Peter Milesson
2023-Jan-14 14:45 UTC
[Samba] Setting up ACL definitions in smb.conf for maximum Windows server compatibility
Hi folks,

Presently I have got an ageing Samba member server (4.10.16) under CentOS 7.9, so, I'm setting up a new Samba member server to replace the old server. I have made an initial installation with Debian Bookworm, as I want to keep at least Samba fairly up to date.

It's a small Samba based domain (Louis' packages 4.15.7) with about 15 users and a few Windows based production machine controllers. There are several groups, where almost everybody has got a specific mix of access permissions to different shares. Mostly, a specific group has got full permissions on a share, and I want to keep inheritance through Windows ACLs, unless otherwise set up for specific folders inside that share. Except for data shares, there are user profiles (using folder redirection) stored on the old server and they are also going to be migrated to the new box. The domain is mostly managed with Microsoft's RSAT tools (users/machines/shares/GPOs). There are no Linux users and will never be, except administrative user accounts for common Linux administration tasks.

I want the shares in the new server to have maximum possible Windows server compatibility to minimize quirks and non standard behavior. So I kindly ask the list for comments on my configuration. After carefully reading the Wiki pages and the list, I have come up with the following global smb.conf. If you find something that is missing or otherwise wrong, I would be very grateful for comments/suggestions. I have intentionally left out the shares, as they will be set up later.

Best regards,

Peter

[global]
   realm = SAMDOM.SPLAT
   workgroup = SAMDOM
   security = ads
   server role = member server
   kerberos method = secrets and keytab
   dedicated keytab file = /etc/krb5.keytab
   winbind refresh tickets = yes
   restrict anonymous = 2
   client signing = mandatory
   disable netbios = yes
   smbports = 445
   idmap config * : backend = tdb
   idmap config * : range = 3000-9999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-99999
   template homedir = /home/%U
   template shell = /sbin/nologin
   username map = /etc/samba/user.map
   vfs objects = acl_xattr
   acl group control = yes
   inherit owner = windows and linux
   inherit acls = yes
   map acl inherit = yes
#NOTE!!! NO during setup, YES during operation
#  acl_xattr:ignore system acls = yes
   disable spoolss = yes
   printcap name = /dev/null
   log level = 1
   timestamp logs = yes
   debug uid = yes
   debug timestamp = yes
#NOTE!!! YES during testing, NO during operation
   winbind enum groups = yes
   winbind enum users = yes
# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d
Rowland Penny
2023-Jan-14 15:39 UTC
[Samba] Setting up ACL definitions in smb.conf for maximum Windows server compatibility
On 14/01/2023 14:45, Peter Milesson via samba wrote:
> Hi folks,
>
> Presently I have got an ageing Samba member server (4.10.16) under
> CentOS 7.9, so, I'm setting up a new Samba member server to replace the
> old server. I have made an initial installation with Debian Bookworm, as
> I want to keep at least Samba fairly up to date.

You are now ahead on the OS (bookworm hasn't been released yet).

> It's a small Samba based domain (Louis' packages 4.15.7)

And behind with Samba, the latest is 4.17.4

I also cannot recommend using Louis's repo, it hasn't been updated for quite some time and it might never be updated again. I suggest that you use Debian Bullseye and Samba from backports, this will get you Samba 4.17.4

> with about 15 users and a few Windows based production machine controllers. There are
> several groups, where almost everybody has got a specific mix of access
> permissions to different shares. Mostly, a specific group has got full
> permissions on a share, and I want to keep inheritance through Windows
> ACLs, unless otherwise set up for specific folders inside that share.
> Except for data shares, there are user profiles (using folder
> redirection) stored on the old server and they are also going to be
> migrated to the new box. The domain is mostly managed with Microsoft's
> RSAT tools (users/machines/shares/GPOs). There are no Linux users and
> will never be, except administrative user accounts for common Linux
> administration tasks.

You are a bit wrong there, because you are using the 'rid' idmap backend, all your AD users will be Linux users.

> I want the shares in the new server to have maximum possible Windows
> server compatibility to minimize quirks and non standard behavior. So I
> kindly ask the list for comments on my configuration.

As you have only Windows clients, I suggest you set the permissions from Windows, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

and here:

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Because of the above, I would remove a few lines from your smb.conf:

acl group control = yes
inherit owner = windows and linux
inherit acls = yes

When creating your shares, only add the lines shown in the links above.
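The following is an added example, not code from the thread, from either poster, or from the Samba project: a small linter that parses an smb.conf in the Samba key/value format and checks the points raised in both messages above, namely that the member server stores Windows ACLs via `acl_xattr`, that every `idmap config ... : range` is well formed and disjoint from the others (overlapping ranges silently break SID-to-ID mapping), that a default `*` backend exists, and that the three options Rowland suggests dropping are flagged when ACLs are managed from Windows. The sample configuration embedded in the block is constructed, modelled on the `[global]` section posted; the function names and the finding strings are the example's own.

```python
# Added example, not code from the thread or from the Samba project: a
# small linter for the idmap and Windows-ACL settings discussed above.
# Standard library only; it runs offline against the constructed sample below.
import re

# Constructed sample modelled on the [global] section Peter posted.
SAMPLE_SMB_CONF = """
[global]
   realm = SAMDOM.SPLAT
   workgroup = SAMDOM
   security = ads
   server role = member server
   idmap config * : backend = tdb
   idmap config * : range = 3000-9999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-99999
   vfs objects = acl_xattr
   acl group control = yes
   inherit owner = windows and linux
   inherit acls = yes
   map acl inherit = yes
# a whole-line comment, the only kind smb.conf supports
"""

IDMAP_RANGE_RE = re.compile(r"^idmap config (.+?) : range$")
YES_VALUES = ("yes", "true", "1")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Samba treats keys as case-insensitive and ignores internal whitespace, so
    keys are normalised to lowercase with single spaces; values keep their case.
    Only '=' separates key from value: ':' is part of keys such as
    'idmap config * : range', so a generic INI parser that also splits on ':'
    would mangle them.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def idmap_ranges(global_sec):
    """Return {domain: (low, high)} for every 'idmap config DOM : range' key;
    a malformed range is stored as None so the linter can report it."""
    ranges = {}
    for key, value in global_sec.items():
        m = IDMAP_RANGE_RE.match(key)
        if m:
            parts = re.split(r"\s*-\s*", value)
            if len(parts) == 2 and all(p.isdigit() for p in parts):
                ranges[m.group(1)] = (int(parts[0]), int(parts[1]))
            else:
                ranges[m.group(1)] = None
    return ranges


def lint_member_server(text, acls_managed_from_windows=True):
    """Return a list of 'ERROR: ...' / 'WARN: ...' strings; empty means clean."""
    g = parse_smb_conf(text).get("global", {})
    findings = []

    if g.get("security", "").lower() != "ads" or g.get("server role", "").lower() != "member server":
        findings.append("ERROR: expected 'security = ads' and 'server role = member server'")

    # acl_xattr stores the Windows ACL in the security.NTACL extended attribute.
    if "acl_xattr" not in g.get("vfs objects", "").lower().split():
        findings.append("ERROR: 'vfs objects' does not include acl_xattr; Windows ACLs cannot be stored")
    if g.get("map acl inherit", "").lower() not in YES_VALUES:
        findings.append("WARN: 'map acl inherit = yes' is not set")

    # Each domain's idmap range must be disjoint from the others, and '*' must
    # exist to map BUILTIN and otherwise unknown SIDs.
    ranges = idmap_ranges(g)
    if "*" not in ranges or "idmap config * : backend" not in g:
        findings.append("ERROR: no default 'idmap config *' backend and range")
    valid = {}
    for dom, rng in ranges.items():
        if rng is None or rng[0] >= rng[1]:
            findings.append(f"ERROR: malformed idmap range for '{dom}'")
        else:
            valid[dom] = rng
    ordered = sorted(valid.items(), key=lambda kv: kv[1])
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in zip(ordered, ordered[1:]):
        if lo2 <= hi1:
            findings.append(f"ERROR: idmap range for '{d2}' ({lo2}-{hi2}) overlaps '{d1}' ({lo1}-{hi1})")

    # Rowland's reply suggests dropping these when ACLs are set from Windows.
    if acls_managed_from_windows:
        for opt in ("acl group control", "inherit owner", "inherit acls"):
            if opt in g:
                findings.append(f"WARN: '{opt}' is set but not needed when ACLs are managed from Windows")
    return findings


if __name__ == "__main__":
    for finding in lint_member_server(SAMPLE_SMB_CONF) or ["clean"]:
        print(finding)
```

Run against the constructed sample it reports only the three WARN lines for the options Rowland would remove; swapping the `SAMDOM` range to start inside the `*` range, or dropping `acl_xattr`, turns those into ERRORs. It complements rather than replaces `testparm`, which validates syntax and known parameter names but does not check that idmap ranges are disjoint.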