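# smb.conf template (Jinja2) for a Samba file server joined to an AD domain.
# The only template variable used is "domain"; it is rendered verbatim into
# realm, workgroup and the group names below, so it is assumed to be a plain
# DNS domain name (no whitespace or newlines) - validate it where it is defined.
# smb.conf has no inline comments: keep every comment on its own line.

[global]
# update or die
# Refuse SMB1/SMB2 clients and listen on 445 only (no 139/NetBIOS session port).
server min protocol = SMB3
smb ports = 445
use sendfile = yes
winbind max domain connections = 10
# NOTE(review): neither "server signing" nor "smb encrypt" is set here, so
# Samba's defaults apply - confirm they meet policy for home-directory traffic.

# disable attack vectors
load printers = no
disable spoolss = yes
disable netbios = yes

# auto-create home directories with pam_mkhomedir
# "obey pam restrictions" makes smbd run PAM account and session management,
# which is what lets pam_mkhomedir fire; the PAM stack itself is configured
# outside this file.
obey pam restrictions = yes
template homedir = /home/%U@%D
template shell = /bin/bash

# domain settings
security = ads
# Look for the machine credentials in secrets.tdb first, then the system keytab.
kerberos method = secrets and keytab
realm = {{ domain | upper }}
# Assumes the NetBIOS domain name equals the first DNS label - TODO confirm
# for domains where the two differ.
workgroup = {{ domain | split('.') | first | upper }}
# ID mapping is delegated to SSSD; presumably the range has to agree with the
# ID range SSSD hands out - verify against sssd.conf.
idmap config * : backend = sss
idmap config * : range = 200000-2147483647

[homes]
comment = home directory
# %S is the share name, which for [homes] is the user's own name: each home
# share is reachable by its owner and by members of "domain admins".
valid users = %S "@domain admins@{{ domain }}"
# SECURITY: "admin users" makes every file operation by these accounts run as
# root on the share, bypassing file permissions and ACLs. A compromised member
# of "domain admins" therefore gets root-level access to every home directory.
# Keep the group small and audit its membership.
admin users = "@domain admins@{{ domain }}"
browseable = no
read only = no
# NOTE(review): "inherit permissions = yes" below overrides create mask and
# directory mask, so new files take their mode from the parent directory and
# these 0700 masks only matter if that setting is removed.
create mask = 0700
directory mask = 0700
# Windows ACLs are handled by the acl_xattr VFS module (stored in extended
# attributes), so the backing filesystem must support xattrs.
vfs objects = acl_xattr
map acl inherit = yes
inherit acls = yes
inherit permissions = yes

# TODO parametrize this somehow
# The two shares below are disabled. Review before re-enabling: [ucilnice_d]
# combines "guest ok = yes" with "read only = no", which allows unauthenticated
# writes wherever guest mapping is enabled.
#[profiles]
#comment = Users profiles
#path = /home/profiles
#read only = no
#browsable = yes
#create mask = 0600
#directory mask = 0700
#vfs objects = acl_xattr
#map acl inherit = yes
##inherit acls = yes # default on for acl_xattr
## inherit permissions = yes
#
#[ucilnice_d]
#comment = Users profiles
#path = /home/ucilnice_d
#read only = no
#guest ok = yes
#browsable = yes
#create mask = 0600
#directory mask = 0700
#vfs objects = acl_xattr
#map acl inherit = yes
##inherit acls = yes # default on for acl_xattr
## inherit permissions = yes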