samba - Sep 2018 - Cannot access HOME folder after upgrading to 4.8 from 4.6

Hello-

I upgraded Samba from 4.6 to 4.8 on a FreeBSD 11.2 server. After the upgrade,
users cannot access the HOME folder share but they can access other shares just
fine.

I am using the RID backend on this member server that connects to Windows-based
domain controllers. I apologize for the lengthy smb4.conf but here it is:


#======================= Global Settings
====================================[global]
# This would be your AD Domain (kerberos realm)
realm = DAWNSIGN.COM
security = ADS
encrypt passwords = yes
workgroup = EXAMPLE
server string = 
hosts allow = 192.168.xxx. 192.168.xxx. 127.
name resolve order = lmhosts bcast

socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE

# Uncomment this if you want 139 open, but why would you? We're doing SMB
over
# TCP only. No NetBIOS here
smb ports = 445
disable netbios = Yes

# ver 4.1 - RID backend
idmap config EXAMPLE:range = 50001-60000
idmap config EXAMPLE:default = yes 
idmap config EXAMPLE:backend = rid 
idmap config *:range = 1000-50000
idmap config *:backend = tdb

winbind separator = -
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind cache time = 10
winbind offline logon = yes
winbind refresh tickets = yes 
kerberos method = secrets and keytab
dedicated keytab file = /usr/local/etc/krb5.keytab

winbind nss info = rfc2307
winbind scan trusted domains = yes

# ver 4.1
client ldap sasl wrapping = seal
directory name cache size = 0

# workaround to constant error messages in log.192.168.xxx.175
# prevent winbindd from changing machine password
# https://lists.samba.org/archive/samba/2016-September/203338.html
machine password timeout = 0

#################
### Member Server
#################
# Browser settings
preferred master = no
local master = no
domain master = no

#= Disable Printing/Cups ============load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# Change this to where you want the samba log
log file = /var/log/samba4/log.%m
# Debug goes from 1 to 10 * 10 way too much info for me to understand ;)
#debug level = 10
log level = 2
#log level = 0 


# Settings to enhance performance:
strict locking = no
read raw = yes
write raw = yes
#oplocks = yes
max xmit = 65535
deadtime = 15
getwd cache = yes
max connections = 65535
max open files = 65535

use sendfile = true 
aio read size = 16384
# Use asynchronous I/O for reads bigger than 16KB request size
aio write size = 16384           
# Use asynchronous I/O for writes bigger than 16KB request size
#aio write behind = true
min receivefile size = 16384
strict sync = no
sync always = no
# End of performance section
	
#assuming you installed bash - change as needed
template shell = /bin/bash
guest account = nobody 

admin users = EXAMPLE-user EXAMPLE-admin @"EXAMPLE-domain admins"

# ZFS stuff
read only = no
inherit permissions = Yes
# allow ZFS to handle inheritance
inherit acls = No
inherit owner = Yes
force unknown acl user = No
store dos attributes = yes
map read only = no
map acl inherit = yes
 
vfs objects  = zfsacl acl_xattr audit netatalk
nfs4:mode    = special
nfs4:acedup  = merge
nfs4:chown   = yes

#============================ Share Definitions =============================#
Share - man smb.conf for details

[public]
   comment = test share
#	this share resides on an UFS filesystem!
   path = /zdata/public
   public = yes
   writable = yes
   printable = no
   write list = @"EXAMPLE-domain admins"

[apps]
   comment = Folder for applications
   path = /zdata/apps
   valid users = @"EXAMPLE-domain admins" @"EXAMPLE-domain
users"
   writable = yes
   printable = no
   hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
Items/
   delete veto files = Yes
   veto files = /lost+found/Network Trash
Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
   inherit permissions = Yes
   inherit owner = Yes
   map archive = No
   vfs objects = zfsacl

[clients]
   comment = Folder for Internet client software for domain admins' use
   path = /zdata/clients
   valid users = @"EXAMPLE-domain admins" @"EXAMPLE-domain
users"
   writable = yes
   printable = no
   hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
Items/
   delete veto files = Yes
   veto files = /lost+found/Network Trash
Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
   inherit permissions = Yes
   inherit owner = Yes
   map archive = No
   vfs objects = zfsacl

[downloads]
   comment = Folder for downloads for domain admins' use
   path = /zdata/downloads
   valid users = @"EXAMPLE-domain admins"
   writable = yes
   printable = no
   hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
Items/
   delete veto files = Yes
   veto files = /lost+found/Network Trash
Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
   inherit permissions = Yes
   inherit owner = Yes
   map archive = No
   vfs objects = zfsacl

[groups]
   comment = Departmental folders
   path = /zdata/groups
   valid users = "@EXAMPLE-domain users" @"EXAMPLE-domain
admins"
   writable = yes
   printable = no
   force create mode = 0770
   force directory mode = 0770
   hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
Items/
   delete veto files = yes
   veto files = /lost+found/Network Trash
Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
   inherit permissions = Yes
   inherit owner = Yes
   map archive = No
#   vfs objects = zfsacl, shadow_copy2, full_audit
   vfs objects = zfsacl, shadow_copy2
   shadow: snapdir = .zfs/snapshot
   shadow: format = %Y-%m-%dT%H:%M:%S
   shadow: snapdirseverywhere = yes 
   shadow: sort = desc
   shadow: localtime = no
#   full_audit:prefix = %u|%I
#   full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink
write pwrite pwrite_send pwrite_recv
#   full_audit:failure = none
#   full_audit:facility = LOCAL7
#   full_audit:priority = ALERT

[mac_software]
   comment = repository for all Mac OSX-related software
   path = /zdata/mac_software
   valid users = @EXAMPLE-production @"EXAMPLE-domain admins"
@EXAMPLE-marketing
   writable = yes
   printable = no
   force create mode = 0770
   force directory mode = 0770
   hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
Items/
   delete veto files = yes
   veto files = /lost+found/Network Trash
Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
   inherit permissions = Yes
   inherit owner = Yes
   map archive = No
   vfs objects = zfsacl

[ops]
   comment = Folder for the old OPS files
   path = /zdata/ops
   valid users = @EXAMPLE-sales @"EXAMPLE-domain admins"
   writeable = yes
   printable =no
   hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
Items/
   delete veto files = Yes
   veto files = /lost+found/Network Trash
Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
   inherit permissions = Yes
   inherit owner = Yes
   map archive = No
   vfs objects = zfsacl

[payroll]
   comment = Folder for sensitive payroll functions
   path = /zdata/payroll
   valid users = @EXAMPLE-payroll "@EXAMPLE-domain admins"
   browseable = yes
   writable = yes
   printable = no
   hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
Items/
   delete veto files = Yes
   veto files = /lost+found/Network Trash
Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
   inherit permissions = Yes
   inherit owner = Yes
   map archive = No
   vfs objects = zfsacl

[perform]
   comment = Folder for purchase orders using Perform software
   path = /zdata/apps/PERFORM
   valid users = @EXAMPLE-finance @"EXAMPLE-domain admins"
   writeable = yes
   printable = no
   hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
Items/
   delete veto files = Yes
   veto files = /lost+found/Network Trash
Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
   inherit permissions = Yes
   inherit owner = Yes
   map archive = No
   vfs objects = zfsacl

[pye]
   comment = Folder for year-end financial backups
   path = /zdata/pye
   valid users = @EXAMPLE-finance @"EXAMPLE-domain admins"
   writeable = yes
   printable = no
   hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
Items/
   delete veto files = Yes
   veto files = /lost+found/Network Trash
Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
   inherit permissions = Yes
   inherit owner = Yes
   map archive = No
   vfs objects = zfsacl

[reports]
   comment = Folder for CRW reports
   path = /zdata/reports
   valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain
admins"
   writable = yes
   printable = no
   hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
Items/
   delete veto files = Yes
   veto files = /lost+found/Network Trash
Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
   inherit permissions = Yes
   inherit owner = Yes
   map archive = No
   vfs objects = zfsacl

[shared]
   comment = Folder for intra-company sharing
   path = /zdata/shared
   valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain
admins"
   writable = yes
   printable = no
   hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
Items/
   delete veto files = Yes
   veto files = /lost+found/Network Trash
Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
   inherit permissions = Yes
   inherit owner = Yes
   map archive = No
   vfs objects = zfsacl

[star]
   comment = Folder for old Starship shipping data
   path = /zdata/star
   valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain
admins"
   writable = yes
   printable = no
   hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
Items/
   delete veto files = Yes
   veto files = /lost+found/Network Trash
Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
   inherit permissions = Yes
   inherit owner = Yes
   map archive = No
   vfs objects = zfsacl

[tm]
   comment = Folder for old TeleMagic data
   path = /zdata/tm
   valid users = @"EXAMPLE-domain admins"
#   read list = @"EXAMPLE-domain users"
   writable = yes
   printable = no
   hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
Items/
   delete veto files = Yes
   veto files = /lost+found/Network Trash
Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
   inherit permissions = Yes
   inherit owner = Yes
   map archive = No
   vfs objects = zfsacl

[x-groups]
   comment = Old Groups Folder for intra-company sharing
   path = /zdata/x-groups
   valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain
admins"
   writable = yes
   printable = no
   hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
Items/
   delete veto files = Yes
   veto files = /lost+found/Network Trash
Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
   inherit permissions = Yes
   inherit owner = Yes
   map archive = No
   vfs objects = zfsacl

[profiles]
   comment = Users profiles
#   path = /zdata/profiles/%U
   path = /zdata/profiles
#   guest ok = no
   browseable = no
   read only = no
   force create mode = 0600
   force directory mode = 0700
   create mask = 0600
   directory mask = 0700
   valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
   store dos attributes = Yes
# commenting this out for v4.8
#   profile acls = yes
   csc policy = disable
#   inherit permissions = Yes
#   inherit owner = Yes
#   delete veto files = Yes
#   veto files = /lost+found/Network Trash
Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
#   hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
Items/
#   map archive = No
   vfs objects = zfsacl
   force user = EXAMPLE-%U


# uncomment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username

[home]
   comment = Home directories for AD users
   path = /zdata/home
#   browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
   read only = no   
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server. Un-comment the following parameter
# to make sure that only "username" can connect to \\server\username
# This might need tweaking when using external authentication schemes
##   valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
   valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
#   inherit permissions = Yes
#   inherit owner = Yes
   delete veto files = Yes
   veto files = /lost+found/Network Trash
Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
   hide files = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
Items/$RECYCLE.BIN/
#   map archive = No  
#   map readonly = no 
   vfs objects = zfsacl, shadow_copy2, full_audit
   full_audit:prefix = %u|%I
   full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink
write pwrite pwrite_send pwrite_recv
   full_audit:failure = none
   full_audit:facility = LOCAL7
   full_audit:priority = ALERT
   shadow: snapdir = .zfs/snapshot
   shadow: format = %Y-%m-%dT%H:%M:%S
   shadow: snapdirseverywhere = yes 
   shadow: sort = desc
   shadow: localtime = no



I have several other SMB servers there were upgraded to 4.8 and I am able to
enumerate users and groups on all of these servers except this one. I cannot
enumerate groups and I am mystified as to why I cannot.

Also is the variable DSP-%U still supported? I have tried "EXAMPLE-Domain
Users" in place of EXAMPLE-%U. It doesn't work.

Is the vfs object full_audit still supported by 4.8?

~Doug

On Mon, 17 Sep 2018 19:00:38 +0000
Doug Sampson via samba <samba at lists.samba.org> wrote:
> Hello-
> 
> I upgraded Samba from 4.6 to 4.8 on a FreeBSD 11.2 server. After the
> upgrade, users cannot access the HOME folder share but they can
> access other shares just fine.
> 
> I am using the RID backend on this member server that connects to
> Windows-based domain controllers. I apologize for the lengthy
> smb4.conf but here it is:
> 
> 
> #======================= Global Settings
> ===================================== [global]
> # This would be your AD Domain (kerberos realm)
> realm = DAWNSIGN.COM
> security = ADS
> encrypt passwords = yes
> workgroup = EXAMPLE
> server string = 
> hosts allow = 192.168.xxx. 192.168.xxx. 127.
> name resolve order = lmhosts bcast
> 
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
> 
> # Uncomment this if you want 139 open, but why would you? We're doing
> SMB over # TCP only. No NetBIOS here
> smb ports = 445
> disable netbios = Yes
> 
> # ver 4.1 - RID backend
> idmap config EXAMPLE:range = 50001-60000
> idmap config EXAMPLE:default = yes 
> idmap config EXAMPLE:backend = rid 
> idmap config *:range = 1000-50000
> idmap config *:backend = tdb
> 
> winbind separator = -
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind nested groups = Yes
> winbind cache time = 10
> winbind offline logon = yes
> winbind refresh tickets = yes 
> kerberos method = secrets and keytab
> dedicated keytab file = /usr/local/etc/krb5.keytab
> 
> winbind nss info = rfc2307
> winbind scan trusted domains = yes
> 
> # ver 4.1
> client ldap sasl wrapping = seal
> directory name cache size = 0
> 
> # workaround to constant error messages in log.192.168.xxx.175
> # prevent winbindd from changing machine password
> # https://lists.samba.org/archive/samba/2016-September/203338.html
> machine password timeout = 0
> 
> #################
> ### Member Server
> #################
> # Browser settings
> preferred master = no
> local master = no
> domain master = no
> 
> #= Disable Printing/Cups ============> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> 
> # Change this to where you want the samba log
> log file = /var/log/samba4/log.%m
> # Debug goes from 1 to 10 * 10 way too much info for me to
> understand ;) #debug level = 10
> log level = 2
> #log level = 0 
> 
> 
> # Settings to enhance performance:
> strict locking = no
> read raw = yes
> write raw = yes
> #oplocks = yes
> max xmit = 65535
> deadtime = 15
> getwd cache = yes
> max connections = 65535
> max open files = 65535
> 
> use sendfile = true 
> aio read size = 16384
> # Use asynchronous I/O for reads bigger than 16KB request size
> aio write size = 16384           
> # Use asynchronous I/O for writes bigger than 16KB request size
> #aio write behind = true
> min receivefile size = 16384
> strict sync = no
> sync always = no
> # End of performance section
> 	
> #assuming you installed bash - change as needed
> template shell = /bin/bash
> guest account = nobody 
> 
> admin users = EXAMPLE-user EXAMPLE-admin @"EXAMPLE-domain admins"
> 
> # ZFS stuff
> read only = no
> inherit permissions = Yes
> # allow ZFS to handle inheritance
> inherit acls = No
> inherit owner = Yes
> force unknown acl user = No
> store dos attributes = yes
> map read only = no
> map acl inherit = yes
>  
> vfs objects  = zfsacl acl_xattr audit netatalk
> nfs4:mode    = special
> nfs4:acedup  = merge
> nfs4:chown   = yes
> 
> #============================ Share Definitions
> ============================== # Share - man smb.conf for details
> 
> [public]
>    comment = test share
> #	this share resides on an UFS filesystem!
>    path = /zdata/public
>    public = yes
>    writable = yes
>    printable = no
>    write list = @"EXAMPLE-domain admins"
> 
> [apps]
>    comment = Folder for applications
>    path = /zdata/apps
>    valid users = @"EXAMPLE-domain admins" @"EXAMPLE-domain
users"
>    writable = yes
>    printable = no
>    hide files
> = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes veto files = /lost+found/Network Trash
> Folder/TheFindByContentFolder/TheVolumeSettingsFolder/ inherit
> permissions = Yes inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [clients]
>    comment = Folder for Internet client software for domain admins'
> use path = /zdata/clients
>    valid users = @"EXAMPLE-domain admins" @"EXAMPLE-domain
users"
>    writable = yes
>    printable = no
>    hide files
> = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes veto files = /lost+found/Network Trash
> Folder/TheFindByContentFolder/TheVolumeSettingsFolder/ inherit
> permissions = Yes inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [downloads]
>    comment = Folder for downloads for domain admins' use
>    path = /zdata/downloads
>    valid users = @"EXAMPLE-domain admins"
>    writable = yes
>    printable = no
>    hide files
> = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes veto files = /lost+found/Network Trash
> Folder/TheFindByContentFolder/TheVolumeSettingsFolder/ inherit
> permissions = Yes inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [groups]
>    comment = Departmental folders
>    path = /zdata/groups
>    valid users = "@EXAMPLE-domain users" @"EXAMPLE-domain
admins"
>    writable = yes
>    printable = no
>    force create mode = 0770
>    force directory mode = 0770
>    hide files
> = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = yes veto files = /lost+found/Network Trash
> Folder/TheFindByContentFolder/TheVolumeSettingsFolder/ inherit
> permissions = Yes inherit owner = Yes
>    map archive = No
> #   vfs objects = zfsacl, shadow_copy2, full_audit
>    vfs objects = zfsacl, shadow_copy2
>    shadow: snapdir = .zfs/snapshot
>    shadow: format = %Y-%m-%dT%H:%M:%S
>    shadow: snapdirseverywhere = yes 
>    shadow: sort = desc
>    shadow: localtime = no
> #   full_audit:prefix = %u|%I
> #   full_audit:success = chflags chmod chmod_acl chown mkdir rename
> rmdir unlink write pwrite pwrite_send pwrite_recv #
> full_audit:failure = none #   full_audit:facility = LOCAL7
> #   full_audit:priority = ALERT
> 
> [mac_software]
>    comment = repository for all Mac OSX-related software
>    path = /zdata/mac_software
>    valid users = @EXAMPLE-production @"EXAMPLE-domain admins"
> @EXAMPLE-marketing writable = yes
>    printable = no
>    force create mode = 0770
>    force directory mode = 0770
>    hide files
> = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = yes veto files = /lost+found/Network Trash
> Folder/TheFindByContentFolder/TheVolumeSettingsFolder/ inherit
> permissions = Yes inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [ops]
>    comment = Folder for the old OPS files
>    path = /zdata/ops
>    valid users = @EXAMPLE-sales @"EXAMPLE-domain admins"
>    writeable = yes
>    printable =no
>    hide files
> = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes veto files = /lost+found/Network Trash
> Folder/TheFindByContentFolder/TheVolumeSettingsFolder/ inherit
> permissions = Yes inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [payroll]
>    comment = Folder for sensitive payroll functions
>    path = /zdata/payroll
>    valid users = @EXAMPLE-payroll "@EXAMPLE-domain admins"
>    browseable = yes
>    writable = yes
>    printable = no
>    hide files
> = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes veto files = /lost+found/Network Trash
> Folder/TheFindByContentFolder/TheVolumeSettingsFolder/ inherit
> permissions = Yes inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [perform]
>    comment = Folder for purchase orders using Perform software
>    path = /zdata/apps/PERFORM
>    valid users = @EXAMPLE-finance @"EXAMPLE-domain admins"
>    writeable = yes
>    printable = no
>    hide files
> = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes veto files = /lost+found/Network Trash
> Folder/TheFindByContentFolder/TheVolumeSettingsFolder/ inherit
> permissions = Yes inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [pye]
>    comment = Folder for year-end financial backups
>    path = /zdata/pye
>    valid users = @EXAMPLE-finance @"EXAMPLE-domain admins"
>    writeable = yes
>    printable = no
>    hide files
> = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes veto files = /lost+found/Network Trash
> Folder/TheFindByContentFolder/TheVolumeSettingsFolder/ inherit
> permissions = Yes inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [reports]
>    comment = Folder for CRW reports
>    path = /zdata/reports
>    valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain
admins"
>    writable = yes
>    printable = no
>    hide files
> = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes veto files = /lost+found/Network Trash
> Folder/TheFindByContentFolder/TheVolumeSettingsFolder/ inherit
> permissions = Yes inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [shared]
>    comment = Folder for intra-company sharing
>    path = /zdata/shared
>    valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain
admins"
>    writable = yes
>    printable = no
>    hide files
> = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes veto files = /lost+found/Network Trash
> Folder/TheFindByContentFolder/TheVolumeSettingsFolder/ inherit
> permissions = Yes inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [star]
>    comment = Folder for old Starship shipping data
>    path = /zdata/star
>    valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain
admins"
>    writable = yes
>    printable = no
>    hide files
> = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes veto files = /lost+found/Network Trash
> Folder/TheFindByContentFolder/TheVolumeSettingsFolder/ inherit
> permissions = Yes inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [tm]
>    comment = Folder for old TeleMagic data
>    path = /zdata/tm
>    valid users = @"EXAMPLE-domain admins"
> #   read list = @"EXAMPLE-domain users"
>    writable = yes
>    printable = no
>    hide files
> = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes veto files = /lost+found/Network Trash
> Folder/TheFindByContentFolder/TheVolumeSettingsFolder/ inherit
> permissions = Yes inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [x-groups]
>    comment = Old Groups Folder for intra-company sharing
>    path = /zdata/x-groups
>    valid users = @"EXAMPLE-domain users" @"EXAMPLE-domain
admins"
>    writable = yes
>    printable = no
>    hide files
> = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> delete veto files = Yes veto files = /lost+found/Network Trash
> Folder/TheFindByContentFolder/TheVolumeSettingsFolder/ inherit
> permissions = Yes inherit owner = Yes
>    map archive = No
>    vfs objects = zfsacl
> 
> [profiles]
>    comment = Users profiles
> #   path = /zdata/profiles/%U
>    path = /zdata/profiles
> #   guest ok = no
>    browseable = no
>    read only = no
>    force create mode = 0600
>    force directory mode = 0700
>    create mask = 0600
>    directory mask = 0700
>    valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
>    store dos attributes = Yes
> # commenting this out for v4.8
> #   profile acls = yes
>    csc policy = disable
> #   inherit permissions = Yes
> #   inherit owner = Yes
> #   delete veto files = Yes
> #   veto files = /lost+found/Network Trash
> Folder/TheFindByContentFolder/TheVolumeSettingsFolder/ #   hide files
> = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary Items/
> #   map archive = No vfs objects = zfsacl
>    force user = EXAMPLE-%U
> 
> 
> # uncomment the following (and tweak the other settings below to suit)
> # to enable the default home directory shares. This will share each
> # user's home directory as \\server\username
> 
> [home]
>    comment = Home directories for AD users
>    path = /zdata/home
> #   browseable = no
> # By default, the home directories are exported read-only. Change the
> # next parameter to 'no' if you want to be able to write to them.
>    read only = no   
> # File creation mask is set to 0700 for security reasons. If you want
> to # create files with group=rw permissions, set next parameter to
> 0775. create mask = 0700
> # Directory creation mask is set to 0700 for security reasons. If you
> want to # create dirs. with group=rw permissions, set next parameter
> to 0775. directory mask = 0700
> # By default, \\server\username shares can be connected to by anyone
> # with access to the samba server. Un-comment the following parameter
> # to make sure that only "username" can connect to
\\server\username
> # This might need tweaking when using external authentication schemes
> ##   valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
>    valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> #   inherit permissions = Yes
> #   inherit owner = Yes
>    delete veto files = Yes
>    veto files = /lost+found/Network Trash
> Folder/TheFindByContentFolder/TheVolumeSettingsFolder/ hide files
> = /_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
> Items/$RECYCLE.BIN/ #   map archive = No #   map readonly = no 
>    vfs objects = zfsacl, shadow_copy2, full_audit
>    full_audit:prefix = %u|%I
>    full_audit:success = chflags chmod chmod_acl chown mkdir rename
> rmdir unlink write pwrite pwrite_send pwrite_recv full_audit:failure
> = none full_audit:facility = LOCAL7
>    full_audit:priority = ALERT
>    shadow: snapdir = .zfs/snapshot
>    shadow: format = %Y-%m-%dT%H:%M:%S
>    shadow: snapdirseverywhere = yes 
>    shadow: sort = desc
>    shadow: localtime = no
> 
> 
> 
> I have several other SMB servers there were upgraded to 4.8 and I am
> able to enumerate users and groups on all of these servers except
> this one. I cannot enumerate groups and I am mystified as to why I
> cannot.
Why do you feel you need to enumerate groups ?
What do you get from enumerating groups ?
I take it that 'getent group agroup' works

Having said all that, there have been changes that may be causing your
problem, a user needs to be logged in before full group membership is
shown. 
> 
> Also is the variable DSP-%U still supported? I have tried
> "EXAMPLE-Domain Users" in place of EXAMPLE-%U. It doesn't
work.
It wouldn't ;-)
The 'U' is short for Username and Domain Users isn't a user.
You could try '%G'
> 
> Is the vfs object full_audit still supported by 4.8?
Yes

Rowland

> Hello-
> 
> I upgraded Samba from 4.6 to 4.8 on a FreeBSD 11.2 server. After the
> upgrade, users cannot access the HOME folder share but they can access
> other shares just fine.
> 
> I am using the RID backend on this member server that connects to Windows-
> based domain controllers. I apologize for the lengthy smb4.conf but here
> it is:
> 
[ ...snip... ]
> # uncomment the following (and tweak the other settings below to suit)
> # to enable the default home directory shares. This will share each
> # user's home directory as \\server\username
> 
> [home]
>    comment = Home directories for AD users
>    path = /zdata/home
> #   browseable = no
> # By default, the home directories are exported read-only. Change the
> # next parameter to 'no' if you want to be able to write to them.
>    read only = no
> # File creation mask is set to 0700 for security reasons. If you want to
> # create files with group=rw permissions, set next parameter to 0775.
>    create mask = 0700
> # Directory creation mask is set to 0700 for security reasons. If you want
> to
> # create dirs. with group=rw permissions, set next parameter to 0775.
>    directory mask = 0700
> # By default, \\server\username shares can be connected to by anyone
> # with access to the samba server. Un-comment the following parameter
> # to make sure that only "username" can connect to
\\server\username
> # This might need tweaking when using external authentication schemes
> ##   valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
>    valid users = EXAMPLE-%U @"EXAMPLE-domain admins"
> #   inherit permissions = Yes
> #   inherit owner = Yes
>    delete veto files = Yes
>    veto files = /lost+found/Network Trash
> Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
>    hide files >
/_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
> Items/$RECYCLE.BIN/
> #   map archive = No
> #   map readonly = no
>    vfs objects = zfsacl, shadow_copy2, full_audit
>    full_audit:prefix = %u|%I
>    full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir
> unlink write pwrite pwrite_send pwrite_recv
>    full_audit:failure = none
>    full_audit:facility = LOCAL7
>    full_audit:priority = ALERT
>    shadow: snapdir = .zfs/snapshot
>    shadow: format = %Y-%m-%dT%H:%M:%S
>    shadow: snapdirseverywhere = yes
>    shadow: sort = desc
>    shadow: localtime = no
> 
> 
> 
> I have several other SMB servers there were upgraded to 4.8 and I am able
> to enumerate users and groups on all of these servers except this one. I
> cannot enumerate groups and I am mystified as to why I cannot.
> 
> Also is the variable DSP-%U still supported? I have tried
"EXAMPLE-Domain
> Users" in place of EXAMPLE-%U. It doesn't work.
> 
> Is the vfs object full_audit still supported by 4.8?
> 
I substituted EXAMPLE-%U with "EXAMPLE-domain users" and now users are
able to access their home folders. Since each user's home folders have had
user security restrictions applied at the file level, I am comfortable with the
level of security here.

But why the change??? I looked at both 4.7 and 4.8 release notes and did not see
anything related to this. Has this been deprecated?

~Doug

On Mon, 17 Sep 2018 20:50:13 +0000
Doug Sampson via samba <samba at lists.samba.org> wrote:
> > Hello-
> > 
> > I upgraded Samba from 4.6 to 4.8 on a FreeBSD 11.2 server. After the
> > upgrade, users cannot access the HOME folder share but they can
> > access other shares just fine.
> > 
> > I am using the RID backend on this member server that connects to
> > Windows- based domain controllers. I apologize for the lengthy
> > smb4.conf but here it is:
> > 
> 
> [ ...snip... ]
> 
> > # uncomment the following (and tweak the other settings below to
> > suit) # to enable the default home directory shares. This will
> > share each # user's home directory as \\server\username
> > 
> > [home]
> >    comment = Home directories for AD users
> >    path = /zdata/home
> > #   browseable = no
> > # By default, the home directories are exported read-only. Change
> > the # next parameter to 'no' if you want to be able to write
to
> > them. read only = no
> > # File creation mask is set to 0700 for security reasons. If you
> > want to # create files with group=rw permissions, set next
> > parameter to 0775. create mask = 0700
> > # Directory creation mask is set to 0700 for security reasons. If
> > you want to
> > # create dirs. with group=rw permissions, set next parameter to
> > 0775. directory mask = 0700
> > # By default, \\server\username shares can be connected to by anyone
> > # with access to the samba server. Un-comment the following
> > parameter # to make sure that only "username" can connect to
> > \\server\username # This might need tweaking when using external
> > authentication schemes ##   valid users = EXAMPLE-%U
> > @"EXAMPLE-domain admins" valid users = EXAMPLE-%U
@"EXAMPLE-domain
> > admins" #   inherit permissions = Yes
> > #   inherit owner = Yes
> >    delete veto files = Yes
> >    veto files = /lost+found/Network Trash
> > Folder/TheFindByContentFolder/TheVolumeSettingsFolder/
> >    hide files > >
/_*/:*/.*/.AppleDB/.AppleDouble/.bin/.AppleDesktop/Temporary
> > Items/$RECYCLE.BIN/
> > #   map archive = No
> > #   map readonly = no
> >    vfs objects = zfsacl, shadow_copy2, full_audit
> >    full_audit:prefix = %u|%I
> >    full_audit:success = chflags chmod chmod_acl chown mkdir rename
> > rmdir unlink write pwrite pwrite_send pwrite_recv
> >    full_audit:failure = none
> >    full_audit:facility = LOCAL7
> >    full_audit:priority = ALERT
> >    shadow: snapdir = .zfs/snapshot
> >    shadow: format = %Y-%m-%dT%H:%M:%S
> >    shadow: snapdirseverywhere = yes
> >    shadow: sort = desc
> >    shadow: localtime = no
> > 
> > 
> > 
> > I have several other SMB servers there were upgraded to 4.8 and I
> > am able to enumerate users and groups on all of these servers
> > except this one. I cannot enumerate groups and I am mystified as to
> > why I cannot.
> > 
> > Also is the variable DSP-%U still supported? I have tried
> > "EXAMPLE-Domain Users" in place of EXAMPLE-%U. It
doesn't work.
> > 
> > Is the vfs object full_audit still supported by 4.8?
> > 
> 
> I substituted EXAMPLE-%U with "EXAMPLE-domain users" and now
users
> are able to access their home folders. Since each user's home folders
> have had user security restrictions applied at the file level, I am
> comfortable with the level of security here.
> 
> But why the change??? I looked at both 4.7 and 4.8 release notes and
> did not see anything related to this. Has this been deprecated?
> 
> ~Doug
> 
%U is still valid and if you read 'man smb.conf' you will find this:

 %U
   session username (the username that the client wanted, not
   necessarily the same as the one they got).

You could try '%u':

 %u
   username of the current service, if any.

Rowland