Hello Forum,

can you please assist me in trying to set up a Samba file server which is integrated into a Samba AD DC? I am almost there but still having issues. I am missing something, but I am not sure what, and I have been trying this for weeks. My experience: Advanced.

Background:
FS: CentOS 7 with latest updates. Fresh install.
AD DC: CentOS 7 with latest updates. Old system (2011). Samba 4.3.1
Windows Server 2012 as client.
User A is in the group "Domain Users" (once logged into server to create home dir)
User B is in the group "Domain Users"
User Z is in the group "Domain Admins" (once logged into server to create home dir)

- I would like to use SSS for authentication with WINBIND for Samba.
- User should be able to log in using only the username without domain prefix/suffix.
- Access control should be done via Posix ACLs (according to my understanding). I am using the default ext4 partition.
- Samba serves home folders, public and specific shares.
- Shares can be accessed from Windows 10/Server 2012 and Linux
- Recycle function should be enabled but this is not part of my question here (yet?).


These are my steps to install the file server:
1. Set hostname wherever possible. Reverse DNS entry is set.

2. Configure krb5.conf (also setting rdns=false for some old reason)

3. yum -y install sssd realmd ntp adcli oddjob-mkhomedir oddjob samba-winbind-clients samba-winbind samba-common-tools sssd-winbind-idmap
I am not sure if I need samba-winbind-krb5-locator. I doubt it.

4. Set up NTP

5. realm join --membership-software=samba ${DOMAIN} # joins sssd and winbind

6. edit /etc/sssd/sssd.conf
default_domain_suffix = ${DOMAIN}
full_name_format = %1$s
auto_private_groups = true
fallback_homedir = /storage0/data/%u
After configuration: service sssd stop ; rm -rf /var/lib/sss/db/* ; service sssd start

7. yum -y install samba

8. edit /etc/samba/smb.conf
[global]
password server = *
encrypt passwords = yes
invalid users = cdrom bin sys uucp
hosts allow = 127. 192.168.
kerberos method = system keytab
idmap config ADS : range = 2000000-29999999
idmap config ADS : backend = sss
idmap config * : range = 10000-999999
idmap config * : backend = tdb
template shell = /bin/bash
template homedir = /storage0/data/%U
inherit acls = yes
map acl inherit = yes
store dos attributes = yes
realm = ADS.EXAMPLE.COM
security = ads
workgroup = ADS
printcap name = /dev/null
load printers = no
max log size = 50
log level = 3
browseable = yes
acl group control = yes


inherit permissions = Yes
map hidden = yes
strict allocate = no

passdb backend = tdbsam

printing = cups
cups options = raw

[homes]
comment = Home Directories
browseable = No
read only = No
[apps]
path = /storage0/data/backups
read only = no
[backups]
path = /storage0/data/backups
read only = no
[dropbox]
path = /storage0/data/dropbox
read only = no
[public]
path = /storage0/data/public
read only = no
[recycle]
path = /storage0/data/recycle
read only = no
[shared]
path = /storage0/data/shared
read only = no

9. Disable firewalld and selinux for now

10. Create folders:
mkdir -p /storage0/data
cd /storage0/data
mkdir -p apps backups dropbox public recycle shared
chown -R :"domain admins" /storage0/data
chmod -R 2770 *

11. Start file server
systemctl enable winbind; service winbind start
systemctl enable smb; service smb start


Overall, the shares are available and sometimes work and sometimes don't. This is confusing me as I cannot pinpoint the issue. One of my assumptions is that the configuration of smb.conf is cached and not always loaded from file. Once I managed to get the whole setup to work, but after re-installing I couldn't get it to work anymore.

These are the issues that I am facing (tested on Windows only at the moment):
1. On Windows, User Z can add User Z to the home folder ACL. But not User A or User B.
2. On Windows, User A can add User Z to the home folder ACL. But not User A or User B. (User A is only added via unix rights, not ACL).

This is the log I get when User A tries to add User B to the ACL:
Code:
[2019/02/19 11:27:47.334230,  2] ../source3/smbd/dosmode.c:136(unix_mode)
  unix_mode(.) inheriting from .
[2019/02/19 11:27:47.334292,  2] ../source3/smbd/dosmode.c:161(unix_mode)
  unix_mode(.) inherit mode 42770
[2019/02/19 11:27:47.334810,  3] ../source3/smbd/nttrans.c:2036(smbd_do_query_security_desc)
  smbd_do_query_security_desc: sd_size = 280.
[2019/02/19 11:27:47.334991,  3] ../source3/smbd/nttrans.c:2036(smbd_do_query_security_desc)
  smbd_do_query_security_desc: sd_size = 52.
[2019/02/19 11:27:47.335357,  3] ../source3/smbd/dir.c:657(dptr_create)
  creating new dirptr 0 for path ., expect_close = 0
[2019/02/19 11:27:47.335411,  3] ../source3/smbd/dir.c:1220(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found . fname=. (.)
[2019/02/19 11:27:47.335446,  3] ../source3/smbd/dir.c:1220(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found .. fname=.. (..)
[2019/02/19 11:27:47.335786,  3] ../source3/smbd/dir.c:1220(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found Neuer Ordner fname=Neuer Ordner (Neuer Ordner)
[2019/02/19 11:27:47.335823,  3] ../source3/smbd/dir.c:1220(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found .cache fname=.cache (.cache)
[2019/02/19 11:27:47.335845,  3] ../source3/smbd/dir.c:1220(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found .config fname=.config (.config)
[2019/02/19 11:27:47.336133,  3] ../source3/smbd/dir.c:1220(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found .bash_history fname=.bash_history (.bash_history)
[2019/02/19 11:27:47.336160,  3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[9] status[STATUS_NO_MORE_FILES] || at ../source3/smbd/smb2_query_directory.c:158
[2019/02/19 11:27:47.336759,  2] ../source3/smbd/dosmode.c:136(unix_mode)
  unix_mode(Neuer Ordner) inheriting from .
[2019/02/19 11:27:47.336823,  2] ../source3/smbd/dosmode.c:161(unix_mode)
  unix_mode(Neuer Ordner) inherit mode 42770
[2019/02/19 11:27:47.337141,  3] ../source3/smbd/nttrans.c:2036(smbd_do_query_security_desc)
  smbd_do_query_security_desc: sd_size = 128.
[2019/02/19 11:27:47.337333,  2] ../source3/smbd/dosmode.c:136(unix_mode)
  unix_mode(.cache) inheriting from .
[2019/02/19 11:27:47.337349,  2] ../source3/smbd/dosmode.c:161(unix_mode)
  unix_mode(.cache) inherit mode 42770
[2019/02/19 11:27:47.337757,  3] ../source3/smbd/nttrans.c:2036(smbd_do_query_security_desc)
  smbd_do_query_security_desc: sd_size = 216.
[2019/02/19 11:27:47.337928,  2] ../source3/smbd/dosmode.c:136(unix_mode)
  unix_mode(.config) inheriting from .
[2019/02/19 11:27:47.337946,  2] ../source3/smbd/dosmode.c:161(unix_mode)
  unix_mode(.config) inherit mode 42770
[2019/02/19 11:27:47.338311,  3] ../source3/smbd/nttrans.c:2036(smbd_do_query_security_desc)
  smbd_do_query_security_desc: sd_size = 216.
[2019/02/19 11:27:47.338481,  2] ../source3/smbd/dosmode.c:136(unix_mode)
  unix_mode(.bash_history) inheriting from .
[2019/02/19 11:27:47.338498,  2] ../source3/smbd/dosmode.c:161(unix_mode)
  unix_mode(.bash_history) inherit mode 42770
[2019/02/19 11:27:47.338526,  2] ../source3/smbd/open.c:1404(open_file)
  stefan opened file .bash_history read=No write=No (numopen=5)
[2019/02/19 11:27:47.338933,  3] ../source3/smbd/nttrans.c:2036(smbd_do_query_security_desc)
  smbd_do_query_security_desc: sd_size = 176.
[2019/02/19 11:27:47.339209,  2] ../source3/smbd/close.c:805(close_normal_file)
  stefan closed file .bash_history (numopen=2) NT_STATUS_OK
[2019/02/19 11:27:47.339942,  0] ../source3/smbd/posix_acls.c:2081(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-23843569-2327079851-3003975642-1108 to uid or gid.
[2019/02/19 11:27:47.342417,  2] ../source3/smbd/dosmode.c:136(unix_mode)
  unix_mode(.) inheriting from .
[2019/02/19 11:27:47.342454,  2] ../source3/smbd/dosmode.c:161(unix_mode)
  unix_mode(.) inherit mode 42770
[2019/02/19 11:27:47.342842,  3] ../source3/smbd/nttrans.c:2036(smbd_do_query_security_desc)
  smbd_do_query_security_desc: sd_size = 280.
[2019/02/19 11:27:47.625637,  3] ../source3/smbd/service.c:1120(close_cnum)
  192.168.0.33 (ipv4:192.168.0.33:60679) closed connection to service IPC$

Do you have any idea how to tackle this issue? This seems to be a permission issue but I am not sure where or how.
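As an added example (not from the original post or from Samba itself), a small Python triage helper for the level-0 error above: it pulls the unmapped SID out of smbd log lines, splits it into domain SID and RID, and parses the `idmap config` lines of smb.conf so the ranges can be checked for gaps and overlaps before reaching for `wbinfo`. The log line and config fragment are constructed from the values quoted in the post; the function names are the example's own.

```python
import re

# Constructed samples (not the original files): the level-0 line from the post's log
# and the idmap settings from the post's smb.conf.
SAMPLE_LOG = """\
[2019/02/19 11:27:47.339942,  0] ../source3/smbd/posix_acls.c:2081(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-23843569-2327079851-3003975642-1108 to uid or gid.
"""
SAMPLE_SMBCONF = """\
idmap config ADS : range = 2000000-29999999
idmap config ADS : backend = sss
idmap config * : range = 10000-999999
idmap config * : backend = tdb
"""

UNMAPPED_RE = re.compile(r"unable to map SID (S-1-5-21(?:-\d+){4}) to uid or gid")
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)",
                      re.IGNORECASE | re.MULTILINE)

def unmapped_sids(log):
    """Distinct SIDs smbd reported as unmappable, in order of first appearance."""
    return list(dict.fromkeys(UNMAPPED_RE.findall(log)))

def split_sid(sid):
    """S-1-5-21-a-b-c-RID -> (domain SID, RID); the RID is the per-account part."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)

def parse_idmap(conf):
    """Collect 'idmap config DOM : backend|range = ...' into {DOM: {'backend', 'range'}}."""
    idmap = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = idmap.setdefault(dom.upper(), {})
        if key.lower() == "range":
            lo, hi = (int(x) for x in val.split("-"))
            entry["range"] = (lo, hi)
        else:
            entry["backend"] = val.lower()
    return idmap

def overlapping_ranges(idmap):
    """Pairs of idmap domains whose uid/gid ranges overlap: a misconfiguration that makes mapping unreliable."""
    doms = sorted(d for d in idmap if "range" in idmap[d])
    pairs = []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = idmap[a]["range"], idmap[b]["range"]
            if alo <= bhi and blo <= ahi:
                pairs.append((a, b))
    return pairs
```

With the post's config the two ranges do not overlap, so the next step for each SID the helper reports is to resolve it by hand (`wbinfo -s`, `wbinfo -S`, `getent passwd`) and see which backend, sss or tdb, actually answers for the domain part.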