[Samba] Please criticize my smb.conf

ToddAndMargo ToddAndMargo at zoho.com
Mon Oct 2 19:38:19 UTC 2017


Hi All,

Would you please look over my smb.conf and offer
criticism as appropriate?

This is a workgroup server.
winbind is running
DDNS is also running (DNS [bind] talks to DHCPd)

Many thanks,
-T
Tony Ewell, B.S.E.E.
Owner, Rent-A-Nerd Computer Services
775-265-5150,  9:00 am to 5:00 pm PST/PDT


Warning, this is long winded!


<smb.conf>

; To test this file:  # testparm

; To operate with XP, add the following to the [global] section:
;    lanman auth = yes
;    ntlm auth = yes
; Alternatively, to avoid WannaCry, go to:
;     Enabling NTLMv2 on Windows XP Professional Computers
;     http://www.imss.caltech.edu/node/396
;     You have a shortened version over at ../MyCDs/Windows/XP/NTLMv2.Enable.txt


; To enable and (re)start Samba under RHEL 7:
;   # systemctl enable smb.service
;   # systemctl enable nmb.service
;   # systemctl start  smb.service
;   # systemctl start  nmb.service

; To enable Win Bind
;   # dnf install samba samba-winbind
;   # systemctl  enable  winbind.service
;   # systemctl  start  winbind.service


; To restart Samba:
;   # systemctl restart smb.service; systemctl restart nmb.service
;   or   # /home/linuxutil/RestartSamba.pl
;

; selinux notes: (gets rid of the access denied errors):
;    ## First, have someone try to log into Samba from a workstation
;
;    # cd /tmp
;    # grep denied /var/log/audit/audit.log > selinuxloginfails
;    # audit2allow -M samba4 -i selinuxloginfails
;    # semodule -i samba4
;    # setenforce 1; getenforce
;
;    # dnf install policycoreutils-gui
;    # chcon -t samba_share_t /exports
;    # /usr/sbin/semanage fcontext -a -t samba_share_t "/exports(/.*)?"
;    # /sbin/restorecon -R -v /exports
;    # ausearch -c 'nmbd' --raw | audit2allow -M my-nmbd
;    # semodule -X 300 -i my-nmbd.pp
;    # setsebool -P samba_enable_home_dirs 1
;    # setsebool -P samba_export_all_rw 1
;    # ausearch -c 'winbindd' --raw | audit2allow -M my-winbindd
;    # semodule -X 300 -i my-winbindd.pp
;    # setsebool -P samba_domain_controller on
;    # ausearch -c 'useradd' --raw | audit2allow -M my-useradd
;    # semodule -X 300 -i my-useradd.pp
;
;    to view your SELinux samba settings:
;    # getsebool -a | grep samba
;    # getsebool -a | grep smb



; Note: you need to add the name of the server to the 127.0.0.1 line in /etc/hosts, e.g.
;       127.0.0.1      FedoraServer.xxxxx.local localhost ...


#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba-share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with other SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root preexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------
#

;======================= Global Settings =====================================
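[global]

    workgroup = xxxxx
    server string = Fedora Samba Server

    volume = Fedora Core, %v
    comment = Samba (NetBIOS) Server on FedoraServer.xxxxx.local
    netbios name = FedoraServer
    netbios aliases = Screws4U!

; use only the specified interfaces
; Note: "interfaces" on its own only selects the interfaces Samba uses for
; browsing and WINS; smbd still accepts connections on every address. To
; actually refuse connections arriving on other interfaces, add
; "bind interfaces only = yes" (127.0.0.1 must stay listed so local tools such
; as smbpasswd and winbind keep working).
    interfaces = eno1 127.0.0.1

; deny access to anyone outside the listed networks
; Note: where the two lists conflict, Samba lets "hosts allow" win, so ALL
; below only covers addresses the allow list does not match.
    hosts deny = ALL
    hosts allow = 192.168.255. 127.0.0.

; Todd note: the second name in the printcap will be the primary share name
;            ONLY if it contains no spaces
; Todd note: remember to use CAPS in the printcap for the smb share name
;  printcap name = CUPS
; Note: default print command:   print command = lpr -r -P%p %s
    printcap name = /etc/printcap
    show add printer wizard = No
    load printers = yes
    printing = BSD

; The guest account must exist as a UNIX user (check with: getent passwd pcguest);
; it is what guest-ok shares such as [printers] run as.
    guest account = pcguest
    log file = /var/log/samba/samba-log.%m
;  Example:  log level = 3 passdb:5 auth:10 winbind:2
; Note: debug level 10 on the passdb and auth classes is a troubleshooting
; setting: it produces very large logs and can write more of the credential
; exchange into them than a production server should keep on disk. Lower
; these once debugging is finished.
    log level = 4 passdb:10 auth:10

; The following worked for Windows 95.  Kept for reference only:
;;  case sensitive = yes
;;  short preserve case = yes
;; mangle case = yes
;  preserve case = yes
;  default case = lower
;  short preserve case = yes
;  case sensitive = no

    follow symlinks = yes
; "wide links = no" stops symlinks from leading clients outside the share tree
    wide links = no
    locking = yes
;  strict locking = yes
    strict locking = no

    security = user
;  security = share
; Note: leave "lanman auth" and "ntlm auth" at their defaults unless a legacy
; client (see the XP notes in the header) truly needs them; enabling either
; weakens authentication for every client of this server.

;  update encrypted = yes
;; encrypt passwords = no
;   encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd

    unix password sync = Yes
    passwd program = /usr/bin/passwd %u

# passdb backend:
#  smbpasswd - The default smbpasswd backend. Takes a path  to
#              the smbpasswd file as an optional argument.
#  tdbsam    - The  TDB based password storage backend. Takes a
#              path to the  TDB  as  an  optional  argument  (defaults  to
#              passdb.tdb in the private dir directory.
#  ldapsam   - The LDAP based passdb backend. Takes an LDAP URL
#              as an optional argument (defaults to ldap://localhost)
#  Examples of use are:
#        passdb backend = tdbsam:/etc/samba/private/passdb.tdb
#        passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
#  Default: passdb backend = smbpasswd   (older releases; Samba 3.4 and later default to tdbsam)
# Note: you can transfer smbpasswd to tdbsam with
#   pdbedit -i smbpasswd -e tdbsam
# Users can be added to tdbsam with
#   pdbedit -a -u username
#
; Note: smbpasswd is the legacy flat-file backend kept for compatibility;
; tdbsam is the current default and the pdbedit command above migrates to it.
;  passdb backend = tdbsam
    passdb backend = smbpasswd

# Unix users can map to different SMB User names
# touch /etc/samba/smbusers   to start
    username map = /etc/samba/smbusers

# add these if winbind is running
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999


#  http://www.oreilly.com/openbook/samba/book/ch06_06.html
; run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
; run a specific logon batch file per username
;   logon script = %u.bat
; Note: this script's path is relative to the [netlogon] path and uses
; forward slashes
#  logon script = scripts/%G.bat
    logon script = scripts/logon.bat
; Note: "logon path" is the roaming-profile location and expects a UNC path
; (the man page example is \\%N\profiles\%U), not a UNIX directory; the value
; below looks like a leftover from "path". The logon settings only matter for
; domain logons, so this is inert on a workgroup server, but fix it before
; this machine is ever promoted to a PDC.
    logon path = /exports/netlogon
    logon drive = X:


# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
    wins support = yes
;    wins support = no

; name resolve order = lmhosts host wins bcast
; if winbind is running, use wins host bcast
    name resolve order = wins host bcast

; dns proxy (G)
;          Specifies that nmbd(8) when acting as a WINS server and finding that
;          a NetBIOS name has not been registered, should treat the NetBIOS
;          name word-for-word as a DNS name and do a lookup with the DNS server
;          for that name on behalf of the name-querying client.
;
;          Note that the maximum length for a NetBIOS name is 15 characters, so
;          the DNS name (or DNS alias) can likewise only be 15 characters, max-
;          imum.
;
;          nmbd spawns a second copy of itself to do the DNS name lookup
;          requests, as doing a name lookup is a blocking action.
;
;          Default: dns proxy = yes
;  dns proxy = no
    dns proxy = yes

;  note: deadtime is in minutes 1440=24hrs 2880=48hrs (2 days)  20160=14days
;  deadtime = 60
;  deadtime = 1440
    deadtime = 20160

; map archive owner execute bit must include 0100
; map system off  group execute bit must include 0010
; map hidden off  world execute bit must include 0001
; Note: after doing all the above map stuff, it is a good idea to do
;       a mass chmod to 2766 (Read Only=off, Archive=on, Hidden=off).
;       And, you definitely want hidden to be turned off!!!

; Note: to do a mass attributes change (example):
;       for directories:
;          find /rla -type d -exec chmod 777 {} \;
;       for files:
;          find /rla -type f -exec chmod 766 {} \;

; Note: create/directory mode 0777 with force modes of 0000 lets clients
; create world-readable and world-writable files and directories, so every
; local UNIX account on the server can read and change them. Tighten these
; (for example 0770 together with "force group") if local accounts are not
; all trusted with the shared data.
    force create mode = 0000
    create mode = 0777
    force directory mode = 0000
    directory mode = 0777
    map archive = yes
    map system = yes
    map hidden = yes


# [profiles]
#    # https://www.ccs.uky.edu/docs/samba.htm
#    # create mode = 0600
#    # directory mode = 0700
#    create mode = 0777
#    directory mode = 0777
#    path = /exports/profiles/
#    profile acls = yes
#    read only = no
#    writable = yes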


[public]
; Shared drop area for everyone in the "users" group (mounted as F:)
    comment = Public on xxxxx FedoraServer -- Mount as F:
    path = /exports/public
    browseable = yes
    printable = no

; Access: group members only, no guests. Every file operation runs as UNIX
; user "public" in group "users" regardless of who connected, so the file
; system alone cannot tell which user made a change.
    public = no
    valid users = @users
    write list = @users
    writable = yes
    force user = public
    force group = users

; Locking: byte-range locks are performed, opportunistic locks are never granted
    locking = yes
    strict locking = no
    blocking locks = no
    oplocks = no
    level2 oplocks = no
    fake oplocks = no

; New files and directories come out world-readable and world-writable
    create mode = 0777
    directory mode = 0777
    force directory mode = 0000

; DOS archive/system/hidden attributes are kept in the UNIX execute bits
    map archive = yes
    map system = yes
    map hidden = yes


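; note: %U expands to the session username (the name the client logged on
;       with; the author notes it is lower case); %u expands to the UNIX
;       username the session maps to (mixed case); %S is the current service
;       name, which in [homes] is the user's own share.
[homes]
    comment = %u.%G' Home/Documents Directory -- Typically mount as G: (UH)
    path = /home/%u/Documents
; Note: with "valid users = @users" any member of the group can connect to
; any other user's home share, limited only by the UNIX permissions under
; /home/<user>/Documents. "valid users = %S" restricts each home share to
; the user it belongs to.
    valid users = @users
    write list = @users
    public = no
    writable = yes
    printable = no
    browseable = no

; Samba keeps the last assignment of a repeated key, so the earlier
; "create mode = 0750" this section used to carry was never in effect, and
; "read only = no" said the same as "writable = yes". The values below are
; the ones that were actually applied (world-readable and world-writable).
    create mode = 0777
    force directory mode = 0000
    directory mode = 0777
    map archive = yes
    map system = yes
    map hidden = yes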



[printers]
; Print spool share: anyone, including guests, may submit print jobs;
; nothing else is writable here and the share is not listed in browse lists
    comment = All Printers
    path = /var/spool/samba
    printable = yes
    writeable = no
    public = yes
    browseable = no
#  create mode = 0700


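[netlogon]
# not being used, as this is now a workgroup server.
# netlogon left in place to copy out the logon.bat to the user's start up.
# These entries left in place in case this server is used as a PDC
# in the future

#  http://www.oreilly.com/openbook/samba/book/ch06_06.html
#  %U session username (the username that the client wanted,
#     not necessarily the same as the one they got).
#  %u UNIX username
#  %S the name of the current service, if any.
#  %G primary group name of %U

; Note:   (G) logon script = scripts/logon.bat  (forward slash)
; controls what is run

    comment = Network Logon Service (X:)
    path = /exports/netlogon
##   public = no
##   writeable = no
##
##   # set browsable to "no" if you don't want everyone to be able to browse the scripts
##   browsable = yes

; Note: everyone in @users can write to this share, and scripts/logon.bat
; under it is what "logon script" in [global] hands to clients at logon, so
; any member of the group could alter a script that other users run. If users
; only need to read the scripts, set "read only = yes" here and name only the
; account that maintains them in "write list".
    valid users = @users
    write list = @users
    public = no
    writable = yes
    printable = no
    browseable = no

; Samba keeps the last assignment of a repeated key, so the earlier
; "create mode = 0750" this section used to carry was never in effect, and
; "read only = no" said the same as "writable = yes". The values below are
; the ones that were actually applied.
    create mode = 0777
    force directory mode = 0000
    directory mode = 0777
    map archive = yes
    map system = yes
    map hidden = yes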


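[rla]
    comment = rla root directory -- Typically mount as S:
    path = /rla
; Access: group members only, no guests; every file operation runs as UNIX
; user "rla" in group "users" regardless of who connected
    valid users = @users
    write list = @users
    force group = users
    force user = rla
    public = no
    writeable = yes
    browseable = yes
    printable = no

    create mode = 0777
    force directory mode = 0000
    directory mode = 0777
; Samba keeps the last assignment of a repeated key, so the earlier
; "map archive/system/hidden = no" entries this section carried were
; overridden by the "yes" values below, which are what was in effect.
; If "no" was the intent, change these three lines rather than re-adding
; the duplicates.
    map archive = yes
    map system = yes
    map hidden = yes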

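[pub]
    comment = rla public client share -- Typically mount as R:
    path = /rla/pub
; Access: group members only; every file operation runs as UNIX user "rla"
; in group "users" regardless of who connected. Unlike [rla] no "public = no"
; is set here, so the global default for guest access applies.
    valid users = @users
    write list = @users
    force group = users
    force user = rla
    writeable = yes
    browseable = yes
    printable = no

    create mode = 0777
    force directory mode = 0000
    directory mode = 0777
; Samba keeps the last assignment of a repeated key, so the earlier
; "map archive/system/hidden = no" entries this section carried were
; overridden by the "yes" values below, which are what was in effect.
; If "no" was the intent, change these three lines rather than re-adding
; the duplicates.
    map archive = yes
    map system = yes
    map hidden = yes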






