OK, I typed out your testparm output so I can comment on it; it would have saved me that if you had cut & pasted it.
I have also slightly rearranged it.
[global]
workgroup = SPLODGE
security = ADS
realm = SPLODGE.LOCAL
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
idmap config * : backend = tdb
Nothing wrong with those lines, apart from the fact that you appear to be using ‘.local’ as your TLD; that is reserved for Bonjour and Avahi.
Sorry, but it all goes downhill from there.
winbind enum groups = yes
winbind enum users = yes
You do not require the two ‘enum’ lines; Samba will work without them.
If you use ‘getent’, you just have to use it in the format:
‘getent passwd USERNAME’
winbind nss info = rfc2307
That line is only used with the ‘ad’ idmap backend.
create mask = 0664
directory mask = 0775
Those are ‘old school’; either set the directory permissions with setfacl
or from Windows.
map archive = no
Not much point in setting that, it is overridden.
[share]
comment = Shared Folder
path = /var/share/share
read only = no
valid users = SPLODGE.LOCAL\DOMAIN USERS
I suggest that you do not use ‘valid users’, use setfacl or Windows,
but if you must use it, the Value would be ‘SPLODGE\domain users’
(including the single quotes).
Finally the really big one:
You have:
idmap config * : backend = tdb
It isn’t enough.
You need something like this:
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SPLODGE : backend = rid
idmap config SPLODGE : range = 10000-999999
If you want your Samba users to logon directly to the computer,
they will require a shell that allows them:
template shell = /bin/bash
And a home directory to log into:
template homedir = /home/%U
Once the smb.conf is set up correctly, you will not need sssd, so you can turn it off.
Questions?
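As an added example (not part of the reply above, and not Samba's own tooling), a small lint script that reads an smb.conf and reports the same problems the reply points out: a ‘.local’ realm, the two ‘enum’ lines, ‘winbind nss info’ without the ‘ad’ backend, a missing idmap range for ‘*’ and a missing idmap block for the workgroup, and a ‘valid users’ value written as REALM\group. The embedded config is a constructed reduction of the posted [global] and [share] sections.

```python
import configparser

# Constructed sample (not the poster's real file): the lines the reply objects to.
POSTED = r"""
[global]
workgroup = SPLODGE
security = ADS
realm = SPLODGE.LOCAL
winbind enum groups = yes
winbind enum users = yes
winbind nss info = rfc2307
idmap config * : backend = tdb
[share]
path = /var/share/share
valid users = SPLODGE.LOCAL\DOMAIN USERS
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.
    Keys are lower-cased and whitespace-normalised so 'idmap config * : range'
    matches however it was spaced; only '=' is a delimiter because ':' is part
    of idmap option names."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = lambda k: " ".join(k.lower().split())
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def lint(conf):
    """Return a list of findings (empty list means none of the known issues)."""
    g = conf.get("global", {})
    wg = g.get("workgroup", "").lower()
    out = []
    if g.get("realm", "").lower().endswith(".local"):
        out.append("realm: '.local' is reserved for mDNS (Bonjour/Avahi)")
    for key in ("winbind enum users", "winbind enum groups"):
        if g.get(key, "").lower() in ("yes", "true", "1"):
            out.append(f"{key}: not needed, use 'getent passwd USERNAME' instead")
    if "winbind nss info" in g and g.get(f"idmap config {wg} : backend") != "ad":
        out.append("winbind nss info: only used with the 'ad' idmap backend")
    for dom in ("*", wg):  # both the default domain and the joined domain need backend + range
        for opt in ("backend", "range"):
            if f"idmap config {dom} : {opt}" not in g:
                out.append(f"idmap config {dom} : {opt} is missing")
    for section, opts in conf.items():
        vu = opts.get("valid users", "")
        if "\\" in vu and "." in vu.split("\\", 1)[0]:  # REALM\group instead of 'WORKGROUP\group'
            out.append(f"[{section}] valid users: write it as 'WORKGROUP\\group' (quoted), not REALM\\group")
    return out

if __name__ == "__main__":
    for finding in lint(parse_smb_conf(POSTED)):
        print(finding)
```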