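# smb.conf template for a Samba server joined to Active Directory (security = ADS).
# The ${...} placeholders are not smb.conf syntax; presumably an external
# templating step fills them in before Samba reads the file - confirm.
# Comments are kept on their own lines: smb.conf has no inline comments.

[global]
workgroup = ${DOMAIN_WORKGROUP}
realm = ${DOMAIN_REALM}
netbios name = ${SAMBA_NETBIOS_NAME}
security = ADS

# NOTE(review): smb.conf(5) documents "dedicated keytab file" as the path used
# when kerberos method = dedicated keytab. With "secrets and keytab" the system
# keytab is used, so the second line may have no effect - confirm the intent.
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab

# Protocol floor and ceiling: SMB1 is refused.
server min protocol = SMB2
server max protocol = SMB3
# Reject LM and NTLMv1 responses.
ntlm auth = ntlmv2-only
# Clients that cannot sign are refused.
server signing = mandatory
# NOTE(review): "desired" negotiates encryption but still serves clients that
# do not offer it. Use "required" if cleartext SMB payloads are not acceptable.
smb encrypt = desired

# Domain accounts keep their domain prefix.
winbind use default domain = no
winbind nss info = rfc2307
# NOTE(review): enumeration lets local tools list every domain user and group
# and can be slow on large domains - confirm it is needed.
winbind enum users = yes
winbind enum groups = yes

# ID mapping. The default (*) range and the domain range must not overlap.
idmap config * : backend = tdb
idmap config * : range = 30000-79999
# rid derives IDs from the RID; the range holds 20000 IDs.
# NOTE(review): verify the domain's RIDs fit, otherwise accounts stay unmapped.
idmap config ${DOMAIN_WORKGROUP} : backend = rid
idmap config ${DOMAIN_WORKGROUP} : range = 10000-29999

# Domain accounts get no interactive shell on this host.
template shell = /bin/false
template homedir = /home/%D/%U

# Failed logons are rejected, never mapped to the guest account.
map to guest = never
unix extensions = no
dos filemode = no
nt acl support = no

# One log file per client machine name (%m). max log size is in KiB.
log file = /var/log/samba/log.%m
max log size = 1000
logging = file

# Per-user private share: each session is pointed at its own directory.
[private]
# %U is the username the client asked for (smb.conf(5)), so the path and the
# helper arguments below derive from client-supplied data.
path = /data/private/%U
browseable = yes
read only = no
valid users = %U
# New files and directories are accessible to the owner only.
create mask = 0600
directory mask = 0700
# Runs as root through the shell on every connect. The substitutions are
# quoted so a name containing whitespace reaches the helper as one argument.
# The helper must still validate both arguments and refuse to leave
# /data/private.
# NOTE(review): without "root preexec close = yes" a failing helper does not
# block the connection - decide whether this share should fail closed.
root preexec = /usr/local/bin/samba-private-mkdir '%U' '%D'
# Repeats the [global] values.
nt acl support = no
dos filemode = no

# Generated share definitions are read at this point in the file. The file can
# define shares and preexec commands, so give it the same ownership and
# permissions as smb.conf (root-owned, not writable by group or other).
# NOTE(review): parameters in it before its first section header would
# presumably apply to [private] - confirm it starts with a section.
include = /etc/samba/shares.generated.conf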