Hey Samba,
For the last year I've been trying to set up a Samba Active Directory with a
share that will hold the users' profiles, so that Windows users can use the
roaming profiles functionality.
I started out with an Ubuntu Server 16.04 LTS on which I configured routing,
forwarding and DHCP. After that I followed the "Setting up Samba as an Active
Directory Domain Controller" documentation
<https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller>
and eventually created a share following the "Setting up a Share Using
Windows ACLs" documentation
<https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs>.
I ran into problems when I tried to set the ACLs on the share through Windows
(logged in as a Domain Admin): I cannot save the changes I made to the share
permissions. The error message I get from Windows is "Access Denied".
Output of testparm --verbose | more:
# Global parameters
[global]
        dos charset = CP850
        unix charset = UTF-8
        workgroup = LDB-BEHEER
        realm = LDB-BEHEER.NL
        netbios name = AD
        netbios aliases = 
        netbios scope = 
        server string = Samba 4.3.11-Ubuntu
        interfaces = 
        bind interfaces only = No
        config backend = file
        server role = active directory domain controller
        security = AUTO
        auth methods = 
        encrypt passwords = Yes
        client schannel = Auto
        server schannel = Auto
        allow trusted domains = Yes
        map to guest = Never
        null passwords = No
        old password allowed period = 60
        obey pam restrictions = No
        password server = *
        smb passwd file = /etc/samba/smbpasswd
        private dir = /var/lib/samba/private
        passdb backend = samba_dsdb
        algorithmic rid base = 1000
        root directory = 
        guest account = nobody
        enable privileges = Yes
        pam password change = No
        passwd program = 
        passwd chat = *new*password* %n\n *new*password* %n\n *changed*
        passwd chat debug = No
        passwd chat timeout = 2
        check password script = 
        username map = 
        username level = 0
        unix password sync = No
        restrict anonymous = 0
        lanman auth = No
        ntlm auth = Yes
        raw NTLMv2 auth = No
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        client use spnego principal = No
        preload modules = 
        dedicated keytab file = 
        kerberos method = default
        map untrusted to domain = No
        log level = 2
        syslog = 1
        syslog only = No
        log file = 
        logging = 
        max log size = 5000
        debug timestamp = Yes
        timestamp logs = Yes
        debug prefix timestamp = No
        debug hires timestamp = Yes
        debug pid = No
        debug uid = No
        debug class = No
        enable core files = Yes
        smb ports = 445 139
        large readwrite = Yes
        server max protocol = SMB3
        max protocol = SMB3
        protocol = SMB3
        server min protocol = LANMAN1
        min protocol = LANMAN1
        client max protocol = default
        client min protocol = CORE
        unicode = Yes
        min receivefile size = 0
        read raw = Yes
        write raw = Yes
        disable netbios = No
        reset on zero vc = No
        log writeable files on exit = No
        defer sharing violations = Yes
        nt pipe support = Yes
        nt status support = Yes
        smbd profiling level = off
        max mux = 50
        max xmit = 16644
        name resolve order = lmhosts wins host bcast
        max ttl = 259200
        max wins ttl = 518400
        min wins ttl = 21600
        time server = No
        unix extensions = Yes
        use spnego = Yes
        client signing = default
        server signing = default
        client use spnego = Yes
        client ldap sasl wrapping = sign
        ldap server require strong auth = Yes
        enable asu support = No
        svcctl list = 
        cldap port = 389
        dgram port = 138
        nbt port = 137
        krb5 port = 88
        kpasswd port = 464
        web port = 901
        rpc big endian = No
        deadtime = 0
        getwd cache = Yes
        keepalive = 300
        change notify = Yes
        kernel change notify = Yes
        lpq cache time = 30
        max smbd processes = 0
        max disk size = 0
        max open files = 16384
        socket options = TCP_NODELAY
        use mmap = Yes
        hostname lookups = No
        name cache timeout = 660
        ctdbd socket = 
        cluster addresses = 
        clustering = No
        ctdb timeout = 0
        ctdb locktime warn threshold = 0
        smb2 max read = 8388608
        smb2 max write = 8388608
        smb2 max trans = 8388608
        smb2 max credits = 8192
        load printers = Yes
        printcap cache time = 750
        printcap name = 
        cups server = 
        cups encrypt = No
        cups connection timeout = 30
        iprint server = 
        disable spoolss = No
        addport command = 
        enumports command = 
        addprinter command = 
        deleteprinter command = 
        show add printer wizard = Yes
        os2 driver map = 
        mangling method = hash2
        mangle prefix = 1
        max stat cache size = 256
        stat cache = Yes
        machine password timeout = 604800
        add user script = 
        rename user script = 
        delete user script = 
        add group script = 
        delete group script = 
        add user to group script = 
        delete user from group script = 
        set primary group script = 
        add machine script = 
        shutdown script = 
        abort shutdown script = 
        username map script = 
        username map cache time = 0
        logon script = 
        logon path = \\%N\%U\profile
        logon drive = 
        logon home = \\%N\%U
        domain logons = No
        init logon delayed hosts = 
        init logon delay = 100
        os level = 20
        lm announce = Auto
        lm interval = 60
        preferred master = Auto
        local master = Yes
        domain master = Auto
        browse list = Yes
        enhanced browsing = Yes
        dns proxy = Yes
        wins proxy = No
        wins server = 
        wins support = No
        wins hook = 
        smb2 leases = No
        lock spin time = 200
        oplock break wait time = 0
        ldap admin dn = 
        ldap delete dn = No
        ldap group suffix = 
        ldap idmap suffix = 
        ldap machine suffix = 
        ldap passwd sync = no
        ldap replication sleep = 1000
        ldap suffix = 
        ldap ssl = start tls
        ldap ssl ads = No
        ldap deref = auto
        ldap follow referral = Auto
        ldap timeout = 15
        ldap connection timeout = 2
        ldap page size = 1024
        ldap user suffix = 
        ldap debug level = 0
        ldap debug threshold = 10
        eventlog list = 
        add share command = 
        change share command = 
        delete share command = 
        config file = 
        preload = 
        auto services = 
        lock directory = /var/run/samba
        state directory = /var/lib/samba
        cache directory = /var/cache/samba
        pid directory = /var/run/samba
        ntp signd socket directory = /var/lib/samba/ntp_signd
        utmp directory = 
        wtmp directory = 
        utmp = No
        default service = 
        default = 
        message command = 
        get quota command = 
        set quota command = 
        remote announce = 
        remote browse sync = 
        nbt client socket address = 0.0.0.0
        socket address = 0.0.0.0
        nmbd bind explicit broadcast = Yes
        homedir map = auto.home
        afs username map = 
        afs token lifetime = 604800
        log nt token command = 
        NIS homedir = No
        registry shares = No
        usershare allow guests = No
        usershare max shares = 100
        usershare owner only = Yes
        usershare path = /var/lib/samba/usershares
        usershare prefix allow list = 
        usershare prefix deny list = 
        usershare template share = 
        allow insecure wide links = No
        async smb echo handler = No
        panic action = 
        perfcount module = 
        host msdfs = Yes
        passdb expand explicit = No
        idmap backend = tdb
        idmap cache time = 604800
        idmap negative cache time = 120
        idmap uid = 
        idmap gid = 
        template homedir = /home/%D/%U
        template shell = /bin/false
        winbind separator = \
        winbind cache time = 300
        winbind reconnect delay = 30
        winbind request timeout = 60
        winbind max clients = 200
        winbind enum users = No
        winbind enum groups = No
        winbind use default domain = No
        winbind trusted domains only = No
        winbind nested groups = Yes
        winbind expand groups = 0
        winbind nss info = template
        winbind refresh tickets = No
        winbind offline logon = No
        winbind normalize names = No
        winbind rpc only = No
        create krb5 conf = Yes
        ncalrpc dir = /var/run/samba/ncalrpc
        winbind max domain connections = 1
        winbindd socket directory = /var/run/samba/winbindd
        winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
        winbind sealed pipes = Yes
        neutralize nt4 emulation = No
        reject md5 servers = No
        require strong key = Yes
        allow dns updates = nonsecure and secure
        dns forwarder = 8.8.8.8
        dns update command = /usr/sbin/samba_dnsupdate
        nsupdate command = /usr/bin/nsupdate -g
        rndc command = /usr/sbin/rndc
        multicast dns register = Yes
        samba kcc command = /usr/sbin/samba_kcc
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
        spn update command = /usr/sbin/samba_spnupdate
        share backend = classic
        allow nt4 crypto = No
        reject md5 clients = No
        tls enabled = Yes
        tls keyfile = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile = tls/ca.pem
        tls crlfile = 
        tls dh params file = 
        tls priority = NORMAL:-VERS-SSL3.0
        tls verify peer = as_strict_as_possible
        client ipc max protocol = default
        client ipc min protocol = default
        client ipc signing = default
        allow dcerpc auth level connect = No
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        comment = 
        path = 
        username = 
        invalid users = 
        valid users = 
        admin users = 
        read list = 
        write list = 
        force user = 
        force group = 
        group = 
        read only = Yes
        spotlight = No
        acl check permissions = Yes
        acl group control = No
        acl map full control = Yes
        acl allow execute always = No
        create mask = 0744
        force create mode = 0000
        directory mask = 0755
        directory mode = 0755
        force directory mode = 0000
        force unknown acl user = No
        inherit permissions = No
        inherit acls = No
        inherit owner = No
        guest only = No
        administrative share = No
        guest ok = No
        only user = No
        hosts allow = 
        hosts deny = 
        allocation roundup size = 1048576
        aio read size = 0
        aio write size = 0
        aio write behind = 
        ea support = No
        nt acl support = Yes
        profile acls = No
        map acl inherit = No
        afs share = No
        smb encrypt = default
        durable handles = Yes
        block size = 1024
        directory name cache size = 100
        max connections = 0
        min print space = 0
        strict allocate = No
        strict rename = No
        strict sync = No
        sync always = No
        use sendfile = No
        write cache size = 0
        max reported print jobs = 0
        max print jobs = 1000
        printable = No
        print notify backchannel = No
        printing = cups
        cups options = 
        print command = 
        lpq command = %p
        lprm command = 
        lppause command = 
        lpresume command = 
        queuepause command = 
        queueresume command = 
        printer name = 
        use client driver = No
        default devmode = Yes
        force printername = No
        printjob username = %U
        default case = lower
        case sensitive = Auto
        preserve case = Yes
        short preserve case = Yes
        mangling char = ~
        hide dot files = Yes
        hide special files = No
        hide unreadable = No
        hide unwriteable files = No
        delete veto files = No
        veto files = 
        hide files = 
        veto oplock files = 
        map archive = No
        map hidden = No
        map system = No
        map readonly = no
        mangled names = Yes
        store dos attributes = Yes
        dmapi support = No
        browseable = Yes
        access based share enum = No
        blocking locks = Yes
        csc policy = manual
        fake oplocks = No
        kernel oplocks = No
        kernel share modes = Yes
        locking = Yes
        oplocks = Yes
        level2 oplocks = Yes
        oplock contention limit = 2
        posix locking = Yes
        strict locking = Auto
        dfree cache time = 0
        dfree command = 
        include = 
        preexec = 
        exec = 
        preexec close = No
        postexec = 
        root preexec = 
        root preexec close = No
        root postexec = 
        available = Yes
        volume = 
        fstype = NTFS
        wide links = No
        follow symlinks = Yes
        dont descend = 
        magic script = 
        magic output = 
        delete readonly = No
        dos filemode = No
        dos filetimes = Yes
        dos filetime resolution = No
        fake directory create times = No
        vfs objects = dfs_samba4 acl_xattr
        msdfs root = No
        msdfs proxy = 
        msdfs shuffle referrals = No
        ntvfs handler = unixuid, default
[netlogon]
        path = /var/lib/samba/sysvol/ldb-beheer.nl/scripts
        read only = No
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
[users]
        path = /mnt/users/roaming
        read only = No
Output of getfacl /mnt/users/roaming:
getfacl: Removing leading '/' from absolute path names
# file: mnt/users/roaming
# owner: root
# group: LDB-BEHEER\134domain\040users
# flags: -s-
user::rwx
group::r-x
other::r-x
Kind regards