samba - Feb 2020 - Incorrect group name is displayed in folder permission list in Windows

>
> Hi, can we start by seeing your smb.conf from the file server ?

######################################################
#                     Global Config                  #
######################################################

[global]
kerberos method = system keytab
workgroup = NAME
security = ads
realm = NAME.EXAMPLE.COM

# Logging
log file = /var/log/samba/%m.log
log level = 3

# We're using the RID method of mapping SIDs to UID/GID
idmap config NAME : range = 2000000-2999999
idmap config NAME : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb

# Winbind
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no

# Map domain admin account to local root account
# and resolve other "net rpc" issues
username map = /etc/samba/user.map
bind interfaces only = yes
interfaces = lo eth0

# Enable Windows ACL support and make ACLs maximally compatible with NTFS
ACLs.
# Beyond setting the POSIX ownership and permissions for the share
directory, all ACLs
# should be managed in Windows.  See the comment in the Shares section
below for details
# about our standard share configuration (both on the Linux/POSIX side and
on the Windows side
vfs objects = acl_xattr recycle
acl_xattr:default acl style = windows
#acl_xattr:ignore system acls = yes     # PURE EVIL!  If you value your
sanity, don't use this option
map acl inherit = yes
store dos attributes = yes

# Samba version 4.9.x enabled extended attribute support, by default.
# This should be a good thing as it enables clients to make more
intelligent decisions.
# Unfortunately, customer reported that their old Windows 7 CE data
collection device,
# doesn't like the new settings, so we have to revert this feature.
ea support = no


######################################################
#             Global Security Settings               #
######################################################

# Disable SMB1, it's too old and too insecure to be used anymore
server min protocol = SMB2

# Samba AD users will not have access to a shell on linux hosts
template shell = /bin/false

# Netbios is dead, let's make it explicit
disable netbios = yes

# Win10 clients, that have negotiated an encrypted connection,
# are not able to successfully re-connect to shares,
# after being idle for an extended period of time.
# Disabling encryption resolves this issue.
smb encrypt = off

# Hide shares from users that don't have permission to see them
access based share enum = yes


######################################################
#       Automatic creation of home directories       #
######################################################

# !!! Important SELINUX configuration !!!
# For automatic creation of home directories to work,
# you must set two selinux booleans with the following commands:
# setsebool -P samba_create_home_dirs 1
# setsebool -P samba_enable_home_dirs 1
#
# Check that the selinux booleans were correctly set
# getsebool -a | grep samba | grep home
#
# For samba to serve the home dirs, they must be labeled with the
# selinux type 'samba_share_t'
# During the installation of this server a policy was created for the
# /srv/samba/ directory, which ensures all sub-folders/files are labeled
# with samba_share_t.  Therefore, as long as the home folders are located
# under /srv/samba/ this labelling will be taken care of.
# --- End of SELINUX configuration ---

# Home directories will be created at this path with %U being replaced by
# the username
template homedir = /srv/samba/Shares/Home/%U

# This share declaration works in conjunction with a GPO
# When a user logs in for the first time, a new home folder will
# be created for them on the file server and a mapped drive (H:) will
# be created in the Windows profile on their computer.  See the samba wiki
for
# details of how to create the GPO
#
https://wiki.samba.org/index.php/User_Home_Folders#Using_a_Group_Policy_Preference
[Home]
        path = /srv/samba/Shares/Home
        comment = Share for user home dirs
        guest ok = no
        read only = no
        # Recyle bin
        recycle:repository = %U/Recycle_Bin
        recycle:versions = Yes
        recycle:keeptree = Yes
        recycle:touch = Yes
        recycle:exclude = *.tmp,~$*
        recycle:exclude_dir = %U/Recycle_Bin

######################################################
#                  Standard Shares                   #
######################################################

[Shares]
       path = /srv/samba/Shares
       comment = Parent share sets top level Windows file permission
inheritance
       guest ok = no
       read only = no

[Backup]
       path = /srv/samba/Shares/Backup
       comment = Create separate folders, with locked down permissions, for
each application
       guest ok = no
       read only = no

[FTL]
       path = /srv/samba/Shares/FTL
       comment = FTL tools and documents to help with on-site service
       guest ok = no
       read only = no

[Software]
       path = /srv/samba/Shares/Software
       comment = Software for installation via GPO
       guest ok = no
       read only = no

[Top]
       path = /srv/samba/Shares/Top
       comment = Top level file share
       guest ok = no
       read only = no
        # Recyle bin
        recycle:repository = Recycle_Bin/%U
        recycle:versions = Yes
        recycle:keeptree = Yes
        recycle:touch = Yes
        recycle:exclude = *.tmp,~$*
        recycle:exclude_dir = Recycle_Bin

On 12/02/2020 11:16, Mason Schmitt wrote:
>
>     Hi, can we start by seeing your smb.conf from the file server ?
>
>
> ######################################################
> # ? ? ? ? ? ? ? ? ? ? Global Config ? ? ? ? ? ? ? ? ?#
> ######################################################
>
> [global]
> kerberos method = system keytab
> workgroup = NAME
> security = ads
> realm = NAME.EXAMPLE.COM <http://NAME.EXAMPLE.COM>
>
> # Logging
> log file = /var/log/samba/%m.log
> log level = 3
>
> # We're using the RID method of mapping SIDs to UID/GID
> idmap config NAME : range = 2000000-2999999
> idmap config NAME : backend = rid
> idmap config * : range = 10000-999999
> idmap config * : backend = tdb
>
> # Winbind
> winbind use default domain = no
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
>
> # Map domain admin account to local root account
> # and resolve other "net rpc" issues
> username map = /etc/samba/user.map
> bind interfaces only = yes
> interfaces = lo eth0
>
> # Enable Windows ACL support and make ACLs maximally compatible with 
> NTFS ACLs.
> # Beyond setting the POSIX ownership and permissions for the share 
> directory, all ACLs
> # should be managed in Windows.? See the comment in the Shares section 
> below for details
> # about our standard share configuration (both on the Linux/POSIX side 
> and on the Windows side
> vfs objects = acl_xattr recycle
> acl_xattr:default acl style = windows
> #acl_xattr:ignore system acls = yes ? ? # PURE EVIL!? If you value 
> your sanity, don't use this option
> map acl inherit = yes
> store dos attributes = yes
>
> # Samba version 4.9.x enabled extended attribute support, by default.
> # This should be a good thing as it enables clients to make more 
> intelligent decisions.
> # Unfortunately, customer reported that their old Windows 7 CE data 
> collection device,
> # doesn't like the new settings, so we have to revert this feature.
> ea support = no
>
>
> ######################################################
> # ? ? ? ? ? ? Global Security Settings ? ? ? ? ? ? ? #
> ######################################################
>
> # Disable SMB1, it's too old and too insecure to be used anymore
> server min protocol = SMB2
>
> # Samba AD users will not have access to a shell on linux hosts
> template shell = /bin/false
>
> # Netbios is dead, let's make it explicit
> disable netbios = yes
>
> # Win10 clients, that have negotiated an encrypted connection,
> # are not able to successfully re-connect to shares,
> # after being idle for an extended period of time.
> # Disabling encryption resolves this issue.
> smb encrypt = off
>
> # Hide shares from users that don't have permission to see them
> access based share enum = yes
>
>
> ######################################################
> # ? ? ? Automatic creation of home directories ? ? ? #
> ######################################################
>
> # !!! Important SELINUX configuration !!!
> # For automatic creation of home directories to work,
> # you must set two selinux booleans with the following commands:
> # setsebool -P samba_create_home_dirs 1
> # setsebool -P samba_enable_home_dirs 1
> #
> # Check that the selinux booleans were correctly set
> # getsebool -a | grep samba | grep home
> #
> # For samba to serve the home dirs, they must be labeled with the
> # selinux type 'samba_share_t'
> # During the installation of this server a policy was created for the
> # /srv/samba/ directory, which ensures all sub-folders/files are labeled
> # with samba_share_t.? Therefore, as long as the home folders are located
> # under /srv/samba/ this labelling will be taken care of.
> # --- End of SELINUX configuration ---
>
> # Home directories will be created at this path with %U being replaced by
> # the username
> template homedir = /srv/samba/Shares/Home/%U
>
> # This share declaration works in conjunction with a GPO
> # When a user logs in for the first time, a new home folder will
> # be created for them on the file server and a mapped drive (H:) will
> # be created in the Windows profile on their computer.? See the samba 
> wiki for
> # details of how to create the GPO
> # 
>
https://wiki.samba.org/index.php/User_Home_Folders#Using_a_Group_Policy_Preference
> [Home]
> ? ? ? ? path = /srv/samba/Shares/Home
> ? ? ? ? comment = Share for user home dirs
> ? ? ? ? guest ok = no
> ? ? ? ? read only = no
> ? ? ? ? # Recyle bin
> ? ? ? ? recycle:repository = %U/Recycle_Bin
> ? ? ? ? recycle:versions = Yes
> ? ? ? ? recycle:keeptree = Yes
> ? ? ? ? recycle:touch = Yes
> ? ? ? ? recycle:exclude = *.tmp,~$*
> ? ? ? ? recycle:exclude_dir = %U/Recycle_Bin
>
> ######################################################
> # ? ? ? ? ? ? ? ? ?Standard Shares ? ? ? ? ? ? ? ? ? #
> ######################################################
>
> [Shares]
> ? ? ? ?path = /srv/samba/Shares
> ? ? ? ?comment = Parent share sets top level Windows file permission 
> inheritance
> ? ? ? ?guest ok = no
> ? ? ? ?read only = no
>
> [Backup]
> ? ? ? ?path = /srv/samba/Shares/Backup
> ? ? ? ?comment = Create separate folders, with locked down 
> permissions, for each application
> ? ? ? ?guest ok = no
> ? ? ? ?read only = no
>
> [FTL]
> ? ? ? ?path = /srv/samba/Shares/FTL
> ? ? ? ?comment = FTL tools and documents to help with on-site service
> ? ? ? ?guest ok = no
> ? ? ? ?read only = no
>
> [Software]
> ? ? ? ?path = /srv/samba/Shares/Software
> ? ? ? ?comment = Software for installation via GPO
> ? ? ? ?guest ok = no
> ? ? ? ?read only = no
>
> [Top]
> ? ? ? ?path = /srv/samba/Shares/Top
> ? ? ? ?comment = Top level file share
> ? ? ? ?guest ok = no
> ? ? ? ?read only = no
> ? ? ? ? # Recyle bin
> ? ? ? ? recycle:repository = Recycle_Bin/%U
> ? ? ? ? recycle:versions = Yes
> ? ? ? ? recycle:keeptree = Yes
> ? ? ? ? recycle:touch = Yes
> ? ? ? ? recycle:exclude = *.tmp,~$*
> ? ? ? ? recycle:exclude_dir = Recycle_Bin
What is in the username map ?

Rowland

>
> What is in the username map ?
>
  !root = NAME\Administrator NAME\administrator Administrator
administrator