On Thu, 14 Jun 2018 16:03:35 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:

> Nevertheless, 'ls' does give names though I don't seem to have either
> libnss-winbind or libpam-winbind files on my AD/DC.

I keep forgetting that you use slackware, I suppose it uses something different, but do you have any file like: libnss_winbind.so.2

>
> Circling back to the OP, with 4.4.16 I got:
>
> > ls -l
> /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> total 16
> drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22
> Microsoft/ -rwxrwx--- 1 BUILTIN\administrators users 958 2014-09-13
> 04:01 Registry.pol* drwxrwx--- 4 BUILTIN\administrators users 4096
> 2014-09-13 03:22 Scripts/
>
> Now, with 4.8.2, doing the same ls gives me:
>
> > ls -l
> /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> total 16
> drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/
> -rwxrwx--- 1 3000000 users 958 2014-09-13 04:01 Registry.pol*
> drwxrwx--- 4 3000000 users 4096 2014-09-13 03:22 Scripts/
>
> I'm still not sure I've gleaned an answer. I'll check sam.ldb and
> imap.ldb for clues.

For some reason, nsswitch (and/or idmap.ldb) isn't mapping '3000000' to 'Administrators'

>
> > > With 4.8.2 on my DC's i see:
> > > ls -al sysvol/
> > > drwxrwx---+ 5 root BUILTIN\administrators 4096 Dec 21 13:14
> > > internal.domain.tld
>
> Funny you should mention that. I was going to post the same thing,
> mine is:
>
> rwxrwxr--+ 3 root BUILTIN\administrators 4096 2014-09-03 00:46
> sysvol/
>
> I thought it strange that it would list the 300000 groupname, but for
> files owned by 300000 it will only list the UID number, not the
> username.

AH-Ha, the only place that maps an ID to a user AND a group is idmap.ldb, where it get 'ID_TYPE_BOTH'. Have you given 'Administrators' a uidNumber ? or is it being mapped to 'ID_TYPE_UID' in idmap.ldb ?

>
> and am missing Louis':
> group:3000002:rwx
> group:3000003:r-x
>
> whereas Louis has:
> group:BUILTIN\134server\040operators:r-x
>
> For 'other' I have "other::r--" whereas Louis has "other::---"
>
> For default I am again missing user 3000001 and my 3000003 is rwx
> rather than Louis' r-x. My 'default-group' is "r-x", Louis' "---".
> Same group difference with 'default' as mentioned above with my
> 040AUTHORITY and Louis' 040operators.
> My "default:other::r-x", Louis' "default:other::---"
>
> Are my different settings bad?

Not necessarily, different DC's get different ID's for the users/groups.

>
> > And Louis also uses 'acl_xattr:ignore system acls = yes',
>
> How do you know that? I don't see that listed in Louis' message?

I just do ;-)

Try reading 'man vfs_acl_xattr'

>
> > this means that you can ignore the system ACL and what getfacl
> > produces.
> >
> > The permissions you set from windows is actually stored in in
> > 'security.NTACL'
> >
> > To see the contents of this attr:
> >
> > getfattr -n security.NTACL /home/testdata
> > getfattr: Removing leading '/' from absolute path names
> > # file: home/testdata
> > security.NTACL=0sAwA [deleted] KCAAA
> >
> > Not very readable is it ?
>
> Tried that on /var/lib/samba/sysvol. Yup, gobbledygook!

Just set them from Windows and ignore the Unix acls

Rowland

On Thu, 14 Jun 2018 21:37:58 +0100 Rowland Penny wrote:

>
> On Thu, 14 Jun 2018 16:03:35 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > Nevertheless, 'ls' does give names though I don't seem to have either
> > libnss-winbind or libpam-winbind files on my AD/DC.
>
> I keep forgetting that you use slackware, I suppose it uses something
> different, but do you have any file like: libnss_winbind.so.2

Yes, I have:

-rwxr-xr-x 1 root root 13928 2015-04-17 12:46:33 /usr/lib64/pppd/2.4.7/winbind.so
-rwxr-xr-x 1 root root 47864 2016-06-23 18:40:38 /usr/lib64/kde4/kgreet_winbind.so
-rwxr-xr-x 1 root root 1307104 2018-06-10 22:37:16 /usr/lib64/python2.7/site-packages/samba/dcerpc/winbind.so
-rwxr-xr-x 1 root root 14112 2018-06-10 22:37:16 /usr/lib64/libnss_winbind.so.2
lrwxrwxrwx 1 root root 19 2018-06-10 22:39:17 /usr/lib64/libnss_winbind.so -> libnss_winbind.so.2

Might it be prudent to remove (or rename) the lib modules from 2015 and 2016? Perhaps the lib search order is picking up the wrong one.

> > Circling back to the OP, with 4.4.16 I got:
> >
> > > ls -l
> > /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > total 16
> > drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22
> > Microsoft/ -rwxrwx--- 1 BUILTIN\administrators users 958 2014-09-13
> > 04:01 Registry.pol* drwxrwx--- 4 BUILTIN\administrators users 4096
> > 2014-09-13 03:22 Scripts/
> >
> > Now, with 4.8.2, doing the same ls gives me:
> >
> > > ls -l
> > /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > total 16
> > drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/
> > -rwxrwx--- 1 3000000 users 958 2014-09-13 04:01 Registry.pol*
> > drwxrwx--- 4 3000000 users 4096 2014-09-13 03:22 Scripts/
> >
> > I'm still not sure I've gleaned an answer. I'll check sam.ldb and
> > imap.ldb for clues.
> For some reason, nsswitch (and/or idmap.ldb) isn't mapping '3000000' to
> 'Administrators'

... but it used to with 4.4.16 ...

in my idmap.ldb I have only:

# record 71
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

in sam.ldb for objectSID: S-1-5-32-544, I have:

# record 163
dn: CN=Administrators,CN=Builtin,DC=hprs,DC=local
objectClass: top
objectClass: group
cn: Administrators
description: Administrators have complete and unrestricted access to the compu
 ter/domain
instanceType: 4
whenCreated: 20140903044615.0Z
uSNCreated: 3562
name: Administrators
objectGUID: 06970ceb-a0bb-4d7a-b878-51f54ac210bd
objectSid: S-1-5-32-544
adminCount: 1
sAMAccountName: Administrators
sAMAccountType: 536870912
systemFlags: -1946157056
groupType: -2147483643
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hprs,DC=local
isCriticalSystemObject: TRUE
whenChanged: 20150825012848.0Z
uSNChanged: 6468
member: CN=Enterprise Admins,CN=Users,DC=hprs,DC=local
member: CN=Domain Admins,CN=Users,DC=hprs,DC=local
member: CN=Administrator,CN=Users,DC=hprs,DC=local
distinguishedName: CN=Administrators,CN=Builtin,DC=hprs,DC=local

Is there someplace else I can look for this? In ADUC for the 'Administrator' I have nothing in NIS Domain, UID or Primary Group name/GID. Should I for this user, or is 'Administrator' "special"? For all "normal" domain users I have:

NIS Domain: hprs
UID: 1000x
Primary group name/GID: Domain Users

> > > > With 4.8.2 on my DC's i see:
> > > > ls -al sysvol/
> > > > drwxrwx---+ 5 root BUILTIN\administrators 4096 Dec 21 13:14
> > > > internal.domain.tld
> >
> > Funny you should mention that. I was going to post the same thing,
> > mine is:
> >
> > rwxrwxr--+ 3 root BUILTIN\administrators 4096 2014-09-03 00:46
> > sysvol/
> >
> > I thought it strange that it would list the 300000 groupname, but for
> > files owned by 300000 it will only list the UID number, not the
> > username.
>
> AH-Ha, the only place that maps an ID to a user AND a group is
> idmap.ldb, where it get 'ID_TYPE_BOTH'. Have you given
> 'Administrators' a uidNumber ? or is it being mapped to 'ID_TYPE_UID'
> in idmap.ldb ?

As shown in my idmap.ldb entry, it has "ID_TYPE_BOTH". A clue?

> > and am missing Louis':
> > group:3000002:rwx
> > group:3000003:r-x
> >
> > whereas Louis has:
> > group:BUILTIN\134server\040operators:r-x
> >
> > For 'other' I have "other::r--" whereas Louis has "other::---"
> >
> > For default I am again missing user 3000001 and my 3000003 is rwx
> > rather than Louis' r-x. My 'default-group' is "r-x", Louis' "---".
> > Same group difference with 'default' as mentioned above with my
> > 040AUTHORITY and Louis' 040operators.
> > My "default:other::r-x", Louis' "default:other::---"
> >
> > Are my different settings bad?
> Not necessarily, different DC's get different ID's for the
> users/groups.

OK, so not to worry here.

> > > And Louis also uses 'acl_xattr:ignore system acls = yes',
> >
> > How do you know that? I don't see that listed in Louis' message?
>
> I just do ;-)
>
> Try reading 'man vfs_acl_xattr'

The man page says in part:

"When set to yes, a best effort mapping from/to the POSIX ACL layer will not be done by this module. The default is no, which means that Samba keeps setting and evaluating both the system ACLs and the NT ACLs. This is better if you need your system ACLs be set for local or NFS file access, too. If you only access the data via Samba you might set this to yes to achieve better NT ACL compatibility."

then lists additional settings for file mods if 'yes' is selected. I assume mine is set to the default 'no'. So is this something I should fiddle with or is it no big deal?

> > > this means that you can ignore the system ACL and what getfacl
> > > produces.
> > >
> > > The permissions you set from windows is actually stored in in
> > > 'security.NTACL'
> > >
> > > To see the contents of this attr:
> > >
> > > getfattr -n security.NTACL /home/testdata
> > > getfattr: Removing leading '/' from absolute path names
> > > # file: home/testdata
> > > security.NTACL=0sAwA [deleted] KCAAA
> > >
> > > Not very readable is it ?
> >
> > Tried that on /var/lib/samba/sysvol. Yup, gobbledygook!
>
> Just set them from Windows and ignore the Unix acls
>
> Rowland

Which I assume answers the "no big deal" question just posed: not to worry.

So, do you see anything amiss, e.g. with my idmap.ldb setting, ADUC?

--Mark

On Thu, 14 Jun 2018 20:10:03 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:

> On Thu, 14 Jun 2018 21:37:58 +0100 Rowland Penny wrote:
> >
> > On Thu, 14 Jun 2018 16:03:35 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > Nevertheless, 'ls' does give names though I don't seem to have
> > > either libnss-winbind or libpam-winbind files on my AD/DC.
> >
> > I keep forgetting that you use slackware, I suppose it uses
> > something different, but do you have any file like:
> > libnss_winbind.so.2
>
> Yes, I have:
>
> -rwxr-xr-x 1 root root 13928 2015-04-17
> 12:46:33 /usr/lib64/pppd/2.4.7/winbind.so -rwxr-xr-x 1 root root
> 47864 2016-06-23 18:40:38 /usr/lib64/kde4/kgreet_winbind.so
> -rwxr-xr-x 1 root root 1307104 2018-06-10
> 22:37:16 /usr/lib64/python2.7/site-packages/samba/dcerpc/winbind.so
> -rwxr-xr-x 1 root root 14112 2018-06-10
> 22:37:16 /usr/lib64/libnss_winbind.so.2 lrwxrwxrwx 1 root root 19
> 2018-06-10 22:39:17 /usr/lib64/libnss_winbind.so ->
> libnss_winbind.so.2
>
> Might it be prudent to remove (or rename) the lib modules from 2015
> and 2016? Perhaps the lib search order is picking up the wrong one.

Unless something strange is going on (and I don't think it is), you have the correct links, the others are for something else.

>
> > > Circling back to the OP, with 4.4.16 I got:
> > >
> > > > ls -l
> > > /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > total 16
> > > drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22
> > > Microsoft/ -rwxrwx--- 1 BUILTIN\administrators users 958
> > > 2014-09-13 04:01 Registry.pol* drwxrwx--- 4
> > > BUILTIN\administrators users 4096 2014-09-13 03:22 Scripts/
> > >
> > > Now, with 4.8.2, doing the same ls gives me:
> > >
> > > > ls -l
> > > /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > total 16
> > > drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/
> > > -rwxrwx--- 1 3000000 users 958 2014-09-13 04:01 Registry.pol*
> > > drwxrwx--- 4 3000000 users 4096 2014-09-13 03:22 Scripts/
> > >
> > > I'm still not sure I've gleaned an answer. I'll check sam.ldb and
> > > imap.ldb for clues.
>
> > For some reason, nsswitch (and/or idmap.ldb) isn't mapping
> > '3000000' to 'Administrators'
>
> ... but it used to with 4.4.16 ...
>
> in my idmap.ldb I have only:
>
> # record 71
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_BOTH
> xidNumber: 3000000
> distinguishedName: CN=S-1-5-32-544

So '3000000' is 'Administrators' and is both a group and a user.

>
> in sam.ldb for objectSID: S-1-5-32-544, I have:
>
> # record 163
> dn: CN=Administrators,CN=Builtin,DC=hprs,DC=local
> objectClass: top
> objectClass: group
> cn: Administrators
> description: Administrators have complete and unrestricted access to
> the compu ter/domain
> instanceType: 4
> whenCreated: 20140903044615.0Z
> uSNCreated: 3562
> name: Administrators
> objectGUID: 06970ceb-a0bb-4d7a-b878-51f54ac210bd
> objectSid: S-1-5-32-544
> adminCount: 1
> sAMAccountName: Administrators
> sAMAccountType: 536870912
> systemFlags: -1946157056
> groupType: -2147483643
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hprs,DC=local
> isCriticalSystemObject: TRUE
> whenChanged: 20150825012848.0Z
> uSNChanged: 6468
> member: CN=Enterprise Admins,CN=Users,DC=hprs,DC=local
> member: CN=Domain Admins,CN=Users,DC=hprs,DC=local
> member: CN=Administrator,CN=Users,DC=hprs,DC=local
> distinguishedName: CN=Administrators,CN=Builtin,DC=hprs,DC=local
>

So no uidNumber or gidNumber.

> Is there someplace else I can look for this? In ADUC for the
> 'Administrator' I have nothing in NIS Domain, UID or Primary Group
> name/GID. Should I for this user, or is 'Administrator' "special"?

Good, you shouldn't have, if you look in idmap.ldb, you will find that RID '500' is mapped to 'xidNumber' '0'.

> > AH-Ha, the only place that maps an ID to a user AND a group is
> > idmap.ldb, where it get 'ID_TYPE_BOTH'. Have you given
> > 'Administrators' a uidNumber ? or is it being mapped to
> > 'ID_TYPE_UID' in idmap.ldb ?
>
> As shown in my idmap.ldb entry, it has "ID_TYPE_BOTH". A clue?
>

Not really, more a poser, everything looks okay, but it still isn't working fully, perhaps time to run 'net cache flush' again ?

>
> > > > And Louis also uses 'acl_xattr:ignore system acls = yes',
> > >
> > > How do you know that? I don't see that listed in Louis' message?
> >
> > I just do ;-)
> >
> > Try reading 'man vfs_acl_xattr'
>
> The man page says in part:
>
> "When set to yes, a best effort mapping from/to the POSIX ACL layer
> will not be done by this module. The default is no, which means that
> Samba keeps setting and evaluating both the system ACLs and the NT
> ACLs. This is better if you need your system ACLs be set for local
> or NFS file access, too. If you only access the data via Samba you
> might set this to yes to achieve better NT ACL compatibility."
>
> then lists additional settings for file mods if 'yes' is selected. I
> assume mine is set to the default 'no'. So is this something I should
> fiddle with or is it no big deal?

From my understanding, when 'acl_xattr:ignore system acls = no' is set (the default), Samba will attempt to change the ACLs when set from Windows, it will use 'setfacl' whilst doing this, it will also write the extended attributes to security.NTACL.

If 'no' is changed to 'yes', it does what it says on the tin, the Unix ACLs are ignored, you can change them on the Unix side to whatever you like, but from the Windows side, they will be ignored as if they were not there.

From the perspective of whether you should set it or not, I would tend towards fixing your current problem first and decide later.

Rowland

On Fri, 15 Jun 2018 08:08:53 +0100 Rowland Penny <rpenny at samba.org> wrote:

>
> On Thu, 14 Jun 2018 20:10:03 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 14 Jun 2018 21:37:58 +0100 Rowland Penny wrote:
> > >
> > > On Thu, 14 Jun 2018 16:03:35 -0400
> > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > >
> > > > Nevertheless, 'ls' does give names though I don't seem to have
> > > > either libnss-winbind or libpam-winbind files on my AD/DC.
> > >
> > > I keep forgetting that you use slackware, I suppose it uses
> > > something different, but do you have any file like:
> > > libnss_winbind.so.2
> >
> > Yes, I have:
> >
> > -rwxr-xr-x 1 root root 13928 2015-04-17
> > 12:46:33 /usr/lib64/pppd/2.4.7/winbind.so -rwxr-xr-x 1 root root
> > 47864 2016-06-23 18:40:38 /usr/lib64/kde4/kgreet_winbind.so
> > -rwxr-xr-x 1 root root 1307104 2018-06-10
> > 22:37:16 /usr/lib64/python2.7/site-packages/samba/dcerpc/winbind.so
> > -rwxr-xr-x 1 root root 14112 2018-06-10
> > 22:37:16 /usr/lib64/libnss_winbind.so.2 lrwxrwxrwx 1 root root 19
> > 2018-06-10 22:39:17 /usr/lib64/libnss_winbind.so ->
> > libnss_winbind.so.2
> >
> > Might it be prudent to remove (or rename) the lib modules from 2015
> > and 2016? Perhaps the lib search order is picking up the wrong one.
>
> Unless something strange is going on (and I don't think it is), you
> have the correct links, the others are for something else.
>
> >
> > > > Circling back to the OP, with 4.4.16 I got:
> > > >
> > > > > ls -l
> > > > /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > > total 16
> > > > drwxrwx--- 3 BUILTIN\administrators users 4096 2014-09-13 03:22
> > > > Microsoft/ -rwxrwx--- 1 BUILTIN\administrators users 958
> > > > 2014-09-13 04:01 Registry.pol* drwxrwx--- 4
> > > > BUILTIN\administrators users 4096 2014-09-13 03:22 Scripts/
> > > >
> > > > Now, with 4.8.2, doing the same ls gives me:
> > > >
> > > > > ls -l
> > > > /var/lib/samba/sysvol/hprs.local/policies/\{B78D19CB-914B-48F4-AA63-FD8708A553D7\}/Machine/
> > > > total 16
> > > > drwxrwx--- 3 3000000 users 4096 2014-09-13 03:22 Microsoft/
> > > > -rwxrwx--- 1 3000000 users 958 2014-09-13 04:01 Registry.pol*
> > > > drwxrwx--- 4 3000000 users 4096 2014-09-13 03:22 Scripts/
> > > >
> > > > I'm still not sure I've gleaned an answer. I'll check sam.ldb and
> > > > imap.ldb for clues.
> >
> > > For some reason, nsswitch (and/or idmap.ldb) isn't mapping
> > > '3000000' to 'Administrators'
> >
> > ... but it used to with 4.4.16 ...
> >
> > in my idmap.ldb I have only:
> >
> > # record 71
> > dn: CN=S-1-5-32-544
> > cn: S-1-5-32-544
> > objectClass: sidMap
> > objectSid: S-1-5-32-544
> > type: ID_TYPE_BOTH
> > xidNumber: 3000000
> > distinguishedName: CN=S-1-5-32-544
>
> So '3000000' is 'Administrators' and is both a group and a user.
>
> >
> > in sam.ldb for objectSID: S-1-5-32-544, I have:
> >
> > # record 163
> > dn: CN=Administrators,CN=Builtin,DC=hprs,DC=local
> > objectClass: top
> > objectClass: group
> > cn: Administrators
> > description: Administrators have complete and unrestricted access to
> > the compu ter/domain
> > instanceType: 4
> > whenCreated: 20140903044615.0Z
> > uSNCreated: 3562
> > name: Administrators
> > objectGUID: 06970ceb-a0bb-4d7a-b878-51f54ac210bd
> > objectSid: S-1-5-32-544
> > adminCount: 1
> > sAMAccountName: Administrators
> > sAMAccountType: 536870912
> > systemFlags: -1946157056
> > groupType: -2147483643
> > objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hprs,DC=local
> > isCriticalSystemObject: TRUE
> > whenChanged: 20150825012848.0Z
> > uSNChanged: 6468
> > member: CN=Enterprise Admins,CN=Users,DC=hprs,DC=local
> > member: CN=Domain Admins,CN=Users,DC=hprs,DC=local
> > member: CN=Administrator,CN=Users,DC=hprs,DC=local
> > distinguishedName: CN=Administrators,CN=Builtin,DC=hprs,DC=local
> >
>
> So no uidNumber or gidNumber.
>
> > Is there someplace else I can look for this? In ADUC for the
> > 'Administrator' I have nothing in NIS Domain, UID or Primary Group
> > name/GID. Should I for this user, or is 'Administrator' "special"?
>
> Good, you shouldn't have, if you look in idmap.ldb, you will find that
> RID '500' is mapped to 'xidNumber' '0'.
>
> > > AH-Ha, the only place that maps an ID to a user AND a group is
> > > idmap.ldb, where it get 'ID_TYPE_BOTH'. Have you given
> > > 'Administrators' a uidNumber ? or is it being mapped to
> > > 'ID_TYPE_UID' in idmap.ldb ?
> >
> > As shown in my idmap.ldb entry, it has "ID_TYPE_BOTH". A clue?
> >
>
> Not really, more a poser, everything looks okay, but it still isn't
> working fully, perhaps time to run 'net cache flush' again ?

ran 'net cache flush', then restarted samba. No change.

So, libnss_winbind.so is correct, idmap.ldb is correct, sam.ldb is correct, ADUC is correct, yet still getting only UID on 'ls' for BUILTIN\administrators. I'm Stumped! Is there anything else to check/try?

[acl_xattr stuff deleted]

--Mark
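
Added example (an editorial illustration, not part of the thread and not Samba code): 'ls' takes the owner name from the passwd database and the group name from the group database, so an ID_TYPE_BOTH mapping has to resolve in both. The sketch below parses idmap.ldb records in LDIF form and reports which of the two NSS lookups fails for a given xidNumber; the function names are hypothetical and the sample is the record quoted above.

```python
import grp
import pwd

# Constructed sample: the idmap.ldb record quoted in the thread, in the
# LDIF form that ldbsearch prints.
SAMPLE_LDIF = """\
# record 71
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544
"""

# Which NSS databases each idmap type should be resolvable in.
KINDS = {"ID_TYPE_UID": {"uid"}, "ID_TYPE_GID": {"gid"},
         "ID_TYPE_BOTH": {"uid", "gid"}}

def parse_ldif(text):
    """Split LDIF text into records (dict of attribute -> list of values)."""
    records, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                  # blank line ends a record
            if current:
                records.append(current)
            current, last = {}, None
        elif raw.startswith(" ") and last:   # folded continuation line
            current[last][-1] += raw[1:]
        else:
            last, _, value = raw.partition(":")
            current.setdefault(last, []).append(value.strip())
    if current:
        records.append(current)
    return records

def xid_table(records):
    """Map xidNumber -> (SID, set of kinds the mapping is valid for)."""
    return {int(r["xidNumber"][0]): (r["objectSid"][0], KINDS[r["type"][0]])
            for r in records if "sidMap" in r.get("objectClass", [])}

def nss_resolves(xid, getpwuid=pwd.getpwuid, getgrgid=grp.getgrgid):
    """Return the kinds NSS can turn into a name (the lookups ls performs)."""
    found = set()
    for kind, lookup in (("uid", getpwuid), ("gid", getgrgid)):
        try:
            lookup(xid)
            found.add(kind)
        except KeyError:                     # no such entry in that database
            pass
    return found

def diagnose(xid, table, **lookups):
    """Return (SID, kinds idmap.ldb allows but NSS fails to resolve)."""
    sid, expected = table[xid]
    return sid, sorted(expected - nss_resolves(xid, **lookups))

if __name__ == "__main__":
    table = xid_table(parse_ldif(SAMPLE_LDIF))
    for xid in sorted(table):
        sid, missing = diagnose(xid, table)
        print(xid, sid, "unresolved by NSS:", ", ".join(missing) or "none")
```

On a host showing the symptom in this thread the expected report for 3000000 is that 'uid' is unresolved while 'gid' resolves, which places the fault in the passwd-side lookup rather than in idmap.ldb.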
Mark Foley
2018-Nov-10 03:07 UTC
[Samba] How to Samba share with mixed Active Directory 'Classic' authentication
I have a Samba4 AD Domain with one of the file servers as a domain member. This file server hosts the main network shares for the domain. Currently, Windows users mapping this share are authenticated using their AD domain credentials. That all works just fine.

What I want to do now is ALSO allow a user on a network host which IS NOT a domain member, and the user is not a domain user, to also map/mount this share, possibly via the "Classic" 'security = user' mechanism.

Can this be done? That is, can both mechanisms be accommodated somehow?

THX --Mark

Below is the current smb.conf with 'security = ADS' and various idmaps.

[global]
    netbios name = OHPRSSTORAGE
    # workgroup = NT-Domain-Name or Workgroup-Name, eg: LINUX2
    # workgroup = WORKGROUP
    # server string is the equivalent of the NT Description field
    server string = HPRS NAS server
    domain master = no
    prefered master = no
    realm = HPRS.LOCAL
    workgroup = HPRS
    usershare allow guests = Yes
    usershare max shares = 10
    security = ADS
    template shell = /bin/bash
    max log size = 10000
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config HPRS:backend = ad
    idmap config HPRS:schema_mode = rfc2307
    idmap config HPRS:range = 10000-10099
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind nss info = rfc2307
    winbind offline logon = Yes
    winbind refresh tickets = Yes
    winbind use default domain = Yes

[public]
    comment = OHPRS main file and document repository
    path = /mnt/RAID/public
    # for the following settings see: https://www.samba.org/samba/docs/using_samba/ch08.html
    hide dot files = yes
    # set o+x to mark a file as hidden (doesn't work for folders)
    map hidden = yes
    # User's outlook .pst files are in a folder named "outlook"
    hide files = /Outlook/outlook/~*/
    # locking: https://www.samba.org/samba/docs/using_samba/ch08.html
    veto oplock files = /OfficeCalendar.pst/
    inherit acls = yes
    valid users = @"domain users"
    # guest ok = yes
    # guest only = yes
    locking = yes
    public = yes
    writeable = yes
    browseable= yes
    printable = no
    create mask = 0660
    force user = ohprso
    force group = ohprs
    force create mode = 0660
    directory mask = 2771