Hi
My lab setup:
A Windows Server 2019, configured as PDC, called X
A Windows 10 Pro workstation, domain member, called Y
An Ubuntu 18 server with Samba 4.7, configured as a member server, called Z
All are KVM virtual machines on a single host. IP and DNS work fine
between all of them.
Sharing setup on Samba
Personal home shares in /User, configured in the AD profiles as home
directories \\Z\Users\%username%.
Group shares Finance (Ekonomi), Management (Ledning) and Public (Data) as
/share/ekonomi, /share/ledning and /share/data.
Sharing setup in AD
Groups Finance and Management
Users Bengt (member of Management and Finance), Anders (member of Finance)
and Lars (no app group membership)
What works:
Basic file and folder sharing between all combinations of X, Y and Z
Shares on Z can be browsed from X and Y
Domain membership between Z and X (wbinfo etc works fine)
User home shares mapped as U: work fine. Users can only access their own
/User shares.
Anders and Bengt can browse and access the two app group shares correctly.
Lars is denied access.
What does NOT work:
I am probably missing something important, but the complexity of mixing
"valid users", Unix permissions and ACL entries makes me dizzy.
However, Domain admins (administrator account) can NOT access any of the
group shares.
anders@hp-srv02:/$ getfacl share/Ekonomi
# file: share/Ekonomi
# owner: nobody
# group: nogroup
user::rwx
user:administrator:rwx
user:30512:rwx
user:31109:rwx
user:nobody:rwx
group::r-x
group:administrator:rwx
group:domain\040admins:rwx
group:ekonomi:rwx
group:nogroup:r-x
mask::rwx
other::---
default:user::rwx
default:user:nobody:rwx
default:group::rwx
default:group:nogroup:rwx
My smb.conf
# Global parameters
[global]
netbios name = HP-SRV02
bind interfaces only = yes
interfaces = lo ens3
realm = DG.LOCAL
server role = MEMBER SERVER
security = ADS
workgroup = DG
username map = /etc/samba/user.map
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config DG : backend = rid
idmap config DG : range = 30000-40000
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
encrypt passwords = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind expand groups = yes
winbind use default domain = yes
os level = 20
domain master = no
local master = no
preferred master = no
map to guest = bad user
host msdfs = no
client min protocol = SMB2
client max protocol = SMB3
client use spnego = yes
client ntlmv2 auth = yes
unix extensions = no
reset on zero vc = yes
hide unreadable = yes
acl group control = yes
acl map full control = yes
map acl inherit = yes
ea support = yes
vfs objects = acl_xattr
store dos attributes = yes
dos filemode = yes
dos filetimes = yes
restrict anonymous = 2
strict allocate = yes
guest ok = no
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
[Users]
comment = "User home directories"
path = /Users
read only = no
force create mode = 0600
force directory mode = 0700
valid users = @"Domain users"
[Profiles]
comment = "Roaming profiles"
path = /share/profiles
create mask = 0770
browseable = yes
writeable = yes
valid users = @"Domain admins",@"Domain users"
[Data]
comment = "User share"
path = /share/data
create mask = 0770
browseable = yes
writeable = yes
guest ok = yes
valid users = @"Domain users"
[Ledning]
comment = "Ledningens dokument"
path = /share/Ledning
guest ok = no
create mask = 0770
browseable = yes
writeable = yes
valid users = @"Domain admins",@"Ledning"
inherit acls = yes
[Ekonomi]
comment = "Ekonomi dokument"
path = /share/Ekonomi
create mask = 0770
guest ok = no
browseable = yes
writeable = yes
valid users = @"Ekonomi",@"Domain admins","Administrator"
inherit acls = yes
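The getfacl listing in the post is the one layer that can be reasoned about mechanically: once Samba has passed the share's `valid users` check at tree connect and is acting as the mapped Unix user, the kernel decides with the acl(5) algorithm. The script below is an added example, not code from the original post or from Samba, that evaluates a POSIX ACL for a given principal in exactly that order. The first ACL text is a constructed copy of the listing above; the second ACL, the users `bob` and `alice`, and the assumption that uid 30512 is anders' RID-mapped uid are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post): evaluate a POSIX ACL with the
# acl(5) algorithm: owner, named user, owning/named groups (masked), other.

# Constructed copy of the getfacl output posted for /share/Ekonomi.
ACL_EKONOMI='# owner: nobody
# group: nogroup
user::rwx
user:administrator:rwx
user:30512:rwx
user:31109:rwx
user:nobody:rwx
group::r-x
group:administrator:rwx
group:domain\040admins:rwx
group:ekonomi:rwx
group:nogroup:r-x
mask::rwx
other::---'

# Constructed, hypothetical ACL: restrictive mask plus a weak named-user entry.
ACL_MASKED='# owner: root
# group: root
user::rwx
user:bob:r-x
group::r-x
group:ekonomi:rwx
mask::r-x
other::---'

# has_perm PERMS WANT: 0 if every letter of WANT (subset of rwx) is in PERMS
has_perm() {
  local perms="$1" want="$2" c
  while [ -n "$want" ]; do
    c=${want%"${want#?}"}; want=${want#?}          # peel off first character
    case $perms in *"$c"*) ;; *) return 1 ;; esac
  done
  return 0
}

# masked PERMS MASK: PERMS with every bit cleared that MASK does not allow
masked() {
  local out='' c
  for c in r w x; do
    case $1 in *"$c"*) case $2 in *"$c"*) out="$out$c"; continue ;; esac ;; esac
    out="$out-"
  done
  printf '%s' "$out"
}

# verdict USER PERMS WANT WHY: print and return the decision of the applying entry
verdict() {
  if has_perm "$2" "$3"; then printf '%s: granted by %s (%s)\n' "$1" "$4" "$2"; return 0; fi
  printf '%s: denied by %s (%s)\n' "$1" "$4" "$2"; return 1
}

# acl_access ACL USER "GROUPS" WANT -> exit 0 granted, 1 denied
#   USER and GROUPS spelled as getfacl prints them (a space is \040); GROUPS
#   lists every group of the process; WANT is e.g. r, w, rw, rwx.
acl_access() {
  local acl="$1" user="$2" groups="$3" want="$4"
  local owner ogroup mask line tag rest qual perms eff
  local owner_perms='' named_perms='' gperms='' other_perms='---'
  owner=$(printf '%s\n' "$acl" | sed -n 's/^# owner: //p')
  ogroup=$(printf '%s\n' "$acl" | sed -n 's/^# group: //p')
  # getfacl prints the mask after the group entries, so fetch it first
  mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\).*/\1/p')
  [ -n "$mask" ] || mask=rwx
  while IFS= read -r line; do
    case $line in ''|'#'*|default:*|mask:*) continue ;; esac
    tag=${line%%:*}; rest=${line#*:}; qual=${rest%%:*}
    perms=$(printf '%.3s' "${rest#*:}")            # drop any "#effective:" note
    case $tag in
      user)  if [ -z "$qual" ]; then owner_perms=$perms
             elif [ "$qual" = "$user" ]; then named_perms=$perms; fi ;;
      group) case " $groups " in *" ${qual:-$ogroup} "*)   # one entry with all bits grants
               eff=$(masked "$perms" "$mask")
               if [ -z "$gperms" ] || has_perm "$eff" "$want"; then gperms=$eff; fi ;;
             esac ;;
      other) other_perms=$perms ;;
    esac
  done <<EOF
$acl
EOF
  # kernel order: an earlier matching step is final even when it denies
  if [ "$user" = "$owner" ]; then verdict "$user" "$owner_perms" "$want" "owner entry user::"; return; fi
  if [ -n "$named_perms" ]; then verdict "$user" "$(masked "$named_perms" "$mask")" "$want" "user:$user, masked"; return; fi
  if [ -n "$gperms" ]; then verdict "$user" "$gperms" "$want" "a matching group entry, masked"; return; fi
  verdict "$user" "$other_perms" "$want" "other::"
}

# Checks matching what the post reports; 30512 as anders' uid is an assumption.
acl_access "$ACL_EKONOMI" 30512 'domain\040users ekonomi' rw || :
acl_access "$ACL_EKONOMI" lars 'domain\040users' r || :
acl_access "$ACL_EKONOMI" administrator 'domain\040users domain\040admins' rw || :
acl_access "$ACL_MASKED" bob ekonomi w || :      # named-user r-x beats group rwx
acl_access "$ACL_MASKED" alice ekonomi w || :    # mask r-x strips w from group
```

Two things it makes visible. The lookup stops at the first step that matches, so a named user entry such as `user:administrator:rwx` decides before any group entry is consulted, and a weak named-user entry cannot be rescued by a strong group entry; and the mask caps every entry except the owner's and `other`. An entry only applies if the name or number Samba runs the connection as (after `username map` and idmap) matches it literally, so the useful check on Z is `id <user>` for the account in question, compared against the listing. The numeric entries `user:30512` and `user:31109` mean getfacl could not resolve those uids to names through NSS at the moment it ran.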