[Samba] Please criticize my smb.conf
ToddAndMargo
ToddAndMargo at zoho.com
Mon Oct 2 19:38:19 UTC 2017
Hi All,
You please look over my smb.conf and make
criticism as appropriate?
This is a workgroup server.
winbind is running
DDNS is also running (DNS [bind] talks to DHCPd)
Many thanks,
-T
Tony Ewell, B.S.E.E.
Owner, Rent-A-Nerd Computer Services
775-265-5150, 9:00 am to 5:00 pm PST/PDT
Warning, this is long winded!
<smb.conf>
; To test this file: # testparm
; To operate with XP, add the following to the [global] section:
; lanman auth = yes
; ntlm auth = yes
; Alternatively, to avoid WannaCry, go to:
; Enabling NTLMv2 on Windows XP Professional Computers
; http://www.imss.caltech.edu/node/396
; You have a shortened version over at
../MyCDs/Windows/XP/NTLMv2.Enable.txt
; To enable and (re)start Samba under RHEL 7:
; # systemctl enable smb.service
; # systemctl enable nmb.service
; # systemctl start smb.service
; # systemctl start nmb.service
; To enable Win Bind
; # dnf install samba samba-winbind
; # systemctl enable winbind.service
; # systemctl start winbind.service
; To restart Samba:
; # systemctl restart smb.service; systemctl restart nmb.service
; or # /home/linuxutil/RestartSamba.pl
;
; selinux notes: (gets rid of the access denied errors):
; ## First, have someone try to log into Samba from a workstation
;
; # cd /tmp
; # grep denied /var/log/audit/audit.log > selinuxloginfails
; # audit2allow -M samba4 -i selinuxloginfails
; # semodule -i samba4
; # setenforce 1; getenforce
;
; # dnf installpolicycoreutils-gui
; # chcon -t samba_share_t /exports
; # /usr/sbin/semanage fcontext -a -t samba_share_t "/exports(/.*)?"
; # /sbin/restorecon -R -v /exports
; # ausearch -c 'nmbd' --raw | audit2allow -M my-nmbd
; # semodule -X 300 -i my-nmbd.pp
; # setsebool -P samba_enable_home_dirs 1
; # setsebool -P samba_export_all_rw 1
; # ausearch -c 'winbindd' --raw | audit2allow -M my-winbindd
; # semodule -X 300 -i my-winbindd.pp
; # setsebool -P samba_domain_controller on
; # ausearch -c 'useradd' --raw | audit2allow -M my-useradd
; # semodule -X 300 -i my-useradd.pp
;
; to view your SELinux samba settings:
; # getsebool -a | grep samba
; # getsebool -a | grep smb
; Note: your need to add the name of the server into 127.0.0.1
/etc/hosts, e.g.
; 127.0.0.1 FedoraServer.xxxxx.local localhost ...
#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba-share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with othe SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root prexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux
context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------
#
;======================= Global Settings
=====================================
[global]
workgroup = xxxxx
server string = Fedora Samba Server
volume = Fedora Core, %v
comment = Samba (NetBIOS) Server on FedoraServer.xxxxx.local
netbios name = FedoraServer
netbios aliases = Screws4U!
; user only the specified inerfaces
interfaces = eno1 127.0.0.1
; deny access to anyone outside the current domain
hosts deny = ALL
hosts allow = 192.168.255. 127.0.0.
; Todd note: the second name in the printcap will be the primary share name
; ONLY if it contains no spaces
; Todd note: remember to use CAPS in the princap for the smb share name
; printcap name = CUPS
; Note: default print command: print command = lpr -r -P%p %s
printcap name = /etc/printcap
show add printer wizard = No
load printers = yes
printing = BSD
guest account = pcguest
log file = /var/log/samba/samba-log.%m
; Example: log level = 3 passdb:5 auth:10 winbind:2
log level = 4 passdb:10 auth:10
; The following worked for Windows 95. Kept for reference only:
;; case sensitive = yes
;; short preserve case = yes
;; mangle case = yes
; preserve case = yes
; default case = lower
; short preserve case = yes
; case sensitive = no
follow symlinks = yes
wide links = no
locking = yes
; strict locking = yes
strict locking = no
security = user
; security = share
; update encrypted = yes
;; encrypt passwords = no
; encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
unix password sync = Yes
passwd program = /usr/bin/passwd %u
# passdb backend:
# smbpasswd - The default smbpasswd backend. Takes a path to
# the smbpasswd file as an optional argument.
# tdbsam - The TDB based password storage backend. Takes a
# path to the TDB as an optional argument (defaults to
# passdb.tdb in the private dir directory.
# ldapsam - The LDAP based passdb backend. Takes an LDAP URL
# as an optional argument (defaults to ldap://localhost)
# Examples of use are:
# passdb backend = tdbsam:/etc/samba/private/passdb.tdb
# passdb backend = ldapsam:"ldap://ldap-1.example.com
ldap://ldap- 2.example.com"
# Default: passdb backend = smbpasswd
# Note: you can transfer smbpasswd to tdbsam with
# pdbedit -i smbpasswd -e tdbsam
# Users can be added to tdbsam with
# pdbedit -a -u username
#
; passdb backend = tdbsam
passdb backend = smbpasswd
# Unix users can map to different SMB User names
# touch /etc/samba/smbusers to start
username map = /etc/samba/smbusers
# add these if winbind is running
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
# http://www.oreilly.com/openbook/samba/book/ch06_06.html
; run a specific logon batch file per workstation (machine)
; logon script = %m.bat
; run a specific logon batch file per username
; logon script = %u.bat
; Note: this script's path is relative path to the [netlogon] path and
uses forward slashes
# logon script = scripts/%G.bat
logon script = scripts/logon.bat
logon path = /exports/netlogon
logon drive = X:
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS
Server
wins support = yes
; wins support = no
; name resolve order = lmhosts host wins bcast
; if winbind is running, use wins host bcast
name resolve order = wins host bcast
; dns proxy (G)
; Specifies that nmbd(8) when acting as a WINS server and
finding that
; a NetBIOS name has not been registered, should treat the
NetBIOS
; name word-for-word as a DNS name and do a lookup with the DNS
server
; for that name on behalf of the name-querying client.
;
; Note that the maximum length for a NetBIOS name is 15
characters, so
; the DNS name (or DNS alias) can likewise only be 15
characters, max-
; imum.
;
; nmbd spawns a second copy of itself to do the DNS name
lookup
; requests, as doing a name lookup is a blocking action.
;
; Default: dns proxy = yes
; dns proxy = no
dns proxy = yes
; note: deadtime is in minutes 1440=24hrs 2880=48hrs (2 days) 20160=14days
; deadtime = 60
; deadtime = 1440
deadtime = 20160
; map archive owner execute bit must include 0100
; map system off group execute bit must include 0010
; map hidden off world execute bit must include 0001
; Note: after doing all the above map stuff, it is a good idea to do
; a mass chmod to 2766 (Read Only=off, Archive=on, Hidden=off).
; And, you definately want hidden to be turned off!!!
; Note: to do a mass attributes change (example):
; for directories:
; find /rla -type d -exec chmod 777 {} \;
; for files:
; find /rla -type f -exec chmod 766 {} \;
force create mode = 0000
create mode = 0777
force directory mode = 0000
directory mode = 0777
map archive = yes
map system = yes
map hidden = yes
# [profiles]
# # https://www.ccs.uky.edu/docs/samba.htm
# # create mode = 0600
# # directory mode = 0700
# create mode = 0777
# directory mode = 0777
# path = /exports/profiles/
# profile acls = yes
# read only = no
# writable = yes
[public]
comment = Public on xxxxx FedoraServer -- Mount as F:
path = /exports/public
valid users = @users
write list = @users
force group = users
force user = public
locking = yes
oplocks = no
fake oplocks = no
level2 oplocks = no
strict locking = no
blocking locks = no
public = no
writable = yes
printable = no
browseable = yes
create mode = 0777
force directory mode = 0000
directory mode = 0777
map archive = yes
map system = yes
map hidden = yes
;note: %U replaces with the name of the session username (user's name in
lower case)
;note: %u replaces with the name of the current service (user's UNIX
name in mixed case)
[homes]
comment = %u.%G' Home/Documents Directory -- Typically mount as G: (UH)
path=/home/%u/Documents
valid users = @users
write list = @users
read only = no
create mode = 0750
public = no
writable = yes
printable = no
browseable = no
create mode = 0777
force directory mode = 0000
directory mode = 0777
map archive = yes
map system = yes
map hidden = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
public = yes
writeable = no
printable = yes
# create mode = 0700
[netlogon]
# not being used as this is a now workgroup server.
# netlogon left in place to copy out the logon.bat to the user's start up.
# These entries left in place in case this server is used as a PDC
# in the future
# http://www.oreilly.com/openbook/samba/book/ch06_06.html
# %U session username (the username that the client wanted,
# not necessarily the same as the one they got).
# %u UNIX username
# %S the name of the current service, if any.
# %G primary group name of %U
; Note: (G) logon script = scripts/logon.bat (forward slash)
; controls what is run
comment = Network Logon Service (X:)
path = /exports/netlogon
## public = no
## writeable = no
##
## # set browable to "no" if you don't want everyone to be able to
browse the scripts
## browsable = yes
valid users = @users
write list = @users
read only = no
create mode = 0750
public = no
writable = yes
printable = no
browseable = no
create mode = 0777
force directory mode = 0000
directory mode = 0777
map archive = yes
map system = yes
map hidden = yes
[rla]
comment = rla root directory -- Typically mount as S:
path = /rla
valid users = @users
write list = @users
force group = users
force user = rla
public = no
writeable = yes
map archive = no
map system = no
map hidden = no
browseable = yes
printable = no
create mode = 0777
force directory mode = 0000
directory mode = 0777
map archive = yes
map system = yes
map hidden = yes
[pub]
comment = rla public client share -- Typically mount as R:
path = /rla/pub
valid users = @users
write list = @users
force group = users
force user = rla
writeable = yes
map archive = no
map system = no
map hidden = no
browseable = yes
printable = no
create mode = 0777
force directory mode = 0000
directory mode = 0777
map archive = yes
map system = yes
map hidden = yes
More information about the samba
mailing list