same), stops group membership being queried.
>
>>
>> When I previously set up folder redirection, I used the Wiki page you
>> are referring to, plus the Microsoft documentation.
>
> Was there something missing from our wiki page ?
>
> Rowland
>
Hi Rowland,
I take it that "winbind expand groups" is not really necessary in most
cases. What I have deduced after sifting through available information
on the internet, most of it seems quite old. I will give it a try with
the default behavior and turn it on, if I get problems.
About the folder redirection Wiki, my setup has been working for some
years, so the information in the wiki is probably correct. I will need
to have a check when I migrate the user profiles to the new server. If
something seems dubious or incomprehensible, I will report it to the list.
Once again, many thanks for your input.
Peter
More information about the samba
mailing list