[global]
   security = ADS
   kerberos method = secrets and keytab
   realm = ${REALM}
   workgroup = ${WORKGROUP}

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   idmap config ${WORKGROUP} : backend = rid
   idmap config ${WORKGROUP} : range = 10000-999999

   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes

   server min protocol = SMB2
   client min protocol = SMB2

   access based share enumeration = yes

   dedicated keytab file = /var/lib/samba/private/krb5.keytab
   kerberos encryption types = all

   load printers = no
   printcap name = /dev/null
   disable spoolss = yes

   log file = /var/log/samba/log.%m
   max log size = 10000
   logging = file

   include = /etc/samba/generated/shares.conf

[Private]
   path = /data/private
   read only = no
   browseable = yes
   guest ok = no
   valid users = @"${WORKGROUP}\\Domain Users"
   admin users = @"${WORKGROUP}\\Domain Admins"
   hide unreadable = yes
   access based share enumeration = yes
   ea support = yes

[Public]
   path = /data/public
   read only = no
   browseable = yes
   guest ok = no
   valid users = @"${WORKGROUP}\\${PUBLIC_GROUP}"
   force group = "${WORKGROUP}\\${PUBLIC_GROUP}"
   create mask = 0660
   directory mask = 2770
   inherit permissions = yes
   access based share enumeration = yes