samba - Dec 2019 - Building a replacement Samba4 server to replace a Samba3 system, running into file rights issues.

Mandi! Rowland penny via samba
  In chel di` si favelave...
> Do you mean apart from '$((${LOT} + ${LOD}))' should really be
> '$((LOT+LOD))' ?
Apart bashism, this seems not the point:

 root at vdcsv1:~# bash -vx  /tmp/test
 LOT=1
 + LOT=1
 
 LOD=1
 + LOD=1
 
 TMPF=$((${LOT} + ${LOD}))
 + TMPF=2
 echo $TMPF
 + echo 2
 2
 
 TMPF=$((LOT+LOD))
 + TMPF=2
 echo $TMPF
 + echo 2
 2

> I take it that you are calling the function like this: user_is_locked gaio
> try it like this: res=$(user_is_locked gaio)
> change all 'return' to 'echo'
> Then check what "$res" is
I've runm the script manually with 'bash -x', and so i've seen
that LOT
is non zero, while LOD is zero.

But clearly 'LockoutTime' is in the past, and with a duration of
zero... it is still in the past. ;-)


So, i restate the question: how can i determine if account is locked
with an LDAP query?!


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bont?, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

On 03/12/2019 16:51, Marco Gaiarin via samba wrote:
> Mandi! Rowland penny via samba
>    In chel di` si favelave...
>
>> Do you mean apart from '$((${LOT} + ${LOD}))' should really be
>> '$((LOT+LOD))' ?
> Apart bashism, this seems not the point:
>
>   root at vdcsv1:~# bash -vx  /tmp/test
>   LOT=1
>   + LOT=1
>   
>   LOD=1
>   + LOD=1
>   
>   TMPF=$((${LOT} + ${LOD}))
>   + TMPF=2
>   echo $TMPF
>   + echo 2
>   2
>   
>   TMPF=$((LOT+LOD))
>   + TMPF=2
>   echo $TMPF
>   + echo 2
>   2
>
>
>> I take it that you are calling the function like this: user_is_locked
gaio
>> try it like this: res=$(user_is_locked gaio)
>> change all 'return' to 'echo'
>> Then check what "$res" is
> I've runm the script manually with 'bash -x', and so i've
seen that LOT
> is non zero, while LOD is zero.
>
> But clearly 'LockoutTime' is in the past, and with a duration of
> zero... it is still in the past. ;-)
>
>
> So, i restate the question: how can i determine if account is locked
> with an LDAP query?!
>
>
> Thanks.
>
I think you are over thinking this ;-)

By default, a user object doesn't have a lockouttime attribute, so isn't
locked out.

If it does have a lockouttime attribute, it can be zero or non zero, if 
it is zero, it isn't locked out. If it is non zero, the account is 
locked out.

So, all you need to do, check for the lockouttime attribute and if found 
and it isn't '0', set it to '0'

Rowland

Mandi! Rowland penny via samba
  In chel di` si favelave...
> I think you are over thinking this ;-)
I'm simply applying the policy... ;-)

	https://docs.microsoft.com/it-it/windows/win32/adschema/a-lockouttime

say at the bottom:

 This attribute value is only reset when the account is logged onto
successfully.
 This means that this value may be non zero, yet the account is not locked out.
 To accurately determine if the account is locked out, you must add the
Lockout-Duration
 to this time and compare the result to the current time, accounting for local
time zones
 and daylight savings time.

> So, all you need to do, check for the lockouttime attribute and if found
and
> it isn't '0', set it to '0'
Better to fire up a bug? Or there's an operational field like
'LockoutExpiration' to test with?


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bont?, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

I am building a Samba4 setup to replace a Samba3 server I built for 
small non profit school back in 2012.

It is running CentOS 6.x, samba version 3.6.23-52.el6_10.? Rather than 
attempt to upgrade this system to Samba4, it makes more sense (to me at 
least) to build a new server and move the data.

Currently I have 2 samba servers running as virtual machines under kvm.? 
One is the AD server, the other is a member server that is running the 
file shares.? The kvm server and the samba servers are all running 
Debian 10, and I am using the default Debian 10 repos for the samba 
packages.

The current problem I am running into are the rights on the shares for 
the users.? When I create a user via aduc, and set the home directory, 
it gets created as it should, but all users can see all the home 
directories, including contents.? I am also running into rights issues 
with the shared directories also.

I can join Windows 10 and 7 computers into AD with out any issues, so I 
am assuming I set something up wrong, either in AD or when I added the 
2nd server for file services.

Config info for the 2 servers follow:

AD server

Collected config? --- 2019-11-30-09:05 -----------

Hostname: srv1
DNS Domain: brec.example.org
FQDN: srv1.brec.example.org
ipaddress: 192.168.15.4

-----------

Kerberos SRV _kerberos._tcp.brec.example.org record verified ok, sample 
output:
Server:??? ??? 192.168.15.4
Address:??? 192.168.15.4#53

_kerberos._tcp.brec.example.org??? service = 0 100 88 srv1.brec.example.org.
Samba is running as an AD DC

-----------
 ?????? Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------


This computer is running Debian 10.2 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
group default qlen 1000
 ??? link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 ??? inet 127.0.0.1/8 scope host lo
 ??? inet6 ::1/128 scope host
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
state UP group default qlen 1000
 ??? link/ether 52:54:00:0e:ca:e6 brd ff:ff:ff:ff:ff:ff
 ??? inet 192.168.15.4/24 brd 192.168.15.255 scope global enp1s0
 ??? inet6 fe80::5054:ff:fe0e:cae6/64 scope link

-----------
 ?????? Checking file: /etc/hosts

127.0.0.1??? localhost
192.168.15.4??? srv1.brec.example.org srv1

# The following lines are desirable for IPv6 capable hosts
# ::1???? localhost ip6-localhost ip6-loopback
# ff02::1 ip6-allnodes
# ff02::2 ip6-allrouters

-----------

 ?????? Checking file: /etc/resolv.conf

domain brec.example.org
search brec.example.org. example.org.
nameserver 192.168.15.4

-----------

 ?????? Checking file: /etc/krb5.conf

[libdefaults]
 ??? default_realm = BREC.EXAMPLE.ORG
 ??? dns_lookup_realm = false
 ??? dns_lookup_kdc = true

-----------

 ?????? Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this
file.

passwd:???????? compat files systemd
group:????????? compat files systemd
shadow:???????? compat files
gshadow:??????? files

hosts:????????? files dns
networks:?????? files

protocols:????? db files
services:?????? db files
ethers:???????? db files
rpc:??????????? db files

netgroup:?????? nis

-----------

 ?????? Checking file: /etc/samba/smb.conf

# Global parameters
[global]
 ??? dns forwarder = 192.168.15.1
 ??? netbios name = SRV1
 ??? realm = BREC.EXAMPLE.ORG
 ??? server role = active directory domain controller
 ??? workgroup = BREC
 ??? idmap_ldb:use rfc2307 = yes

 ??? template shell = /bin/bash
 ??? template homedir = /home/%U

[netlogon]
 ??? path = /var/lib/samba/sysvol/brec.example.org/scripts
 ??? read only = No

[sysvol]
 ??? path = /var/lib/samba/sysvol
 ??? read only = No

-----------

BIND_DLZ not detected in smb.conf

-----------

Installed packages:
ii? attr?????????????????????????? 1:2.4.48-4 amd64??????? utilities for 
manipulating filesystem extended attributes
ii? krb5-config??????????????????? 2.6 all????????? Configuration files 
for Kerberos Version 5
ii? krb5-locales?????????????????? 1.17-3 all????????? 
internationalization support for MIT Kerberos
ii? krb5-user????????????????????? 1.17-3 amd64??????? basic programs to 
authenticate using MIT Kerberos
ii? libacl1:amd64????????????????? 2.2.53-4 amd64??????? access control 
list - shared library
ii? libattr1:amd64???????????????? 1:2.4.48-4 amd64??????? extended 
attribute handling - shared library
ii? libgssapi-krb5-2:amd64???????? 1.17-3 amd64??????? MIT Kerberos 
runtime libraries - krb5 GSS-API Mechanism
ii? libkrb5-3:amd64??????????????? 1.17-3 amd64??????? MIT Kerberos 
runtime libraries
ii? libkrb5support0:amd64????????? 1.17-3 amd64??????? MIT Kerberos 
runtime libraries - Support library
ii? libnss-winbind:amd64?????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
Samba nameservice integration plugins
ii? libpam-winbind:amd64?????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
Windows domain authentication integration plugin
ii? libsmbclient:amd64???????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
shared library for communication with SMB/CIFS servers
ii? libwbclient0:amd64???????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
Samba winbind client library
ii? python-samba?????????????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
Python bindings for Samba
ii? samba????????????????????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
SMB/CIFS file, print, and login server for Unix
ii? samba-common?????????????????? 2:4.9.5+dfsg-5+deb10u1 all????????? 
common files used by both the Samba server and client
ii? samba-common-bin?????????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
Samba common files used by both the server and the client
ii? samba-dsdb-modules:amd64?????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
Samba Directory Services Database
ii? samba-libs:amd64?????????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
Samba core libraries
ii? samba-vfs-modules:amd64??????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
Samba Virtual FileSystem plugins
ii? smbclient????????????????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
command-line SMB/CIFS clients for Unix
ii? winbind??????????????????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
service to resolve user and group information from Windows NT servers

-----------


Member server, for file services:

Collected config? --- 2019-11-30-10:16 -----------

Hostname: srv2
DNS Domain: brec.example.org
FQDN: srv2.brec.example.org
ipaddress: 192.168.15.5

-----------

Kerberos SRV _kerberos._tcp.brec.example.org record verified ok, sample 
output:
Server:??? ??? 192.168.15.4
Address:??? 192.168.15.4#53

_kerberos._tcp.brec.example.org??? service = 0 100 88 srv1.brec.example.org.
Samba is running as a Unix domain member

-----------
 ?????? Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------


This computer is running Debian 10.2 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
group default qlen 1000
 ??? link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 ??? inet 127.0.0.1/8 scope host lo
 ??? inet6 ::1/128 scope host
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
state UP group default qlen 1000
 ??? link/ether 52:54:00:73:02:4b brd ff:ff:ff:ff:ff:ff
 ??? inet 192.168.15.5/24 brd 192.168.15.255 scope global enp1s0
 ??? inet6 fe80::5054:ff:fe73:24b/64 scope link

-----------
 ?????? Checking file: /etc/hosts

127.0.0.1??? localhost
192.168.15.5??? srv2.brec.example.org srv2

# The following lines are desirable for IPv6 capable hosts
# ::1???? localhost ip6-localhost ip6-loopback
# ff02::1 ip6-allnodes
# ff02::2 ip6-allrouters

-----------

 ?????? Checking file: /etc/resolv.conf

domain example.org
search brec.example.org. example.org.
nameserver 192.168.15.4

-----------

 ?????? Checking file: /etc/krb5.conf

[libdefaults]
 ??????? default_realm = BREC.EXAMPLE.ORG
 ??????? dns_lookup_realm = false
 ??????? dns_lookup_kdc = true
 ??? forwardable = true
 ??? proxiable = true
;??? ticket_lifetime = 24h
;??? renew_lifetime = 7d
;??? ccache_type = 4
;
; Enable this one if you have a tight setup where only the user can 
enter the user home dir.
; You might need it with cifs mounts, nfs mounts
;??? ignore_k5login = true


; A note: This is not used for nfs4 but cifs uses it.
; for Windows 2003
;??? default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;??? default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;??? permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;
; for Windows 2008 with AES
 ??? default_tgs_enctypes =? aes256-cts-hmac-sha1-96 
aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 ??? default_tkt_enctypes = aes256-cts-hmac-sha1-96 
aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 ??? permitted_enctypes = aes256-cts-hmac-sha1-96 
aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

-----------

 ?????? Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this
file.

passwd:???????? compat files systemd winbind
group:????????? compat files systemd winbind
shadow:???????? files
gshadow:??????? files

hosts:????????? files dns
networks:?????? files

protocols:????? db files
services:?????? db files
ethers:???????? db files
rpc:??????????? db files

netgroup:?????? nis

-----------

 ?????? Checking file: /etc/samba/smb.conf

# Global parameters
[global]
 ??????? realm = BREC.EXAMPLE.ORG
 ??????? workgroup = BREC
 ??? security = ADS
#
 ??? preferred master = no
 ??? domain master = no
 ??? dedicated keytab file = /etc/krb5.keytab
 ??? kerberos method = secrets and keytab
#
 ??? idmap config * : backend = tdb
 ??? idmap config * : range = 3000-7000
#
 ??? idmap config BREC : backend = ad
 ??? idmap config BREC : schema_mode = rfc2307
 ??? idmap config BREC : range = 10000-999999
# idmap config BREC : unix_nss_info = yes # Only in Samba 4.6+

 ??????? template shell = /bin/bash
 ??????? template homedir = /brecdata/user/%U

# Renew the kerberos tickets
 ??? winbind refresh tickets = yes
# Enable offline logins
 ??? winbind offline logon = yes
# User uid/Gid from AD. (rfc2307)
 ??? winbind nss info = rfc2307
#
# With default domain, wbinfo -u, yes = username, no is SAMBADOM\username
 ??? winbind use default domain = yes
#??? winbind trusted domains only = no

# Keep no in production, set yes when debugging, this slows down your samba.
 ??? winbind enum users? = no
 ??? winbind enum groups = no

# Check depth of nested groups, ! slows down you samba, if to much 
groups depth
# Samba default is 0, i suggest a minimal of 2 in this setup, advices is 4.
 ??? winbind expand groups = 4

# User Administrator workaround, without it you are unable to set privileges
# !Note: When using the AD ID mapping back end, do not set the uidNumber 
attribute for the domain administrator account.
# If the account has the attribute set, the value overrides the local 
UID 0 of the root user and thus the mapping fails.
 ??? username map = /etc/samba/samba_usermapping

# disable usershares creating, when set empty no error log messages.
 ??? usershare path 
# Disable printing completely
 ??? load printers = no
 ??? printing = bsd
 ??? printcap name = /dev/null
 ??? disable spoolss = yes
#
# For Windows ACL support on member file server, enabled globaly, OBLIGATED
# For a mixed setup of rights, put this per share!
 ??? vfs objects = acl_xattr
 ??? map acl inherit = yes
 ??? store dos attributes = yes
#
# Share Setting Globally
 ??? veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
 ??? hide unreadable = yes
#
######## SHARE DEFINITIONS ##################
[samba$]
 ??? # Used for Administrative things only.
 ??? browseable = yes
 ??? path = /brecdata/samba
 ??? read only = no

[profiles]
 ??? # user profiles folder
 ??? browseable = yes
 ??? path = /brecdata/samba/profiles
 ??? read only = no
 ??? acl_xattr:ignore system acl = yes

[users]
 ??? # user homedirs
 ??? browseable = yes
 ??? path = /brecdata/users
 ??? read only = no
 ??? acl_xattr:ignore system acl = yes

[staff]
 ??? # data share for domain/company
 ??? browseable = yes
 ??? path = /brecdata/staff
 ??? read only = no

[hr]
 ??? # data share for hr files
 ??? browseable = yes
 ??? path = /brecdata/hr
 ??? read only = no

[sysadmin]
 ??? # sysadmin related files
 ??? browseable = yes
 ??? path = /brecdata/sysadmin
 ??? read only = no

-----------

Running as Unix domain member and user.map detected.

Contents of /etc/samba/samba_usermapping

!root = BREC\Administrator BREC\administrator

Server Role is set to :? auto

-----------

Installed packages:
ii? acl??????????????????????????? 2.2.53-4 amd64??????? access control 
list - utilities
ii? attr?????????????????????????? 1:2.4.48-4 amd64??????? utilities for 
manipulating filesystem extended attributes
ii? krb5-config??????????????????? 2.6 all????????? Configuration files 
for Kerberos Version 5
ii? krb5-locales?????????????????? 1.17-3 all????????? 
internationalization support for MIT Kerberos
ii? krb5-user????????????????????? 1.17-3 amd64??????? basic programs to 
authenticate using MIT Kerberos
ii? libacl1:amd64????????????????? 2.2.53-4 amd64??????? access control 
list - shared library
ii? libattr1:amd64???????????????? 1:2.4.48-4 amd64??????? extended 
attribute handling - shared library
ii? libgssapi-krb5-2:amd64???????? 1.17-3 amd64??????? MIT Kerberos 
runtime libraries - krb5 GSS-API Mechanism
ii? libkrb5-3:amd64??????????????? 1.17-3 amd64??????? MIT Kerberos 
runtime libraries
ii? libkrb5support0:amd64????????? 1.17-3 amd64??????? MIT Kerberos 
runtime libraries - Support library
ii? libnss-winbind:amd64?????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
Samba nameservice integration plugins
ii? libpam-winbind:amd64?????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
Windows domain authentication integration plugin
ii? libsmbclient:amd64???????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
shared library for communication with SMB/CIFS servers
ii? libwbclient0:amd64???????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
Samba winbind client library
ii? python-samba?????????????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
Python bindings for Samba
ii? samba????????????????????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
SMB/CIFS file, print, and login server for Unix
ii? samba-common?????????????????? 2:4.9.5+dfsg-5+deb10u1 all????????? 
common files used by both the Samba server and client
ii? samba-common-bin?????????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
Samba common files used by both the server and the client
ii? samba-dsdb-modules:amd64?????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
Samba Directory Services Database
ii? samba-libs:amd64?????????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
Samba core libraries
ii? samba-vfs-modules:amd64??????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
Samba Virtual FileSystem plugins
ii? smbclient????????????????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
command-line SMB/CIFS clients for Unix
ii? winbind??????????????????????? 2:4.9.5+dfsg-5+deb10u1 amd64??????? 
service to resolve user and group information from Windows NT servers

-----------

The intent is to manage the system using rsat, and all clients machines 
will be running windows 10 once this is done.

All user data, home directories and shared directories are on srv2, 
located under \brecdata.

If you need any more info, let me know, I am sure I left something 
out.... :o).

Thanks,
Howard

On 08/12/2019 18:18, Howard Fleming via samba wrote:
> I am building a Samba4 setup to replace a Samba3 server I built for 
> small non profit school back in 2012.
>
> It is running CentOS 6.x, samba version 3.6.23-52.el6_10.? Rather than 
> attempt to upgrade this system to Samba4, it makes more sense (to me 
> at least) to build a new server and move the data.
Good plan, at least you start without any bad ideas from an NT4-style
domain
>
> Currently I have 2 samba servers running as virtual machines under 
> kvm.? One is the AD server, the other is a member server that is 
> running the file shares.? The kvm server and the samba servers are all 
> running Debian 10, and I am using the default Debian 10 repos for the 
> samba packages.
>
> The current problem I am running into are the rights on the shares for 
> the users.? When I create a user via aduc, and set the home directory, 
> it gets created as it should, but all users can see all the home 
> directories, including contents.? I am also running into rights issues 
> with the shared directories also.
How are the users home directories being created, are you using 
pam_mkhomedir ?

If so, this could be your problem.
>
> I can join Windows 10 and 7 computers into AD with out any issues, so 
> I am assuming I set something up wrong, either in AD or when I added 
> the 2nd server for file services.
Just a few notes on your files:

I would remove example.com from the search line in the /etc/resolv.conf 
files

You do not need the template lines in the DC smb.conf, you are not 
allowing anyone to login in.

I would also install the libpam-krb5 package on both machines

On the Member server, you have commented out 'idmap config BREC : 
unix_nss_info = yes' which is correct for your version of Samba, but you 
have 'winbind nss info = rfc2307' which is wrong for your Samba version.
You also have:
 ??????? template shell = /bin/bash
 ??????? template homedir = /brecdata/user/%U

Which means that you are not using the RFC2307 attributes in AD, so you 
don't need 'idmap config BREC : unix_nss_info = yes' anyway

You do not need to set 'browseable = yes' on the shares, it is the
default

It might help if you read this:

https://wiki.samba.org/index.php/User_Home_Folders

Rowland