On 20/10/2022 09:28, Stefan G. Weichinger via samba wrote:
> This is a smb.conf the list has seen several times already ;-)
>
> Debian 11.5, btw
>
> I quote the conf, and only the main share for a first view. And I edit
> the realm etc
>
> This is a grown config over years, so there are many commented lines in
> there already.
>
> ->
>
> # cat /etc/samba/smb.conf
> # This file is managed remotely, all changes will be lost
>
> [global]
> workgroup = BUERO
> realm = MYDOM.AT
> netbios name = SERVER
>
> security = ADS
> map to guest = Bad User
> username map = /etc/samba/smbusers
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> #winbind enum users = Yes
> #winbind enum groups = Yes
> winbind use default domain = yes
>
> winbind offline logon = yes
>
> # Use settings from AD for login shell and home directory
> winbind nss info = template

That is interesting, mainly because you are using the idmap 'rid' backend, you can only use rfc2307 attributes from AD if you use the idmap 'ad' backend, so you might as well remove those two lines.

> template shell = /bin/bash
> template homedir = /mnt/samba/Daten/%U
>
> # obsolete with 4.8.x
> #map untrusted to domain = Yes
> #winbind trusted domains only = no
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain BUERO
> idmap config BUERO:backend = rid
> idmap config BUERO:range = 10000-99999
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
>
> # turn off roaming profiles
> logon path = ""
> logon home = ""
>
> hosts allow = localhost 192.168.16. 172.32.99.
>
> log level = 1
> log file = /var/log/samba/%m.log
> max log size = 150000
>
> # server min protocol = SMB2
> # server max protocol = SMB2
>
> #strict sync = yes
>
> # ACLs
>     store dos attributes = Yes
>     map acl inherit = Yes
>     #vfs objects = acl_xattr full_audit
>     vfs objects = acl_xattr
>
> # Audit settings
> full_audit:prefix = %u|%I|%m|%S
> full_audit:failure = connect
> full_audit:success = mkdir rmdir read pread write pwrite rename unlink
> full_audit:facility = local5
> full_audit:priority = notice
>

You might as well comment out the audit settings, you are not using them.

> # 2021-dec-30 allow domain admin in
> min domain uid = 0
>
>
> [homes]
>     comment                        = Home Directory
>     guest ok                       = no
>     read only                      = no
>     valid users                    = %S
>        invalid users = root, bin, daemon, adm, sync, shutdown, halt,
> mailnewsuucp, operator
>        browseable = No
>
> [daten]
>     comment = Daten
>     path = /mnt/samba/
>     read only = No
>     create mask = 0775
>     directory mask = 02775
>     force directory mode = 0775
>     #wide links = yes
>     #veto oplock files = /*.DAT/*.dat/
>     #oplocks = False
>     #level2 oplocks = False
>

OK, where does it say to add all those extra lines to the share ? It certainly doesn't say it here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

You didn't post the share permissions I asked for, is it possible you can do so ?

Rowland
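The two leftovers the reply above points at (`full_audit:` options kept while the active `vfs objects` line no longer loads `full_audit`, and a share carrying parameters beyond a minimal set) can be found mechanically in a grown config. This is an added example, not part of the original thread and not Samba code; the function names, `BASELINE_SHARE_KEYS`, `AUDITED_MODULES` and the trimmed sample are assumptions of the example.

```python
# Added example: lint an smb.conf for the leftovers discussed in this thread.
# BASELINE_SHARE_KEYS and AUDITED_MODULES are assumptions of this example.
BASELINE_SHARE_KEYS = {"comment", "path", "read only"}
AUDITED_MODULES = {"full_audit"}

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; '#' and ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Normalise case and spacing so lookups are stable.
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def lint(text, share):
    """Return (finding, parameter) tuples for [global] and one share."""
    conf = parse_smb_conf(text)
    glob, sect = conf.get("global", {}), conf.get(share.lower(), {})
    # A share-level "vfs objects" replaces the global one for that share.
    loaded = set(sect.get("vfs objects", glob.get("vfs objects", "")).split())
    findings = []
    for key in glob:
        module, sep, _ = key.partition(":")
        if sep and module in AUDITED_MODULES and module not in loaded:
            findings.append(("module-option-without-module", key))
    for key in sect:
        if key not in BASELINE_SHARE_KEYS:
            findings.append(("extra-share-parameter", key))
    return findings

# Constructed sample, trimmed from the configuration quoted above.
SAMPLE = """\
[global]
    # vfs objects = acl_xattr full_audit
    vfs objects = acl_xattr
    full_audit:prefix = %u|%I|%m|%S
    full_audit:failure = connect
    idmap config BUERO:backend = rid
[daten]
    path = /mnt/samba/
    read only = No
    create mask = 0775
    directory mask = 02775
    force directory mode = 0775
    #wide links = yes
"""
```

Calling `lint(SAMPLE, "daten")` lists the two `full_audit:` options and the three mask/mode parameters; each finding is a prompt to review the line, not a verdict that it is wrong.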
Stefan G. Weichinger
2022-Oct-20 11:04 UTC
[Samba] editing samba-share ACLs etc from Windows
On 20.10.22 at 11:13, Rowland Penny via samba wrote:
>> # Use settings from AD for login shell and home directory
>> winbind nss info = template
>
> That is interesting, mainly because you are using the idmap 'rid'
> backend, you can only use rfc2307 attributes from AD if you use the
> idmap 'ad' backend, so you might as well remove those two lines.
>
>> template shell = /bin/bash
>> template homedir = /mnt/samba/Daten/%U

The lines above or below your comment?

>> # ACLs
>>      store dos attributes = Yes
>>      map acl inherit = Yes
>>      #vfs objects = acl_xattr full_audit
>>      vfs objects = acl_xattr
>>
>> # Audit settings
>> full_audit:prefix = %u|%I|%m|%S
>> full_audit:failure = connect
>> full_audit:success = mkdir rmdir read pread write pwrite rename unlink
>> full_audit:facility = local5
>> full_audit:priority = notice
>>
>
> You might as well comment out the audit settings, you are not using them.

Sure, understood. Disabled that a while ago.

>> [daten]
>>      comment = Daten
>>      path = /mnt/samba/
>>      read only = No
>>      create mask = 0775
>>      directory mask = 02775
>>      force directory mode = 0775
>>      #wide links = yes
>>      #veto oplock files = /*.DAT/*.dat/
>>      #oplocks = False
>>      #level2 oplocks = False
>>
>
> OK, where does it say to add all those extra lines to the share ? It
> certainly doesn't say it here:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

As mentioned: historic and grown config ...

> You didn't post the share permissions I asked for, is it possible you
> can do so ?

Where do I take these from?

thanks