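# Samba file server, winbind (AD membership) and the Kerberos client tools.
dnf install -y samba samba-client samba-winbind samba-winbind-clients krb5-workstation
systemctl enable --now smb nmb

# This opens the SMB/NetBIOS service to every source address in the "public"
# zone. NOTE(review): if clients sit on known subnets, binding the service to
# a source-restricted zone is the tighter choice.
firewall-cmd --permanent --zone=public --add-service=samba
firewall-cmd --reload

# Static name entry for fs1 (presumably this server's own FQDN - confirm).
# Appended only when the name is absent, so re-running the script does not
# stack duplicate lines in /etc/hosts.
if ! grep -qF -- 'fs1.augin.ru' /etc/hosts; then
  printf '%s\n' '10.1.0.20   fs1.augin.ru fs1' >> /etc/hosts
fi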

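# Kerberos client settings for the AD realm.
#
# Two fixes compared with the earlier version of this snippet:
#  * File name: MIT krb5 only reads files from an "includedir" when the name
#    is made of alphanumerics, dashes and underscores, or ends in ".conf".
#    A file called "augin.ru" is silently skipped, so the snippet now ends
#    in ".conf".
#  * Realm: smb.conf on this host joins realm AUGIN.RU, and dc1.augin.ru is
#    the KDC host name, not a realm. default_realm and the domain_realm
#    mapping therefore point at AUGIN.RU. Confirm the realm against the
#    "Realm:" line printed by `net ads info` after the join.
#
# The delimiter is quoted so nothing inside the snippet is expanded by the shell.
cat << 'EOF' > /etc/krb5.conf.d/augin.ru.conf
[libdefaults]
 default_realm = AUGIN.RU

[realms]
 AUGIN.RU = {
  kdc = dc1.augin.ru
  admin_server = dc1.augin.ru
 }

[domain_realm]
 augin.ru = AUGIN.RU
 .augin.ru = AUGIN.RU
EOF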

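# Write the Samba configuration for an AD member server (security = ads).
#
# Changes compared with the earlier version of this file:
#  * [disk1$] no longer carries "public = yes". The share exports all of
#    /home read-write; guest access there would hand every home directory to
#    unauthenticated clients as soon as "map to guest" is enabled.
#    NOTE(review): consider also limiting the share with "valid users" to the
#    group that actually needs the whole tree.
#  * [disk1$] now loads the recycle VFS module. The recycle:* options were
#    inert before, because only acl_xattr was listed in "vfs objects".
#    A per-share "vfs objects" replaces the global list, so acl_xattr is
#    repeated there.
#
# The delimiter is quoted so the shell leaves "$" and "%" sequences alone.
cat << 'EOF' > /etc/samba/smb.conf
[global]
   workgroup = AUGIN
   security = ads

   kerberos method = secrets and keytab
   realm = AUGIN.RU
   winbind use default domain = true
   winbind enum groups = Yes
   winbind enum users = Yes
   password server = dc1.augin.ru
   idmap config * : range = 16777216-33554431
   idmap config * : backend = autorid
   template homedir = /home/%U
   template shell = /sbin/nologin
   winbind offline logon = false

   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

[homes]
comment = %U Home dir
path = /home/%U
browseable = no
writable = yes
inherit acls = yes
map acl inherit = yes
root preexec = /etc/samba/makedir.sh %U
veto files = /*.vault/*.code/*.neitrino/*.mp3/

[disk1$]
comment = disk1
path = /home
guest ok = no
writable = yes
# recycle bin
vfs objects = recycle acl_xattr
recycle:repository = .recycle/%U
recycle:keeptree = Yes
recycle:touch = Yes
recycle:versions = Yes
recycle:maxsize = 0
recycle:exclude = *.tmp, ~$*
recycle:exclude_dir = /tmp

EOF

# Parse the file once so that a typo is reported here rather than at the
# next smbd restart.
testparm -s > /dev/null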

# Join this host to the AD domain configured in smb.conf. The password is
# requested interactively, so it is not exposed in argv or shell history.
net ads join -U Administrator

# Switch the system authentication profile to winbind and start the daemon.
authselect select winbind --force
systemctl enable --now winbind

# Verification: show the domain details as seen from this host, then list the
# domain users winbind can enumerate.
net ads info
wbinfo -u

# Restart all three daemons so they pick up the joined state.
systemctl restart {smb,nmb,winbind}
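# Install the helper referenced by "root preexec" in the [homes] share.
# smbd runs it as root with the connecting user's name as the only argument.
#
# Changes compared with the earlier version:
#  * every use of the name is quoted, so a user name containing a space no
#    longer splits into several arguments;
#  * names that are empty, ".", "..", start with "-" or contain "/" are
#    rejected before anything is created, because the value comes from a
#    client session and the script has root privileges;
#  * the heredoc delimiter is quoted, which removes the need for "\$".
cat << 'EOF' > /etc/samba/makedir.sh
#!/bin/bash
# Create /home/<user> with its ACLs on a user's first connection.
# $1 - user name passed by smbd (%U).

user=$1

# Refuse names that could escape /home or be parsed as an option.
# Exit status stays 0, as before, so the connection itself is not blocked.
case "$user" in
        '' | . | .. | -* | */*) exit 0 ;;
esac

home="/home/$user"

if [ ! -d "$home" ]; then
        mkdir -- "$home"
        chmod g+s -- "$home"
        chown -- "$user" "$home"
        chmod 770 -- "$home"
        setfacl -m g:"domain admins":rwx -- "$home"
        setfacl -d -m g:"domain admins":rwx -- "$home"
        setfacl -m u:"$user":rwx -- "$home"
        setfacl -d -m u:"$user":rwx -- "$home"
fi
exit 0
EOF

# Executed by root: keep it root-owned and writable by root only.
chown root:root /etc/samba/makedir.sh
chmod 0755 /etc/samba/makedir.sh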

# Grant the AD "domain admins" group rwx on everything that already exists
# under /home: first as an access entry, then as the default entry that newly
# created files and directories inherit. The recursion covers every directory
# below /home, not only the ones created through Samba.
admins_entry='g:domain admins:rwx'
setfacl -R -m "$admins_entry" /home
setfacl -R -d -m "$admins_entry" /home

# Interactive step: open acl_users.sh in an editor.
nano acl_users.sh
#!/bin/bash

for D in *; do
if [ -d "${D}" ]; then
echo "${D}"   # your processing here
setfacl -R -d -m u:"${D}":rwx /home/disk1/users/${D}
setfacl -R -m u:"${D}":rwx /home/disk1/users/${D}

fi