first progress

etc/samba/smb.conf

@@ -0,0 +1,60 @@
+[global]
+   security = ADS
+   kerberos method = secrets and keytab
+   realm = ${REALM}
+   workgroup = ${WORKGROUP}
+
+   idmap config * : backend = tdb
+   idmap config * : range = 3000-7999
+
+   idmap config ${WORKGROUP} : backend = rid
+   idmap config ${WORKGROUP} : range = 10000-999999
+
+   winbind use default domain = yes
+   winbind enum users = yes
+   winbind enum groups = yes
+
+   vfs objects = acl_xattr
+   map acl inherit = yes
+   store dos attributes = yes
+
+   server min protocol = SMB2
+   client min protocol = SMB2
+
+   access based share enumeration = yes
+
+   dedicated keytab file = /var/lib/samba/private/krb5.keytab
+   kerberos encryption types = all
+
+   load printers = no
+   printcap name = /dev/null
+   disable spoolss = yes
+
+   log file = /var/log/samba/log.%m
+   max log size = 10000
+   logging = file
+
+   include = /etc/samba/generated/shares.conf
+
+[Private]
+   path = /data/private
+   read only = no
+   browseable = yes
+   guest ok = no
+   valid users = @"${WORKGROUP}\\Domain Users"
+   admin users = @"${WORKGROUP}\\Domain Admins"
+   hide unreadable = yes
+   access based share enumeration = yes
+   ea support = yes
+
+[Public]
+   path = /data/public
+   read only = no
+   browseable = yes
+   guest ok = no
+   valid users = @"${WORKGROUP}\\${PUBLIC_GROUP}"
+   force group = "${WORKGROUP}\\${PUBLIC_GROUP}"
+   create mask = 0660
+   directory mask = 2770
+   inherit permissions = yes
+   access based share enumeration = yes