[Samba] Please criticize my smb.conf
Rowland Penny
rpenny at samba.org
Tue Oct 3 12:33:53 UTC 2017
See inline comments
On Mon, 2 Oct 2017 14:01:29 -0700
ToddAndMargo via samba <samba at lists.samba.org> wrote:
> On 10/02/2017 01:06 PM, Rowland Penny via samba wrote:
> > On Mon, 2 Oct 2017 12:38:19 -0700
> > ToddAndMargo via samba <samba at lists.samba.org> wrote:
> >
> >> Hi All,
> >>
> >> You please look over my smb.conf and make
> >> criticism as appropriate?
> >>
> >> This is a workgroup server.
Well you could call it that, I would call it a standalone server ;-)
> >> winbind is running
Why, you do not need this on a standalone server.
> >> DDNS is also running (DNS [bind] talks to DHCPd)
Again why, you wouldn't do this on Windows client.
> >
>
> mumble ...
>
> Server:
> Fedora 26
> samba-4.6.8-0.fc26.x86_64
Sorry, but I couldn't remember what version of Samba you are running.
>
> Workstations (5 of them):
> XP Pro SP3
That I could remember ;-)
OK, here is your smb.conf with my comments:
[global]
workgroup = xxxxx
server string = Fedora Samba Server
volume = Fedora Core, %v ~ this should really only be used on a share
comment = Samba (NetBIOS) Server on FedoraServer.xxxxx.local
netbios name = FedoraServer # You don't actually need this
netbios aliases = Screws4U!
interfaces = eno1 127.0.0.1
hosts deny = ALL
hosts allow = 192.168.255. 127.0.0.
printcap name = /etc/printcap
show add printer wizard = No
load printers = yes # default setting
printing = BSD
guest account = pcguest
log file = /var/log/samba/samba-log.%m
log level = 4 passdb:10 auth:10
follow symlinks = yes # default setting
wide links = no # default setting
locking = yes # default setting
strict locking = no
security = user
smb passwd file = /etc/samba/smbpasswd
unix password sync = Yes
passwd program = /usr/bin/passwd %u
# passdb backend:
# smbpasswd - The default smbpasswd backend. Takes a path to
# the smbpasswd file as an optional argument.
smbpasswd isn't the default anymore (hasn't been for a long time)
It is now tdbsam.
# tdbsam - The TDB based password storage backend. Takes a
# path to the TDB as an optional argument (defaults to
# passdb.tdb in the private dir directory.
# ldapsam - The LDAP based passdb backend. Takes an LDAP URL
# as an optional argument (defaults to ldap://localhost)
# Examples of use are:
# passdb backend = tdbsam:/etc/samba/private/passdb.tdb
# passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap- 2.example.com"
# Default: passdb backend = smbpasswd
# Note: you can transfer smbpasswd to tdbsam with
# pdbedit -i smbpasswd -e tdbsam
# Users can be added to tdbsam with
# pdbedit -a -u username
#
; passdb backend = tdbsam
passdb backend = smbpasswd # suggest changing to tdbsam
# Unix users can map to different SMB User names
# touch /etc/samba/smbusers to start
username map = /etc/samba/smbusers
# add these if winbind is running
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
You seem to be running a standalone server, so don't need winbind, so
don't need the above.
# http://www.oreilly.com/openbook/samba/book/ch06_06.html
; run a specific logon batch file per workstation (machine)
; logon script = %m.bat
; run a specific logon batch file per username
; logon script = %u.bat
; Note: this script's path is relative path to the [netlogon] path and uses forward slashes
# logon script = scripts/%G.bat
logon script = scripts/logon.bat # not used on a standalone server
logon path = /exports/netlogon # not used on a standalone server
logon drive = X: # not used on a standalone server
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS
Server
wins support = yes
; wins support = no
; name resolve order = lmhosts host wins bcast
; if winbind is running, use wins host bcast
name resolve order = wins host bcast # wins has nothing to do with winbind
; dns proxy (G)
; Specifies that nmbd(8) when acting as a WINS server and finding that
; a NetBIOS name has not been registered, should treat the NetBIOS
; name word-for-word as a DNS name and do a lookup with the DNS server
; for that name on behalf of the name-querying client.
;
; Note that the maximum length for a NetBIOS name is 15 characters, so
; the DNS name (or DNS alias) can likewise only be 15 characters, max-
; imum.
;
; nmbd spawns a second copy of itself to do the DNS name lookup
; requests, as doing a name lookup is a blocking action.
;
; Default: dns proxy = yes
; dns proxy = no
dns proxy = yes # default setting
; note: deadtime is in minutes 1440=24hrs 2880=48hrs (2 days) 20160=14days
; deadtime = 60
; deadtime = 1440
deadtime = 20160 # why do want connections to be held open for 2 weeks ?
; map archive owner execute bit must include 0100
; map system off group execute bit must include 0010
; map hidden off world execute bit must include 0001
; Note: after doing all the above map stuff, it is a good idea to do
; a mass chmod to 2766 (Read Only=off, Archive=on, Hidden=off).
; And, you definately want hidden to be turned off!!!
; Note: to do a mass attributes change (example):
; for directories:
; find /rla -type d -exec chmod 777 {} \;
; for files:
; find /rla -type f -exec chmod 766 {} \;
force create mode = 0000
create mode = 0777
force directory mode = 0000
directory mode = 0777
I would only add the above to shares.
map archive = yes # default setting
map system = yes
map hidden = yes
I would only add the above to shares.
# [profiles]
# # https://www.ccs.uky.edu/docs/samba.htm
# # create mode = 0600
# # directory mode = 0700
# create mode = 0777
# directory mode = 0777
# path = /exports/profiles/
# profile acls = yes
# read only = no
# writable = yes
[public]
comment = Public on xxxxx FedoraServer -- Mount as F:
path = /exports/public
valid users = @users
write list = @users
force group = users
force user = public
locking = yes # default setting
oplocks = no
fake oplocks = no # default setting
level2 oplocks = no
strict locking = no
blocking locks = no
public = no # default setting
writable = yes
printable = no # default setting
browseable = yes # default setting
create mode = 0777
force directory mode = 0000 # default setting
directory mode = 0777
map archive = yes # default setting
map system = yes
map hidden = yes
;note: %U replaces with the name of the session username (user's name in lower case)
;note: %u replaces with the name of the current service (user's UNIX name in mixed case)
[homes]
comment = %u.%G' Home/Documents Directory -- Typically mount as G: (UH)
path=/home/%u/Documents
valid users = @users
write list = @users
read only = no
create mode = 0750
public = no # default setting
writable = yes # this is the same as 'read only = no'
printable = no # default setting
browseable = no
create mode = 0777
force directory mode = 0000 # default setting
directory mode = 0777
map archive = yes # default setting
map system = yes
map hidden = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no # default setting
public = yes
writeable = no # default setting
printable = yes
# create mode = 0700
[netlogon]
# not being used as this is a now workgroup server.
# netlogon left in place to copy out the logon.bat to the user's start up.
# These entries left in place in case this server is used as a PDC
# in the future
# http://www.oreilly.com/openbook/samba/book/ch06_06.html
# %U session username (the username that the client wanted,
# not necessarily the same as the one they got).
# %u UNIX username
# %S the name of the current service, if any.
# %G primary group name of %U
; Note: (G) logon script = scripts/logon.bat (forward slash)
; controls what is run
comment = Network Logon Service (X:)
path = /exports/netlogon
## public = no
## writeable = no
##
## # set browable to "no" if you don't want everyone to be able to browse the scripts
## browsable = yes
valid users = @users
write list = @users
read only = no
create mode = 0750
public = no
writable = yes
printable = no
browseable = no
create mode = 0777
force directory mode = 0000
directory mode = 0777
map archive = yes
map system = yes
map hidden = yes
You might as well remove the entire [netlogon], it is not used on a standalone server
[rla]
comment = rla root directory -- Typically mount as S:
path = /rla
valid users = @users
write list = @users
force group = users
force user = rla
public = no # default setting
writeable = yes
map archive = no
map system = no
map hidden = no
browseable = yes
printable = no # default setting
create mode = 0777
force directory mode = 0000 # default setting
directory mode = 0777
map archive = yes # default setting
map system = yes
map hidden = yes
[pub]
comment = rla public client share -- Typically mount as R:
path = /rla/pub
valid users = @users
write list = @users
force group = users
force user = rla
writeable = yes
map archive = no
map system = no # default setting
map hidden = no # default setting
browseable = yes # default setting
printable = no # default setting
create mode = 0777
force directory mode = 0000 # default setting
directory mode = 0777
map archive = yes # default setting
map system = yes
map hidden = yes
The above three parameters are set twice, but differently, which way do you
want them setting ?
Any lines followed by '# default setting' can be removed and will not
affect Samba.
You will need to create all your windows users as Unix & Samba users on
the standalone server, with the same password as on the windows
machines.
You will need to create groups on the standalone server and map these
to your windows groups.
Sorry if some of these sound like teaching your grandmother to suck
eggs, but it is better to say them than not ;-)
Rowland
More information about the samba
mailing list