ad-ds-simple-file-server/etc/samba/smb.conf

[global]
   security = ADS
   kerberos method = secrets and keytab
   realm = ${REALM}
   workgroup = ${WORKGROUP}
   netbios name = ${NETBIOS_NAME}

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   idmap config ${WORKGROUP} : backend = rid
   idmap config ${WORKGROUP} : range = 10000-999999

   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind cache time = 60

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes

   server min protocol = SMB2
   client min protocol = SMB2

   access based share enum = yes

   dedicated keytab file = /var/lib/samba/private/krb5.keytab
   kerberos encryption types = all

   load printers = no
   printcap name = /dev/null
   disable spoolss = yes

   log file = /var/log/samba/log.%m
   max log size = 10000
   logging = file
   log level = 1 auth:5 passdb:5 winbind:3

   include = /etc/samba/generated/shares.conf

[Private]
   path = /data/private
   read only = no
   browseable = yes
   guest ok = no
   vfs objects = acl_xattr full_audit
   full_audit:prefix = %T|%u|%I|%m|%S
   full_audit:success = all
   full_audit:failure = all
   full_audit:syslog = false
   valid users = @"${DOMAIN_USERS_GROUP}"
   hide unreadable = yes
   access based share enum = yes
   ea support = yes
   nt acl support = no

[Public]
   path = /data/public
   read only = no
   browseable = yes
   guest ok = no
   vfs objects = acl_xattr full_audit
   full_audit:prefix = %T|%u|%I|%m|%S
   full_audit:success = all
   full_audit:failure = all
   full_audit:syslog = false
   valid users = @"${PUBLIC_GROUP}"
   force group = "${PUBLIC_GROUP}"
   create mask = 0660
   directory mask = 2770
   inherit permissions = yes
   access based share enum = yes