Using Samba 4.6.4 AD DC on the server domain controller itself, and using Windows ACLs to control the share and the security.
Pre Making-a-Share on the Domain Controller:
Make sure Samba was compiled with ACL support. Check with the following command:
$ smbd -b | grep HAVE_LIBACL HAVE_LIBACL
If “HAVE_LIBACL” is not found, then Samba was compiled without extended ACL support. If you compiled Samba yourself, see Samba Dependencies Required to Build Samba.
The link also states you should add SeDiskOperatorPrivilege to the Domain Admins. I made the shares with the privilege and without the privilege, and it’s the same result. They both work.
Making the share folder.
$ mkdir -p /samba/documents/
Change the group permission to “Full Control”
$ chmod g=rwx /samba/documents/
Add the new share to your smb.conf.
[documents] path = /samba/documents/ read only = no
Changing the Share Permissions and Security for the Share:
Note: When access the Computer/Manage of the Samba Domain Server using Microsoft OS and trying to click on the System Tools to access the Sharing Folder, it gives this message. Just click on the OK button and it goes away.
Using the Domain administrator, making only Domain Users has Full Control of the Docs share and no one else.
And making Domain Admins Full Control and Domain Users only Read access.